ahmetb / orman

lightweight and minimalist ORM for Java/Android. works with SQLite & MySQL. (not actively maintained)

Escaping SQL clause template tags #11

Closed ahmetb closed 13 years ago

ahmetb commented 13 years ago

In QueryTypes, we define e.g.

SELECT {SELECT_COLUMN_LIST} FROM {TABLE_LIST} {JOIN}{WHERE}{GROUP_BY}{HAVING}{ORDER_BY}{LIMIT}

However, that can be exploited if some query values also include these {...} templates, which may cause complicated errors. Values manually bound to SQL should be escaped for { and }, then must be unescaped.

ahmetb commented 13 years ago

Tried a few queries; however, the actual value bindings are done after the clause tag bindings. Does not seem to have a vulnerability.
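To make the ordering argument from the two comments concrete, here is an added, self-contained Python model of clause-tag templating (not orman's code; the per-tag sequential replace, the `?` placeholder binding, the `build_*` function names and the sample clauses and values are all constructed assumptions). It builds the same query with tags resolved before values (the order the maintainer observed) and with values bound first, so the difference the issue worried about is visible.

```python
import re

# Constructed model of orman-style clause-tag templating (not orman's own code).
# The template string is the one quoted in the issue.
TEMPLATE = ("SELECT {SELECT_COLUMN_LIST} FROM {TABLE_LIST} "
            "{JOIN}{WHERE}{GROUP_BY}{HAVING}{ORDER_BY}{LIMIT}")
TAG_ORDER = ["SELECT_COLUMN_LIST", "TABLE_LIST", "JOIN", "WHERE",
             "GROUP_BY", "HAVING", "ORDER_BY", "LIMIT"]
TAG_RE = re.compile(r"\{[A-Z_]+\}")

def expand_clause_tags(template, clauses):
    """Resolve tags one after another (assumed model of per-tag String.replace).
    Text inserted by an earlier tag is rescanned by later ones, which is why a
    '{LIMIT}' sitting inside an already-bound value can be mangled."""
    sql = template
    for tag in TAG_ORDER:
        sql = sql.replace("{" + tag + "}", clauses.get(tag, ""))
    return sql

def quote_value(value):
    """Render a value as a SQL literal; strings get single-quote doubling."""
    if isinstance(value, (int, float)):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"

def bind_values(sql, values):
    """Substitute positional '?' placeholders left to right."""
    parts = sql.split("?")
    if len(parts) - 1 != len(values):
        raise ValueError("placeholder/value count mismatch")
    out = parts[0]
    for value, rest in zip(values, parts[1:]):
        out += quote_value(value) + rest
    return out

def build_tags_first(clauses, values):
    """Order the maintainer found: tags resolved, then values bound.
    No tag expansion runs after binding, so braces inside values are inert."""
    skeleton = expand_clause_tags(TEMPLATE, clauses)
    if TAG_RE.search(skeleton):  # defensive check: clause text must carry no tags
        raise ValueError("unresolved clause tag in SQL skeleton: " + skeleton)
    return bind_values(skeleton, values)

def build_values_first(clauses, values):
    """Order the issue worried about: values bound into each clause before the
    clause is spliced into the template, so values get rescanned for tags."""
    bound, remaining = {}, list(values)
    for tag in TAG_ORDER:
        text = clauses.get(tag, "")
        n = text.count("?")
        bound[tag] = bind_values(text, remaining[:n])
        remaining = remaining[n:]
    return expand_clause_tags(TEMPLATE, bound)

CLAUSES = {"SELECT_COLUMN_LIST": "*", "TABLE_LIST": "users",
           "WHERE": "WHERE name = ?", "LIMIT": " LIMIT ?"}
VALUES = ["{LIMIT}", 10]  # constructed: a supplied name that happens to look like a tag
```

With `VALUES` the tags-first path keeps the literal `'{LIMIT}'` intact, while the values-first path rewrites it to `' LIMIT 10'`, which is the kind of complicated error the first comment describes.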