search

j256 / ormlite-android

ORMLite Android functionality used in conjunction with ormlite-core
http://ormlite.com/
ISC License
1.59k stars 367 forks source link

UpdateBuilder use Nonparametric statement cause sql injection problem #130

Closed programmerAbc closed 3 years ago

programmerAbc commented 3 years ago

This is my code

 UpdateBuilder<AudioFile, String> updateBuilder = AudioFileDao.getDao().updateBuilder();
 updateBuilder.updateColumnValue(AudioFile.PERCENTAGE, 100);
 updateBuilder.updateColumnValue(AudioFile.EXTRACT_TIMESTAMP, System.currentTimeMillis());
 updateBuilder.updateColumnValue(AudioFile.PROGRESS_STATUS, AudioExtractUtil.PROGRESS_STATUS_EXTRACT_FINISHED);
 updateBuilder.updateColumnValue(AudioFile.AUDIO_FILE_URL, model.getAudioPath());
 updateBuilder.where().eq(AudioFile.ID, model.getId());
 updateBuilder.update();

and the value of

 model.getAudioPath()

is /storage/emulated/0/Android/data/wudao.com.chinadance.video/files/audio东方舞《EhtartMa'ak》异域风情太柔美了-【单色舞蹈】(成都)晋阳路馆东方舞兴趣班展示(2021991824)21836.mp3

and the sql injection problem is caused by ' in《EhtartMa'ak》 the following code is the sql which generated by UpdateBuilder

UPDATE `AudioFile` SET `percentage` = 100 ,`extractTimestamp` = 1631188140572 ,`progressStatus` = 3 ,`audioFileUrl` = '/storage/emulated/0/Android/data/wudao.com.chinadance.video/files/audio东方舞《EhtartMa'ak》异域风情太柔美了-【单色舞蹈】(成都)晋阳路馆东方舞兴趣班展示(2021991947)8710.mp3' WHERE `id` = '90A4F941483C4DCB9C787761A67D6319'

and from my research this sql is generated by com.j256.ormlite.stmt.StatementBuilder.buildStatementString

noordawod commented 3 years ago

I don't see how this is related to Ormlite? It seems the model's data is what you wrote, so the getter (of the model) returns that value.

j256 commented 3 years ago

I'm not 100% sure what you are asking but I think you need to use the SelectArg class. Just had another question like this here: https://github.com/j256/ormlite-core/issues/219

If you do a query in the documentation for query arguments or SQL injection you would have seen the docs on this subject: https://ormlite.com/docs/select-arg

In the future if you can use a smaller example, it would help @noordawod and I answer your questions. See: https://stackoverflow.com/help/minimal-reproducible-example

programmerAbc commented 3 years ago

What I encountered was the SQL injection problem that occurred when the user input string (including ') was updated to the database through UpdateBuilder, and SelectArg was the correct way to solve this problem, thank you for your help