j256 / ormlite-android

ORMLite Android functionality used in conjunction with ormlite-core
http://ormlite.com/
ISC License
1.59k stars, 366 forks

Exception when create object with string including single quote #137

Open Altarus1 opened 2 years ago

Altarus1 commented 2 years ago

```java
try {
    // getDao(...) as provided by the OrmLiteSqliteOpenHelper
    Dao<classExample, Integer> dao = getDao(classExample.class);
    dao.createIfNotExists(obj);
} catch (SQLException e) {
    e.printStackTrace();
}
```

classExample has a String field, and if I try to insert an object with a single quote (') in it, then it throws an exception. In the log, we can see that the SQL request is using single quotes to surround the string values.

j256 commented 2 years ago

Really? I can't reproduce this. Are you calling dao.create(...) or dao.createIfNotExists(...)? All of the fields of an object being created are passed in as SQL arguments and should be resistant to all quotes. We would fail on the SQL injection test otherwise.

```java
// this works
// createDao(Foo.class, true) is the test-helper that also creates the table
Dao<Foo, String> dao = createDao(Foo.class, true);
Foo foo = new Foo();
foo.stringField = "quotes in here \" and \'";
assertEquals(1, dao.create(foo));
assertEquals(foo.stringField, dao.queryForAll().get(0).stringField);
```

Are you sure you aren't doing a query with quotes? If so, then this is a FAQ. Take a look in the docs for SelectArg.

j256 commented 2 years ago

If this is happening with create, can you come up with a MRE? Thanks!
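
The distinction j256 draws above, as an added example that is not part of the thread or of the ORMLite project: a create passes every field as a bound argument, so a quote in the data is harmless, while a where-clause built from a plain String inlines the value into the SQL text, where a quote breaks the statement (or, with attacker-controlled input, rewrites it). Wrapping the value in SelectArg sends it as a `?` parameter instead. The Foo class, the QuoteDemo class name and the value strings are made up for the example; the H2 in-memory database opened through ormlite-jdbc is an assumption standing in for the Android connection source so the code runs off-device, and the Dao methods themselves are the same ones an OrmLiteSqliteOpenHelper.getDao(...) returns.

```java
import com.j256.ormlite.dao.Dao;
import com.j256.ormlite.dao.DaoManager;
import com.j256.ormlite.field.DatabaseField;
import com.j256.ormlite.jdbc.JdbcConnectionSource;
import com.j256.ormlite.stmt.SelectArg;
import com.j256.ormlite.support.ConnectionSource;
import com.j256.ormlite.table.DatabaseTable;
import com.j256.ormlite.table.TableUtils;

import java.sql.SQLException;
import java.util.List;

public class QuoteDemo {

    // Hypothetical entity for the example: one generated id, one String column.
    @DatabaseTable(tableName = "foo")
    public static class Foo {
        @DatabaseField(generatedId = true)
        public int id;
        @DatabaseField
        public String stringField;

        public Foo() {
            // ORMLite requires a public no-arg constructor
        }
    }

    /** Create: every field is bound as a statement argument, so quotes in the data are fine. */
    public static int insertWithQuote(Dao<Foo, Integer> dao, String value) throws SQLException {
        Foo foo = new Foo();
        foo.stringField = value;
        return dao.create(foo);
    }

    /**
     * Query with a plain String: ORMLite inlines the literal into the generated SQL, wrapped in
     * single quotes but not escaped. A quote inside the value breaks the statement, and
     * untrusted input can change its meaning. This is the "don't" half of the example.
     */
    public static List<Foo> queryInlined(Dao<Foo, Integer> dao, String value) throws SQLException {
        return dao.queryBuilder().where().eq("stringField", value).query();
    }

    /** Query with a SelectArg: the value travels as a ? parameter, so any quote is just data. */
    public static List<Foo> queryWithSelectArg(Dao<Foo, Integer> dao, String value) throws SQLException {
        SelectArg arg = new SelectArg(value);
        return dao.queryBuilder().where().eq("stringField", arg).query();
    }

    public static void main(String[] args) throws Exception {
        // Assumption: an H2 in-memory database via ormlite-jdbc replaces AndroidConnectionSource
        // so the example runs on a desktop JVM; the Dao calls are unchanged on Android.
        ConnectionSource cs = new JdbcConnectionSource("jdbc:h2:mem:quotes");
        try {
            TableUtils.createTableIfNotExists(cs, Foo.class);
            Dao<Foo, Integer> dao = DaoManager.createDao(cs, Foo.class);

            // Constructed sample value containing both kinds of quote.
            String value = "O'Brien says \"hi\"";
            System.out.println("rows created: " + insertWithQuote(dao, value));

            System.out.println("SelectArg matches: " + queryWithSelectArg(dao, value).size());

            try {
                queryInlined(dao, value);
                System.out.println("inlined query did not fail");
            } catch (SQLException e) {
                System.out.println("inlined query failed: " + e.getMessage());
            }
        } finally {
            cs.close();
        }
    }
}
```

The same rule applies to `where().like(...)`, `in(...)` and the other comparison methods, and to `UpdateBuilder`/`DeleteBuilder` where clauses: anything that came from a user goes through a SelectArg, never into the SQL text.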