Open Altarus1 opened 2 years ago
Really? I can't reproduce this. Are you calling `dao.create(...)` or `dao.createIfNotExists(...)`? All of the fields of an object being created are passed in as SQL arguments and should be resistant to all quotes. We would fail on the SQL injection test otherwise.
```java
// this works: both a double quote and a single quote survive the round trip
Dao<Foo, String> dao = createDao(Foo.class, true);
Foo foo = new Foo();
foo.stringField = "quotes in here \" and \'";
// the INSERT binds stringField as a statement argument, so create() succeeds
assertEquals(1, dao.create(foo));
// and the value comes back unchanged
assertEquals(foo.stringField, dao.queryForAll().get(0).stringField);
```
Are you sure you aren't doing a query with quotes? If so, then this is a FAQ. Take a look in the docs for SelectArg.
If this is happening with create, can you come up with an MRE? Thanks!
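As an added example (not code from this issue or from the ORMLite project), the distinction the reply draws: inserts and `SelectArg` queries bind values as statement arguments, so quotes are harmless, while a query built by concatenating a string into SQL breaks on a quote and is injectable. The `Foo` entity, the `SelectArgExample` class and the in-memory H2 JDBC URL are assumptions for this example; ormlite-jdbc and the H2 driver must be on the classpath.

```java
import java.util.List;

import com.j256.ormlite.dao.Dao;
import com.j256.ormlite.dao.DaoManager;
import com.j256.ormlite.dao.GenericRawResults;
import com.j256.ormlite.field.DatabaseField;
import com.j256.ormlite.jdbc.JdbcConnectionSource;
import com.j256.ormlite.stmt.QueryBuilder;
import com.j256.ormlite.stmt.SelectArg;
import com.j256.ormlite.support.ConnectionSource;
import com.j256.ormlite.table.DatabaseTable;
import com.j256.ormlite.table.TableUtils;

public class SelectArgExample {

    // Hypothetical entity for this example; not the reporter's classExample.
    @DatabaseTable(tableName = "foo")
    public static class Foo {
        @DatabaseField(generatedId = true)
        public int id;
        @DatabaseField(columnName = "string_field")
        public String stringField;

        public Foo() { /* ORMLite requires a no-arg constructor */ }
        public Foo(String s) { this.stringField = s; }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: an in-memory H2 database; any JDBC URL ORMLite supports works.
        ConnectionSource cs = new JdbcConnectionSource("jdbc:h2:mem:selectarg");
        try {
            TableUtils.createTableIfNotExists(cs, Foo.class);
            Dao<Foo, Integer> dao = DaoManager.createDao(cs, Foo.class);

            // create() binds every field as a statement argument, so quotes in
            // the value never touch the SQL text.
            String tricky = "O'Brien said \"hi\"";
            dao.create(new Foo(tricky));
            dao.create(new Foo("other"));

            // Attacker-style input: closes the quote and adds a tautology.
            String userInput = "x' OR '1'='1";

            // UNSAFE: the value is pasted into the SQL. A lone quote would throw a
            // syntax error; this input instead turns the WHERE into a tautology and
            // returns every row.
            GenericRawResults<String[]> unsafe = dao.queryRaw(
                    "SELECT id FROM foo WHERE string_field = '" + userInput + "'");
            System.out.println("unsafe rows: " + unsafe.getResults().size());

            // SAFE: SelectArg puts a '?' in the SQL and the driver sends the value
            // separately, so the input is compared literally (no row matches).
            QueryBuilder<Foo, Integer> qb = dao.queryBuilder();
            SelectArg arg = new SelectArg();
            qb.where().eq("string_field", arg);
            arg.setValue(userInput);
            List<Foo> safe = qb.query();
            System.out.println("safe rows: " + safe.size());

            // The same prepared query can be reused with a new bound value,
            // including one that contains both kinds of quote.
            arg.setValue(tricky);
            System.out.println("lookup tricky: " + qb.query().size());

            // queryRaw also binds values when given '?' placeholders and arguments.
            GenericRawResults<String[]> rawSafe = dao.queryRaw(
                    "SELECT id FROM foo WHERE string_field = ?", tricky);
            System.out.println("raw bound rows: " + rawSafe.getResults().size());
        } finally {
            cs.close();
        }
    }
}
```

The rule of thumb the example encodes: if a user-controlled string ends up inside the SQL text (string concatenation, or a raw clause built by hand), quotes break it; if it travels as a bound argument (`create`, `SelectArg`, `queryRaw` with `?`), quotes are just data.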
```java
try {
    Dao<classExample, Integer> dao = getDao(classExample.class);
    dao.createIfNotExists(obj);
} catch (SQLException e) {
    e.printStackTrace();
}
```
classExample has a string field, and if I try to insert an object with a single quote ('), then it catches an exception. In the log, we can see that the SQL request is using single quotes around the string values.