I saw in a tutorial that in order to simulate a SQL injection attack instance in JDBC, it writes the following statement in SQLite with double quotes and then records are loaded. But when I write the same phrase in oracle with a single quote, it gives an error. Why?
//in main
System.out.println("Enter a title:");
DB.querySongArtistView(scanner.nextLine());
//in database class
private static final String QUERY_SONG_ARTIST_VIEW = "SELECT ARTIST , ALBUM , TRACK FROM SONG_ARTIST WHERE TITLE ='";
public Optional<List<SongArtist>> querySongArtistView(String title) {
List<SongArtist> songArtistListView = null;
try (Statement statement = connection.createStatement();
ResultSet resultSet = statement.executeQuery(QUERY_SONG_ARTIST_VIEW + title + "'")) {
songArtistListView = new ArrayList<>();
while (resultSet.next())
songArtistListView.add(new SongArtist(resultSet.getString(1),
resultSet.getString(2), resultSet.getInt(3)));
} catch (SQLException e) {
displayExceptionMessage(e);
}
return Optional.ofNullable(songArtistListView);
}
Things that the tutorial entered as input:
Go Your Own Way" or 1=1 or ";
my query in oracle:
Go Your Own Way' or 1=1 or ';
error:
[42000][920] ORA-00920: invalid relational operator Position: 62
The query that I expect to work but it does not:
SELECT ARTIST, ALBUM , TRACK FROM SONG_ARTIST WHERE TITLE ='Go Your Own Way' or 1=1 or '';
>Solution :
It’s complaining about the or '' part – that empty string needs to be compared to something (which is a bit tricky as oracle treats it as null).
It should work with something like:
Go Your Own Way' or 'X' = 'X
which would generate
SELECT ARTIST, ALBUM , TRACK FROM SONG_ARTIST WHERE TITLE ='Go Your Own Way' or 'X' = 'X';
which is valid, at least.