Description
This issue is to collect the similar ones reported about ORM lite not properly escaping parameters in the produced SQL. This may lead to the well known SQL injection vulnerability[1], which is quite serious. I have found the following issues related to this:
- #146 - EXTERNAL DATA IN SQL QUERIES [SAST] [M7] [CWE-89]
- #137 - Exception when create object with string including single quote
- #81 - security issue - SQL Injection (this should be reopened as it does not apply to table names only)
- #138 - log4j see this comment
- #178 - Apostrophe causes SQLException
@j256, it would be great to have your comment, even if you do not have time to fix it; maybe somebody will be happy to contribute the fix. I'd also like to add to the discussion that you may already have given an answer in one of your comments to #178 above:
This is a FAQ: https://ormlite.com/docs/quotes-in-queries
Using a SelectArg is the appropriate way of fixing the issue and is a good idea for any user input to fix SQL injection errors.
However, IMHO, today an ORM library should just not provide a SQL injection vulnerability in any circumstances.
Many thanks in advance
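To make the SelectArg recommendation from the quoted FAQ concrete, here is an added example (not code from the ORMLite project or from the issue author) that puts a query built by string concatenation next to the same lookup done with `SelectArg`, and runs both against an in-memory H2 database. The `Account` class, the `findByName*` helper names and the `jdbc:h2:mem:selectarg` URL are constructed for this example; it assumes ormlite-core, ormlite-jdbc and the H2 driver are on the classpath.

```java
// Added example, not part of the ORMLite project or the original issue.
// Assumes ormlite-core, ormlite-jdbc and the H2 JDBC driver on the classpath.
import com.j256.ormlite.dao.Dao;
import com.j256.ormlite.dao.DaoManager;
import com.j256.ormlite.field.DatabaseField;
import com.j256.ormlite.jdbc.JdbcConnectionSource;
import com.j256.ormlite.stmt.QueryBuilder;
import com.j256.ormlite.stmt.SelectArg;
import com.j256.ormlite.support.ConnectionSource;
import com.j256.ormlite.table.DatabaseTable;
import com.j256.ormlite.table.TableUtils;

import java.sql.SQLException;
import java.util.List;

public class SelectArgExample {

    // Constructed entity for this example; ORMLite needs a public no-arg constructor.
    @DatabaseTable(tableName = "account")
    public static class Account {
        public static final String NAME_FIELD = "name";

        @DatabaseField(generatedId = true)
        private int id;

        @DatabaseField(columnName = NAME_FIELD)
        private String name;

        public Account() { }

        public Account(String name) { this.name = name; }

        public String getName() { return name; }
    }

    // Unsafe pattern from the issue: the caller-supplied value is spliced into the
    // SQL text, so a quote in the input alters the statement instead of being data.
    // This is the "before" form and is kept here only to contrast it with the fix.
    static List<Account> findByNameUnsafe(Dao<Account, Integer> dao, String name) throws SQLException {
        QueryBuilder<Account, Integer> qb = dao.queryBuilder();
        qb.where().raw("name = '" + name + "'");
        return qb.query();
    }

    // Fixed pattern from the FAQ: the value travels as a bound statement argument
    // via SelectArg, so quoting is handled by the JDBC driver, not by string building.
    static List<Account> findByNameSafe(Dao<Account, Integer> dao, String name) throws SQLException {
        QueryBuilder<Account, Integer> qb = dao.queryBuilder();
        qb.where().eq(Account.NAME_FIELD, new SelectArg(name));
        return qb.query();
    }

    public static void main(String[] args) throws SQLException {
        // Constructed in-memory database URL for this example.
        ConnectionSource cs = new JdbcConnectionSource("jdbc:h2:mem:selectarg");
        try {
            TableUtils.createTableIfNotExists(cs, Account.class);
            Dao<Account, Integer> dao = DaoManager.createDao(cs, Account.class);
            dao.create(new Account("O'Brien"));
            dao.create(new Account("Smith"));

            // The apostrophe in the name is just data when passed through SelectArg.
            List<Account> safe = findByNameSafe(dao, "O'Brien");
            System.out.println("SelectArg lookup returned " + safe.size() + " row(s)");

            // The concatenated form cannot even represent this legitimate value:
            // the embedded quote breaks the statement, which is the symptom the
            // linked issues report (#137, #178).
            try {
                findByNameUnsafe(dao, "O'Brien");
                System.out.println("Concatenated SQL unexpectedly succeeded");
            } catch (SQLException e) {
                System.out.println("Concatenated SQL failed on the apostrophe: " + e.getMessage());
            }
        } finally {
            cs.closeQuietly();
        }
    }
}
```

The same rule applies to `Dao.queryRaw(String, String...)` and to `Where.raw(String, ArgumentHolder...)`: pass user-controlled values as the trailing arguments, never inside the SQL string. A code-review or SAST check for this class of issue (as in #146) is to flag any `raw(` or `queryRaw(` call whose first argument is built with `+` or `String.format` from a non-constant.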