
Exception when create object with string including single quote

Open Altarus1 opened this issue 4 years ago • 2 comments

try {
    // classExample has a String field; obj is an instance of it
    Dao<classExample, Integer> dao = getDao(classExample.class);
    dao.createIfNotExists(obj);
} catch (SQLException e) {
    e.printStackTrace();
}

classExample has a string field, and if I try to insert an object with a single quote ('), then it catches an exception. In the log, we can see that the SQL request is using single quotes around string values.

Altarus1 avatar Nov 12 '21 11:11 Altarus1

Really? I can't reproduce this. Are you calling dao.create(...) or dao.createIfNotExists(...)? All of the fields of an object being created are passed in as SQL arguments and should be resistant to all quotes. We would fail on the SQL injection test otherwise.

// this works
Dao<Foo, String> dao = createDao(Foo.class, true);
Foo foo = new Foo();
foo.stringField = "quotes in here \" and \'";
assertEquals(1, dao.create(foo));
assertEquals(foo.stringField, dao.queryForAll().get(0).stringField);

Are you sure you aren't doing a query with quotes? If so, then this is a FAQ. Take a look in the docs for SelectArg.

j256 avatar Nov 12 '21 16:11 j256
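The query-side mistake that the SelectArg FAQ answer above refers to, as an added example (not code from the issue or from ORMLite's own tests): a WHERE clause built by string concatenation breaks on a value containing a quote, while the same lookup with SelectArg binds the value as a statement argument, just as create() does for field values. It assumes ormlite-jdbc with an SQLite JDBC driver on the classpath for a stand-alone run; the Customer entity and the findByName helpers are constructed for the demo.

```java
import com.j256.ormlite.dao.Dao;
import com.j256.ormlite.dao.DaoManager;
import com.j256.ormlite.field.DatabaseField;
import com.j256.ormlite.jdbc.JdbcConnectionSource;
import com.j256.ormlite.stmt.QueryBuilder;
import com.j256.ormlite.stmt.SelectArg;
import com.j256.ormlite.support.ConnectionSource;
import com.j256.ormlite.table.DatabaseTable;
import com.j256.ormlite.table.TableUtils;
import java.sql.SQLException;
import java.util.List;

public class QuoteDemo {
    @DatabaseTable(tableName = "customer")
    public static class Customer {
        @DatabaseField(generatedId = true) int id;
        @DatabaseField String name;
        Customer() {}  // ORMLite requires a no-arg constructor
        Customer(String name) { this.name = name; }
    }
    // WHERE clause built by concatenation: a quote inside the value ends the
    // SQL literal early, so the statement fails to parse (or changes meaning).
    static List<Customer> findByNameUnsafe(Dao<Customer, Integer> dao, String name) throws SQLException {
        QueryBuilder<Customer, Integer> qb = dao.queryBuilder();
        qb.where().raw("name = '" + name + "'");
        return dao.query(qb.prepare());
    }
    // Value passed as a bound argument via SelectArg; the database never parses it as SQL.
    static List<Customer> findByNameSafe(Dao<Customer, Integer> dao, String name) throws SQLException {
        QueryBuilder<Customer, Integer> qb = dao.queryBuilder();
        qb.where().eq("name", new SelectArg(name));
        return dao.query(qb.prepare());
    }
    public static void main(String[] args) throws SQLException {
        // Assumes ormlite-jdbc + SQLite JDBC; on Android use OrmLiteSqliteOpenHelper.getConnectionSource()
        ConnectionSource cs = new JdbcConnectionSource("jdbc:sqlite::memory:");
        try {
            TableUtils.createTableIfNotExists(cs, Customer.class);
            Dao<Customer, Integer> dao = DaoManager.createDao(cs, Customer.class);
            dao.create(new Customer("O'Brien"));  // create() binds field values, so the quote is stored as-is
            try {
                findByNameUnsafe(dao, "O'Brien");
            } catch (SQLException e) {
                System.out.println("raw clause failed: " + e.getMessage());
            }
            System.out.println("SelectArg matches: " + findByNameSafe(dao, "O'Brien").size());
        } finally {
            cs.closeQuietly();
        }
    }
}
```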

If this is happening with create, can you come up with a MRE? Thanks!

j256 avatar Nov 13 '21 01:11 j256