sapiens/SqlFu

SQL Injection vulnerability

Closed this issue · 4 comments

This bug is quite bad. We have a query like this:

var players = db.Query<Player>(p => p.DisplayName.Contains(name));

A player has chosen DisplayName of "don't cry for me argentina" which gets translated into:

select [DisplayName],...,[Id] from [Player] where [DisplayName] like '%don't cry for me argentina%'

The single quote is not escaped! I would expect SqlFu to escape string parameters automatically like it does with sql params. It's a matter of time before someone figures out much funnier names than one with just a quote. We quickly changed the query and rolled out a hotfix:

var players = db.Query<Player>("select * from Player where DisplayName like @Name", new { Name = "%" + name + "%" });

which gets escaped correctly. Why are these lambda queries not also escaped?
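The defect described in this report, shown as an added C# example that is not SqlFu's code and was not posted by the reporter or the maintainer: a minimal lambda-to-SQL translator that inlines the string literal (the broken behaviour) beside one that emits a parameter placeholder and hands the value to the driver, covering Contains, StartsWith and EndsWith. The Player class, the ParameterizedWhere class, Translate, UnsafeContains and the @p0/@p1 parameter names are assumptions made for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq.Expressions;
using System.Text;

// Hypothetical entity mirroring the issue's Player table (assumed for the example).
public class Player
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
}

public static class ParameterizedWhere
{
    // What the reported bug did, for contrast: the value is spliced into the SQL text,
    // so a quote inside it terminates the literal early.
    public static string UnsafeContains(string column, string value) =>
        $"[{column}] like '%{value}%'";

    // Safe translation: returns the WHERE-clause text plus the values to bind as parameters.
    public static (string Sql, Dictionary<string, object> Params) Translate<T>(
        Expression<Func<T, bool>> predicate)
    {
        var sb = new StringBuilder();
        var ps = new Dictionary<string, object>();
        Visit(predicate.Body, sb, ps);
        return (sb.ToString(), ps);
    }

    static void Visit(Expression e, StringBuilder sb, Dictionary<string, object> ps)
    {
        switch (e)
        {
            case BinaryExpression b when b.NodeType == ExpressionType.AndAlso
                                      || b.NodeType == ExpressionType.OrElse:
                sb.Append('(');
                Visit(b.Left, sb, ps);
                sb.Append(b.NodeType == ExpressionType.AndAlso ? " and " : " or ");
                Visit(b.Right, sb, ps);
                sb.Append(')');
                break;

            case BinaryExpression b when b.NodeType == ExpressionType.Equal:
                sb.Append(Column(b.Left)).Append(" = ").Append(AddParam(ps, Evaluate(b.Right)));
                break;

            // Contains/StartsWith/EndsWith all become LIKE; the whole pattern travels
            // as a parameter value, so it never becomes part of the SQL text.
            case MethodCallExpression m when m.Method.DeclaringType == typeof(string)
                                          && m.Arguments.Count == 1:
            {
                var value = (string)Evaluate(m.Arguments[0]);
                string pattern = m.Method.Name switch
                {
                    "Contains"   => "%" + value + "%",
                    "StartsWith" => value + "%",
                    "EndsWith"   => "%" + value,
                    _ => throw new NotSupportedException(m.Method.Name)
                };
                sb.Append(Column(m.Object)).Append(" like ").Append(AddParam(ps, pattern));
                break;
            }

            default:
                throw new NotSupportedException(e.NodeType.ToString());
        }
    }

    // Column names come from the entity's property names, never from user data.
    static string Column(Expression e) =>
        e is MemberExpression me && me.Expression is ParameterExpression
            ? "[" + me.Member.Name + "]"
            : throw new NotSupportedException("expected a column reference");

    // Evaluates the non-column side (a constant or a captured variable) to its runtime value.
    static object Evaluate(Expression e) =>
        e is ConstantExpression c ? c.Value : Expression.Lambda(e).Compile().DynamicInvoke();

    static string AddParam(Dictionary<string, object> ps, object value)
    {
        var name = "@p" + ps.Count;
        ps[name] = value;
        return name;
    }

    public static void Main()
    {
        var name = "don't cry for me argentina"; // the DisplayName from the report

        // Broken form: the quote lands inside the SQL text.
        Console.WriteLine(UnsafeContains("DisplayName", name));

        // Parameterized form: the SQL contains only placeholders, the quote stays in the value.
        var (sql, ps) = Translate<Player>(p => p.DisplayName.Contains(name) && p.Id == 7);
        Console.WriteLine(sql);
        foreach (var kv in ps)
            Console.WriteLine($"{kv.Key} = {kv.Value}");
    }
}
```

The returned parameter map is meant to be bound through DbCommand.Parameters before execution; the driver then treats the value as data regardless of what characters it contains. One caveat remains even with parameters: `%` and `_` inside the user's value are still LIKE wildcards, so a query that must match the literal substring needs those characters escaped and an ESCAPE clause added, which is a correctness concern rather than an injection one.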

I've pushed a fix. It also affected StartsWith and EndsWith.

Thanks for the fast response and fix!

Still, I'll be avoiding this lambda syntax from now on, as it has caused unexpected problems more than once now; it's limited in scope, and I now think that writing sql this way is not such a great idea.

Your new NuGet package has a dependency on CavemanTools = 3.4.0; the previous package had >= 3.8.1.

With 3.4.0 I'll get the SemanticVersion bug back.

I knew I left something out. I've pushed a new version with the correct dep.