I saw in a tutorial that in order to simulate a SQL injection attack instance in JDBC, it writes the following statement in SQLite with double quotes and then records are loaded. But when I write the same phrase in oracle with a single quote, it gives an error. Why?

//in main
System.out.println("Enter a title:");
DB.querySongArtistView(scanner.nextLine());

//in database class
private static final String QUERY_SONG_ARTIST_VIEW = "SELECT ARTIST , ALBUM , TRACK FROM SONG_ARTIST WHERE TITLE ='";


public Optional<List<SongArtist>> querySongArtistView(String title) {
    List<SongArtist> songArtistListView = null;
try (Statement statement = connection.createStatement();
         ResultSet resultSet = statement.executeQuery(QUERY_SONG_ARTIST_VIEW   title   "'")) {
        songArtistListView = new ArrayList<>();

        while (resultSet.next())
            songArtistListView.add(new SongArtist(resultSet.getString(1),
                    resultSet.getString(2), resultSet.getInt(3)));
    } catch (SQLException e) {
        displayExceptionMessage(e);
    }
    return Optional.ofNullable(songArtistListView);
}

Things that the tutorial entered as input:

Go Your Own Way" or 1=1 or ";

my query in oracle:

Go Your Own Way' or 1=1 or ';

error:

[42000][920] ORA-00920: invalid relational operator Position: 62

The query that I expect to work but it does not:

SELECT ARTIST, ALBUM , TRACK FROM SONG_ARTIST WHERE TITLE ='Go Your Own Way' or 1=1 or '';

CodePudding user response：

It's complaining about the or '' part - that empty string needs to be compared to something (which is a bit tricky as oracle treats it as null).

It should work with something like:

Go Your Own Way' or 'X' = 'X

which would generate

SELECT ARTIST, ALBUM , TRACK FROM SONG_ARTIST WHERE TITLE ='Go Your Own Way' or 'X' = 'X';

which is valid, at least.