sqlite: importFromJson on android fails to build SQL Statement with `'` in values.

Describe the bug Values may contain ' that are not escaped. This leads to syntax error, or sql injection breach.

To Reproduce Using importFromJson, use a value with a '. That breaks the syntax.

Expected behavior Escape ' chars in values to safely built the whole SQL statement.

https://github.com/capacitor-community/sqlite/blob/89ffbee450eea5152a30863c4dc8f3158446fab2/android/src/main/java/com/getcapacitor/community/database/sqlite/SQLite/ImportExportJson/ImportFromJson.java#L444

Smartphone

  • Device: Samsung Galaxy J5
  • OS: android 9

About this issue

  • Original URL
  • State: closed
  • Created 7 months ago
  • Reactions: 1
  • Comments: 19 (10 by maintainers)

Most upvoted comments

@mmouterde As already said the @capacitor-community/sqlite will not support the reserved words in the table’s field name. In 5.5.1-1, the following will work:

{
  database : "db-from-json492",
  version : 1,
  encrypted : false,
  mode : "full",
  tables :[
      {
          name: "company",
          schema: [
              {column:'id', value: 'CHARACTER(36) PRIMARY NOT NULL'},
              {column:'email', value:'TEXT UNIQUE NOT NULL'},
              {column:'name', value:'VARCHAR(25) NOT NULL'},
              {column:'age', value:'INT NOT NULL'},
              {column:'sql_deleted', value:'BOOLEAN DEFAULT 0 CHECK (sql_deleted IN (0, 1))'},
              {column:'last_modified', value:'INTEGER DEFAULT (strftime(\'%s\', \'now\'))'},
          ],
          values: [
              ["fe3c700c-9b21-11ee-b9d1-0242ac120002","c.oconnors@example.com","O'Connors",55,0,1608216034],
              ["fe3c72d2-9b21-11ee-b9d1-0242ac120002","j.lawson@example.com",`L'awson has "nearly" something`,32,0,1608216034],
              ["fe3c7408-9b21-11ee-b9d1-0242ac120002",'d.bush@example.com','Bush',44,0,1608216034],
        ]
      },
    ]
}

as you will notice

  • to store UUID in a field the field type is CHAR(36) or TEXT (this was already working in previous releases)
  • In a Json Object if you have a ’ char you can define the value like this “O’Connor”
  • In a Json Object if you have multiple ’ char and multiple " char the value must be defined as L'awson has "nearly" something

in an execute command:

const row: Array<Array<any>> = [[`W''hi"teley`,'Whiteley.com',30.2],[`J''o"ne"s`,"Jones.com",44]];
const twoUsers: string = `
INSERT INTO users (name,email,age) VALUES ('${row[0][0]}','${row[0][1]}',${row[0][2]});
INSERT INTO users (name,email,age) VALUES ('${row[1][0]}','${row[1][1]}',${row[1][2]});
`;
 const ret = await db.execute(twoUsers, true, true);

in a run command:

      const sql = `INSERT INTO users (name,email,age) VALUES (?,?,?);`;
      const val = [`J'ee"pq`,'jeepq@example.com',45];
      const ret = await db.run(sql, val, false, 'no', true);

Voilà

+1
jepiqueau on Dec 15, 2023

@mmouterde I come back on this after futher tests on other platforms value like “O’Connor” works for web, iOS and Electron so it will be fixed for Android in next release.

+1
jepiqueau on Dec 12, 2023
Read more comments on GitHub
← sqlite: Error: The jeep-sqlite element is not present in the DOM when trying to generate migration files via TypeOrm CLI
sqlite: runTest failed Error: Attempt to invoke virtual method 'java.lang.String com.getcapacitor.community.database.sqlite.CapacitorSQLite.echo(java.lang.String)' on a null object reference` →