JackieTien97 commented on code in PR #16734:
URL: https://github.com/apache/iotdb/pull/16734#discussion_r2516483196
##########
iotdb-client/jdbc/src/main/java/org/apache/iotdb/jdbc/IoTDBPreparedStatement.java:
##########
@@ -916,12 +916,38 @@ public void setString(int parameterIndex, String x) {
&& !((x.startsWith("'") && x.endsWith("'"))
|| ((x.startsWith("\"") && x.endsWith("\""))
&& "tree".equals(getSqlDialect())))))) {
- this.parameters.put(parameterIndex, "'" + x + "'");
+ // Escape single quotes to prevent SQL injection: ' -> \'
+ String escapedValue = escapeString(x);
+ this.parameters.put(parameterIndex, "'" + escapedValue + "'");
} else {
this.parameters.put(parameterIndex, x);
}
}
+ /**
+ * Escapes single quotes in a string to prevent SQL injection. Replaces each
single quote (') with
+ * a backslash-escaped single quote (\').
+ *
+ * <p>Note: The backslash in a Java string must be escaped, while the single
quote in a Java
+ * string can be escaped or not.
+ *
+ * <ul>
+ * <li>Input "O'Reilly" becomes "O\'Reilly" (correctly escaped)
+ * <li>Input "a\'b" (Java string literal, actual content is a'b) becomes
"a\'b"
+ * <li>Input "a\\'b" (Java string literal, actual content is a\'b) becomes
"a\\'b"
+ * </ul>
+ *
+ * @param value the string to escape
+ * @return the escaped string
+ */
+ private String escapeString(String value) {
+ if (value == null) {
+ return null;
+ }
+ // Escape single quotes to prevent SQL injection
+ return value.replace("'", "\\'");
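Review bot: `escapeString` escapes only `'` and leaves backslashes untouched, so if the server parser honours `\'` as an escape (which this change assumes), it will equally treat a value that ends in a backslash as escaping the closing quote, and `'...\'` is no longer a properly terminated literal; either escape `\` as `\\` before escaping quotes, or double the quote (`''`) as standard SQL does and avoid backslash semantics altogether. The Javadoc examples also mix Java literal notation with actual content: the content `a'b` should become `a\'b`, whose Java literal is `"a\\'b"`, not `"a\'b"` as written on the second `<li>`, and the third example has the same problem; stating the examples purely in terms of actual string content would remove the ambiguity the note above them warns about.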
Review Comment:
```suggestion
return value.replace("'", "''");
```
Using `''` as the escaper?
##########
iotdb-client/jdbc/src/main/java/org/apache/iotdb/jdbc/IoTDBPreparedStatement.java:
##########
@@ -916,12 +916,38 @@ public void setString(int parameterIndex, String x) {
&& !((x.startsWith("'") && x.endsWith("'"))
|| ((x.startsWith("\"") && x.endsWith("\""))
&& "tree".equals(getSqlDialect())))))) {
- this.parameters.put(parameterIndex, "'" + x + "'");
+ // Escape single quotes to prevent SQL injection: ' -> \'
+ String escapedValue = escapeString(x);
+ this.parameters.put(parameterIndex, "'" + escapedValue + "'");
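Review bot: The guard on the lines above sends a value through the escaping path only when it does not already start and end with `'` (or with `"` in the tree dialect); any value that happens to begin and end with a quote character falls into the `else` branch and reaches the statement verbatim, so the new escaping covers only part of the input space. Suggest escaping and wrapping unconditionally for `setString`, or, if pre-quoted values must stay supported for compatibility, documenting explicitly in the method Javadoc that such values are trusted as SQL literals rather than treated as data.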
Review Comment:
In the tree model, a constant string can use both `'` and `"`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.