As part of a Secure Code course I am given a vulnerable Java system, where queries are built up using string concatintion, and so on. Following is the respective code line that I have to SQL inject to retrieve log-in data:
String comment;
int articleID;
//...
stmt.executeUpdate("INSERT INTO comment (text, article_id) VALUES ('" + comment + "', " + articleId + ")");
comment can be set to any text, it is just read plain-text from a textbox. Therefore, I thought about setting the textbox text to an SELECT statement, reading the complete login data (table user has columns login and password):
' || (SELECT login || password FROM user) || '
which in overall should result in the query
INSERT INTO comment (text, article_id) VALUES ('' || (SELECT login || password FROM user) || '', 4)
yet, this results in
org.hsqldb.HsqlException: cardinality violation
Question:
I assume this is because (SELECT login || password FROM user) is not a single string, but a result set, and may therefore not be concatenated using ||.
Is it possible to convert the complete result set to one string in a way it can be used in this SQL injection scenario (in standard SQL / SQL that works on HSQLDB)?
