SQL 注入攻击模拟无法正常工作

SQL injection attack simulation does not work properly

我在教程中看到为了在JDBC中模拟一个SQL注入攻击实例,在SQLite[=中写了如下语句28=] 加上双引号,然后加载记录。但是当我用单引号在 oracle 中写相同的短语时,它会出错。为什么?

//in main
System.out.println("Enter a title:");
DB.querySongArtistView(scanner.nextLine());

//in database class
private static final String QUERY_SONG_ARTIST_VIEW = "SELECT ARTIST , ALBUM , TRACK FROM SONG_ARTIST WHERE TITLE ='";


public Optional<List<SongArtist>> querySongArtistView(String title) {
    List<SongArtist> songArtistListView = null;
try (Statement statement = connection.createStatement();
         ResultSet resultSet = statement.executeQuery(QUERY_SONG_ARTIST_VIEW + title + "'")) {
        songArtistListView = new ArrayList<>();

        while (resultSet.next())
            songArtistListView.add(new SongArtist(resultSet.getString(1),
                    resultSet.getString(2), resultSet.getInt(3)));
    } catch (SQLException e) {
        displayExceptionMessage(e);
    }
    return Optional.ofNullable(songArtistListView);
}

教程输入的内容:

Go Your Own Way" or 1=1 or ";

我在 oracle 中的查询:

Go Your Own Way' or 1=1 or ';

错误:

[42000][920] ORA-00920: invalid relational operator Position: 62

我希望有效但无效的查询:

SELECT ARTIST, ALBUM , TRACK FROM SONG_ARTIST WHERE TITLE ='Go Your Own Way' or 1=1 or '';

它抱怨 or '' 部分 - 需要将空字符串与某些内容进行比较(这有点棘手,因为 oracle 将其视为 null)。

它应该与类似的东西一起工作:

Go Your Own Way' or 'X' = 'X

这会产生

SELECT ARTIST, ALBUM , TRACK FROM SONG_ARTIST WHERE TITLE ='Go Your Own Way' or 'X' = 'X';

which is valid,至少。