Bug #118688 com.mysql.cj.protocol.a.StringValueEncoder#getString does not handle string escaping
Submitted: 21 Jul 8:42    Modified: 22 Jul 11:06
Reporter: feng shen (OCA)
Status: Verified
Category: Connector / J    Severity: S3 (Non-critical)
Version: 8.4.0, 9.3.0    OS: Any
Assigned to:    CPU Architecture: Any

[21 Jul 8:42] feng shen
Description:
The method com.mysql.cj.protocol.a.StringValueEncoder#getString does not escape string values properly, which causes com.mysql.cj.ClientPreparedQuery#asSql to generate incorrect SQL. This may lead to invalid SQL syntax or potential security issues.

How to repeat:
import java.nio.charset.StandardCharsets;
import java.sql.Connection;
import java.sql.DriverManager;

import com.mysql.cj.BindValue;
import com.mysql.cj.ClientPreparedQuery;
import com.mysql.cj.jdbc.ClientPreparedStatement;

public class Bug118688Repro {
    public static void main(String[] args) throws Exception {
        Connection connection = DriverManager.getConnection("jdbc:mysql://127.0.0.1:3306/test", "root", "123456");

        ClientPreparedStatement preparedStatement = (ClientPreparedStatement) connection.prepareStatement("select * from test where id = ?");
        preparedStatement.setString(1, "'a'");
        for (BindValue bindValue : preparedStatement.getQueryBindings().getBindValues()) {
            byte[] byteValue = bindValue.getByteValue();
            // right: the bound value bytes are escaped
            System.out.println(new String(byteValue, StandardCharsets.UTF_8));
        }
        String sql = ((ClientPreparedQuery) preparedStatement.getQuery()).asSql();
        // error: the reconstructed SQL embeds the value without escaping
        System.out.println(sql);
    }
}
[21 Jul 8:57] feng shen
Although this issue does not affect the actual execution of SQL statements, developers who rely on ClientPreparedQuery#asSql to log or reconstruct SQL queries may unknowingly introduce SQL injection risks, depending on how the resulting SQL string is used. This potential vulnerability should be further evaluated.
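As an added example (not Connector/J code and not the fix in the linked PR), the helper below shows the escaping a reconstructed string literal needs before it is safe to log or review. It follows the mysql_real_escape_string rules and assumes the server's default sql_mode (NO_BACKSLASH_ESCAPES off), where a quote inside a literal is written as \'; the sample value is the one from the report.

```java
/**
 * Added example, not part of Connector/J: quotes a Java string as a MySQL
 * string literal so that a SQL string rebuilt for logging cannot be re-parsed
 * with the value's own quotes terminating the literal early.
 * Assumes the default sql_mode (backslash escapes enabled).
 */
public final class SqlLiteralEscaper {

    private SqlLiteralEscaper() {}

    /** Returns the value as a single-quoted, escaped MySQL literal, or NULL. */
    public static String quote(String value) {
        if (value == null) {
            return "NULL";
        }
        StringBuilder sb = new StringBuilder(value.length() + 2);
        sb.append('\'');
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case 0:    sb.append("\\0");  break;  // NUL
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\\': sb.append("\\\\"); break;
                case '\'': sb.append("\\'");  break;
                case '"':  sb.append("\\\""); break;
                case 0x1A: sb.append("\\Z");  break;  // Ctrl-Z
                default:   sb.append(c);
            }
        }
        sb.append('\'');
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the value bound in the bug report's repro.
        String value = "'a'";
        // An unescaped embedding of the value (constructed to illustrate the risk).
        String unescaped = "select * from test where id = '" + value + "'";
        // The same statement with the literal escaped before reconstruction.
        String escaped = "select * from test where id = " + quote(value);
        System.out.println(unescaped);
        System.out.println(escaped);
    }
}
```

A SQL string rebuilt from bind values is a diagnostic artifact; if it is ever logged or shown to a reviewer, escape the literals first, and never pass it back to the server as a query.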
[22 Jul 8:21] MySQL Verification Team
Hello feng shen,

Thank you for the report and feedback.

regards,
Umesh
[22 Jul 11:06] feng shen
I have sent a PR for this issue:
https://github.com/mysql/mysql-connector-j/pull/118
[22 Jul 20:39] OCA Admin
Contribution submitted via Github - Fix Bug #118688 com.mysql.cj.protocol.a.StringValueEncoder#getString does not ha
(*) Contribution by feng shen (Github ShenFeng312, mysql-connector-j/pull/118#issuecomment-3101958597): I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: git_patch_2681390127.txt (text/plain), 3.59 KiB.