Question

I would like to ask whether a Windows-allowed filename is secure against SQL (Oracle and general), JS, XML, etc. injections.

The following characters are checked and replaced: /:*?"<>| (also their ASCII values, etc.). Also, the length cannot be more than ~180 characters.

The checks are made securely, both on the client side (only for usability) and on the server side (for security).

The filename is saved to an oracle DB and it has a flow like oracle->java->xml->xslt->browser to be displayed.

EDIT: @Bohemian's answer points out the insecure part, SQL injection (which could simply be prohibited with the use of prepared statements). How about JS or XML injection? (That could lead to XSS, or to access to the hard disk through XSLT.)


Solution

No, it isn't safe, because Windows allows the single quote ' and the semicolon ; in file names.
That combination is all you need to inject SQL:

SQL injection example (in java):

int userid = 999;
// A name Windows accepts: it contains ' and ; but none of /:*?"<>|
String filename = "foo';delete from users;update users set name = 'bar";
// Vulnerable: the filename is concatenated straight into the SQL text
String sql = "update users set avatar = '" + filename + "' where id = " + userid;
System.out.println(sql);

Output:

update users set avatar = 'foo';delete from users;update users set name = 'bar' where id = 999

This is valid, and pernicious, SQL.


Windows also allows both curly {} and square [] brackets in filenames. I can't think of an example right now, but it seems that a JavaScript injection would be possible too, perhaps if passed to eval(). (Perhaps someone could provide a working example - feel free to edit one in here.)
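
The following is an added example, not code from the question or the answer above. It takes the Windows filename rule the question describes (reject /:*?"<>| and cap the length) and shows, in Node.js, that a name which passes it can still break out of an SQL string literal, an XML attribute, and a JavaScript string literal, and what the context-specific defence is in each case: a parameterised statement for SQL, entity escaping for XML, and a properly encoded string literal for JS. The payloads, the `users`/`avatar` table names taken from the answer, the `<file name='...'/>` element, and all function names are constructed for this demonstration; the statement counter and attribute counter are deliberately small helpers, not general parsers.

```javascript
// Added example, not from the original post. A filename that passes the Windows
// character check is shown breaking out of SQL, XML and JavaScript contexts, next
// to the defence for each. Payloads and names below are constructed.

// The check the question describes: reserved characters /:*?"<>| plus a length
// cap. Backslash and ASCII control characters are added because Windows rejects
// them as well (an extension of the question's list).
const WINDOWS_FORBIDDEN = /[\\\/:*?"<>|\x00-\x1f]/;
const MAX_LEN = 180;

function isWindowsFilename(name) {
  return name.length > 0 && name.length <= MAX_LEN && !WINDOWS_FORBIDDEN.test(name);
}

// --- SQL -------------------------------------------------------------------

// The concatenation from the answer above, reproduced for comparison.
function buildSqlUnsafe(filename, userid) {
  return "update users set avatar = '" + filename + "' where id = " + userid;
}

// The fix: a parameterised statement. The value never becomes part of the SQL
// text, so nothing in it can change the statement's structure. This returns the
// pieces a JDBC/ODBC driver would receive; it does not talk to a database.
function buildSqlWithParams(filename, userid) {
  return { text: 'update users set avatar = ? where id = ?', params: [filename, userid] };
}

// Counts top-level statements, treating ';' inside a single-quoted literal
// (with '' as the escaped quote) as data rather than a separator.
function countStatements(sql) {
  let count = 0, inString = false, sawToken = false;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (inString) {
      if (c === "'") {
        if (sql[i + 1] === "'") i++;   // doubled quote stays inside the literal
        else inString = false;
      }
    } else if (c === "'") {
      inString = true; sawToken = true;
    } else if (c === ';') {
      if (sawToken) count++;
      sawToken = false;
    } else if (!/\s/.test(c)) {
      sawToken = true;
    }
  }
  return count + (sawToken ? 1 : 0);
}

// --- XML -------------------------------------------------------------------

function escapeXml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// '<' and '>' are blocked by the Windows rule, so no tag can be injected, but a
// single quote is allowed and terminates a single-quoted attribute value.
function fileElementUnsafe(name) { return "<file name='" + name + "'/>"; }
function fileElement(name)       { return "<file name='" + escapeXml(name) + "'/>"; }

// Counts attributes written as name='...' in one element (demonstration only).
function countAttributes(xml) {
  return (xml.match(/\s[A-Za-z_][\w.-]*='/g) || []).length;
}

// --- JavaScript ------------------------------------------------------------

// A JS string literal safe to embed even inside HTML/XML: JSON.stringify handles
// quotes and backslashes; <, >, & and the U+2028/2029 line terminators are
// written as \uXXXX so surrounding markup or script cannot be closed early.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/[<>&\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function scriptUnsafe(name) { return "var f = '" + name + "'; return f;"; }
function scriptSafe(name)   { return "var f = " + jsStringLiteral(name) + "; return f;"; }

// Stand-in for the answer's eval() concern: compile and run the generated script.
function runSnippet(code) { return new Function(code)(); }

// Constructed payloads. All three pass isWindowsFilename(): no / : * ? " < > |
const SQL_PAYLOAD = "foo';delete from users;update users set name = 'bar";
const XML_PAYLOAD = "a.txt' hidden='yes";
const JS_PAYLOAD  = "x'; return 'pwned'; var g='";

console.log('windows check passes       :', [SQL_PAYLOAD, XML_PAYLOAD, JS_PAYLOAD].every(isWindowsFilename));
console.log('statements, concatenated   :', countStatements(buildSqlUnsafe(SQL_PAYLOAD, 999)));
console.log('statements, parameterised  :', countStatements(buildSqlWithParams(SQL_PAYLOAD, 999).text));
console.log('attributes, raw / escaped  :', countAttributes(fileElementUnsafe(XML_PAYLOAD)), countAttributes(fileElement(XML_PAYLOAD)));
console.log('script returns, raw/escaped:', runSnippet(scriptUnsafe(JS_PAYLOAD)), '/', runSnippet(scriptSafe(JS_PAYLOAD)));
```

The point the three contexts share is that the Windows character rule was designed for the file system, not for any of the downstream grammars: it happens to block `<`, `>` and `"`, but `'`, `;`, `&`, `=` and the brackets the answer mentions all pass, and each grammar is broken by a different subset of them. Validating the filename is still worth doing, but the defence that actually holds is applied at each sink: bind parameters for the Oracle statement, escape when serialising into XML, and encode as a proper string literal (or, better, never build script source from data) on the browser side.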

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow