在NHibernate中的sql表达式中给参数 [英] give parameters in sql expression in NHibernate
问题描述
我想在NHibernate的查询中使用归类,显然唯一的方法(至少从我发现的方法中)是通过添加sql表达式(
I want to use collation in a query in NHibernate and apparently the only way to do that (at least from what I found) is through adding an sql expression (Can I customize collation of query results in nHibernate?)
所以我有类似的东西
c.Add(Expression.Sql("Title COLLATE Divehi_90_BIN2 LIKE ?",
title,
NHibernateUtil.String))
但是这与确切的字符串匹配,我想在两边都使用%.
However this matches the exact string and I want to use % on both sides.
Title COLLATE Divehi_90_BIN2 LIKE %?%
给我一个错误,
但将其填充在标题上:"%" + title + "%"
可行.
but padding it on the title: "%" + title + "%"
works.
我的问题是-有没有一种方法可以正确地在Expression.Sql中提供参数,因为在两侧都使用%看起来像一个安全漏洞-我正在邀请查询注入.
My question is - Is there a way to properly give parameters in Expression.Sql because using the % on both sides looks like a security flaw - that I am inviting query injection.
PS.我无法在数据库级别更改列的排序规则,因为该列包含两种语言的数据.
PS. I can't change the collation of the column at the database level because the column contains data that are of two languages.
推荐答案
问题是%@p0%
不是带引号的字符串,即'%@p0%'
.
The problem is that %@p0%
is not a quoted string, i.e. '%@p0%'
.
从 NHibernate文档看来,这是推荐的形式. /p>
From the NHibernate documentation it seems this is the recommended form.
Expression.Sql("Title COLLATE Divehi_90_BIN2 LIKE ?",
String.Format("%{0}%", title),
NHibernateUtil.String)
请注意,字符串String.Format("%{0}%", title)
将作为参数传递,因此您不会通过这种方法邀请sql注入攻击.
Please note that the string String.Format("%{0}%", title)
will be passed in as a parameter so you are not inviting sql injection attacks by this approach.
这篇关于在NHibernate中的sql表达式中给参数的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!