在NHibernate中的sql表达式中给参数 [英] give parameters in sql expression in NHibernate

问题描述

我想在NHibernate的查询中使用归类，显然唯一的方法(至少从我发现的方法中)是通过添加sql表达式(

I want to use collation in a query in NHibernate and apparently the only way to do that (at least from what I found) is through adding an sql expression (Can I customize collation of query results in nHibernate?)

所以我有类似的东西

c.Add(Expression.Sql("Title COLLATE Divehi_90_BIN2 LIKE ?", 
                     title, 
                     NHibernateUtil.String))

但是这与确切的字符串匹配，我想在两边都使用％.

However this matches the exact string and I want to use % on both sides.

Title COLLATE Divehi_90_BIN2 LIKE %?%给我一个错误，

但将其填充在标题上:"%" + title + "%"可行.

but padding it on the title: "%" + title + "%" works.

我的问题是-有没有一种方法可以正确地在Expression.Sql中提供参数，因为在两侧都使用％看起来像一个安全漏洞-我正在邀请查询注入.

My question is - Is there a way to properly give parameters in Expression.Sql because using the % on both sides looks like a security flaw - that I am inviting query injection.

PS.我无法在数据库级别更改列的排序规则，因为该列包含两种语言的数据.

PS. I can't change the collation of the column at the database level because the column contains data that are of two languages.

推荐答案

问题是%@p0%不是带引号的字符串，即'%@p0%'.

The problem is that %@p0% is not a quoted string, i.e. '%@p0%'.

从 NHibernate文档看来，这是推荐的形式. /p>

From the NHibernate documentation it seems this is the recommended form.

Expression.Sql("Title COLLATE Divehi_90_BIN2 LIKE ?", 
               String.Format("%{0}%", title),
               NHibernateUtil.String)

请注意，字符串String.Format("%{0}%", title)将作为参数传递，因此您不会通过这种方法邀请sql注入攻击.

Please note that the string String.Format("%{0}%", title) will be passed in as a parameter so you are not inviting sql injection attacks by this approach.

这篇关于在NHibernate中的sql表达式中给参数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！