如何防止“SQL注入”在核心数据？ [英] How to prevent "SQL Injection" in Core Data?

问题描述

我在几次迭代中构建了一个非常复杂的谓词，并希望在谓词中立即提供匹配的值。

而不是：

  [NSPredicate predicateWithFormat：@departmentName like [c]％@]; 
  

我想做：

NSString * str = [NSString stringWithFormat：@departmentName like [c]'％@'，departmentName];
[NSPredicate predicateWithFormat：str];

由于这是一个愚蠢的替换，我想通过输入垃圾可以 p>

我找不到任何可以神奇地引用给我的价值的东西。

原因是需要在几次迭代中构建复杂的谓词，因此我必须构造一个大的谓词字符串。模板不能与SUBQUERY一起使用。所以我需要立即在字符串中提供值，因为我不想做出20种不同的谓词初始化，取决于我有多少值我对谓词格式。

解决方案

直接使用 NSComparisonPredicate ，绕过谓词格式问题。

  NSPredicate * fetchPredicate = [NSComparisonPredicate predicateWithLeftExpression：[NSExpression expressionForKeyPath：@departmentName] 
 rightExpression：[NSExpression expressionForConstantValue：searchTerm] 
 modifier：NSDirectPredicateModifier 
 type：NSLikePredicateOperatorType 
 options：0]; 
  

阅读谓词编程指南在代码中直接创建谓词，并检查 NSComparisonPredicate

I am building a pretty complex predicate in several iterations, and want to supply the matching values right away in the predicate.

Instead of:

[NSPredicate predicateWithFormat:@"departmentName like[c] %@"];

I want to do:

NSString *str = [NSString stringWithFormat:@"departmentName like[c] '%@'", departmentName]; [NSPredicate predicateWithFormat:str];

Since this is a dumb substitution, I guess it's possible to "hack" the predicate accidently by entering garbage.

I couldn't find anything that would "magically quote" that value for me.

Reason is, that I need to build up a complex predicate in several iterations, so I have to construct a big predicate string. Templates don't work with SUBQUERY. So I need to provide the values right away in the string, since I don't want to make 20 different predicate initializations depending on how many values I have for the predicate format.

解决方案

Use NSComparisonPredicate directly, and bypass the predicate format issues.

NSPredicate *fetchPredicate = [NSComparisonPredicate predicateWithLeftExpression:[NSExpression expressionForKeyPath:@"departmentName"]
                                                                 rightExpression:[NSExpression expressionForConstantValue:searchTerm]
                                                                        modifier:NSDirectPredicateModifier
                                                                            type:NSLikePredicateOperatorType
                                                                         options:0];

Have a read through the Predicate Programming Guide "Creating Predicates Directly in Code", and check the class reference for NSComparisonPredicate

这篇关于如何防止“SQL注入”在核心数据？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！