如何防止“SQL注入”在核心数据? [英] How to prevent "SQL Injection" in Core Data?
问题描述
我在几次迭代中构建了一个非常复杂的谓词,并希望在谓词中立即提供匹配的值。
而不是:
[NSPredicate predicateWithFormat:@departmentName like [c]%@];
我想做:
NSString * str = [NSString stringWithFormat:@departmentName like [c]'%@',departmentName];
[NSPredicate predicateWithFormat:str];
由于这是一个愚蠢的替换,我想通过输入垃圾可以 p>
我找不到任何可以神奇地引用给我的价值的东西。
原因是需要在几次迭代中构建复杂的谓词,因此我必须构造一个大的谓词字符串。模板不能与SUBQUERY一起使用。所以我需要立即在字符串中提供值,因为我不想做出20种不同的谓词初始化,取决于我有多少值我对谓词格式。
直接使用 NSComparisonPredicate
,绕过谓词格式问题。
NSPredicate * fetchPredicate = [NSComparisonPredicate predicateWithLeftExpression:[NSExpression expressionForKeyPath:@departmentName]
rightExpression:[NSExpression expressionForConstantValue:searchTerm]
modifier:NSDirectPredicateModifier
type:NSLikePredicateOperatorType
options:0];
阅读谓词编程指南在代码中直接创建谓词,并检查 NSComparisonPredicate
I am building a pretty complex predicate in several iterations, and want to supply the matching values right away in the predicate.
Instead of:
[NSPredicate predicateWithFormat:@"departmentName like[c] %@"];
I want to do:
NSString *str = [NSString stringWithFormat:@"departmentName like[c] '%@'", departmentName]; [NSPredicate predicateWithFormat:str];
Since this is a dumb substitution, I guess it's possible to "hack" the predicate accidently by entering garbage.
I couldn't find anything that would "magically quote" that value for me.
Reason is, that I need to build up a complex predicate in several iterations, so I have to construct a big predicate string. Templates don't work with SUBQUERY. So I need to provide the values right away in the string, since I don't want to make 20 different predicate initializations depending on how many values I have for the predicate format.
Use NSComparisonPredicate
directly, and bypass the predicate format issues.
NSPredicate *fetchPredicate = [NSComparisonPredicate predicateWithLeftExpression:[NSExpression expressionForKeyPath:@"departmentName"]
rightExpression:[NSExpression expressionForConstantValue:searchTerm]
modifier:NSDirectPredicateModifier
type:NSLikePredicateOperatorType
options:0];
Have a read through the Predicate Programming Guide "Creating Predicates Directly in Code", and check the class reference for NSComparisonPredicate
这篇关于如何防止“SQL注入”在核心数据?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!