Hi,
I have implemented the following simplified code to run a dynamic SQL query
using the Nhibernate 'data access' facility:
    query = @"select ... x = :x";
    if (_search != null)
    {
        if (searchOper.Equals("cn")) // contains
        {
            search_expression = String.Format(" and {0} like '%{1}%'",
                searchField, searchString.ToLower());
        }
        if (searchOper.Equals("bw")) // begins with
        {
            search_expression = String.Format(" and {0} like '{1}%'",
                searchField, searchString.ToLower());
        }
        if (searchOper.Equals("ew")) // ends with
        {
            search_expression = String.Format(" and {0} like '%{1}'",
                searchField, searchString.ToLower());
        }
        if (searchOper.Equals("eq")) // equal
        {
            search_expression = String.Format(" and {0} = '{1}'",
                searchField, searchString.ToLower());
        }
    }
    if (sord.Trim().Equals("desc") == true)
    {
        order_expression = String.Format(" order by {0} desc", sidx);
    }
    else
    {
        order_expression = String.Format(" order by {0} asc", sidx);
    }
    query += search_expression + order_expression;
    original_data = NHibernateHelper.GetCurrentSession().CreateSQLQuery(query)
        .SetParameter("x", x)
        .List<object>();
This works fine, but I think it could be improved. For example, is there a
danger of a SQL injection attack?
An improvement would be to use SetParameter and/or SetString to change the
original query and add the search_expression and order_expression. However,
I seem to have problems with this. ADO.NET, which I presume NHibernate uses,
says it cannot execute the query when I try to use SetParameter and/or
SetString.
Any idea why that is? Or is my code ok?
Thanks in advance.
Best wishes,
Christian
You received this message because you are subscribed to the Google Groups
"nhusers" group.
For more options, visit this group at
http://groups.google.com/group/nhusers?hl=en
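Added example, not code from the post above and not part of NHibernate: the same search/sort query rebuilt so that only values travel as bound parameters while every identifier (searchField, sidx) and keyword (asc/desc) is checked against a fixed whitelist. This is the reason SetParameter cannot take over order_expression or the column name: a bound parameter is a value, so "order by :sidx" would sort by a constant string rather than by a column, and ":field like ..." would compare a constant; the identifier has to be validated and then written into the SQL text. Python's sqlite3 stands in for CreateSQLQuery/SetParameter (it uses the same ":name" placeholders); the users table, its columns and rows, and the helper names build_query, build_query_unsafe, escape_like, run and rejects are all constructed for this demonstration. build_query_unsafe reproduces the original String.Format pattern so the two can be compared on the same input.

```python
"""Whitelist identifiers, bind values: dynamic search/sort without injection.

sqlite3 stands in for NHibernate's CreateSQLQuery/SetParameter; the table,
rows and helper names are constructed for this example (assumptions).
"""
import sqlite3

# Constructed sample data (id, name, email, dept)
ROWS = [
    (1, "Alice", "alice@example.com", "sales"),
    (2, "Bob", "bob@example.com", "sales"),
    (3, "Carol", "carol@example.com", "eng"),
    (4, "Dave", "d_ave@example.com", "sales"),
    (5, "Erin", "erin@example.com", "eng"),
]

# Identifiers and keywords cannot be bound as parameters, so the values the
# grid sends for searchField / sidx / sord are checked against fixed sets.
SEARCHABLE_COLUMNS = frozenset({"name", "email"})
SORTABLE_COLUMNS = frozenset({"id", "name", "email"})
# operator -> (prefix, suffix) wildcards placed around the escaped search text
LIKE_OPERATORS = {"cn": ("%", "%"), "bw": ("", "%"), "ew": ("%", "")}
LIKE_ESCAPE = "\\"


def escape_like(value: str) -> str:
    """Escape LIKE metacharacters so the user's text is matched literally."""
    return (value.replace(LIKE_ESCAPE, LIKE_ESCAPE * 2)
                 .replace("%", LIKE_ESCAPE + "%")
                 .replace("_", LIKE_ESCAPE + "_"))


def build_query(x, search_field=None, search_oper=None, search_string=None,
                sidx="id", sord="asc"):
    """Return (sql, params): user *values* are bound, identifiers whitelisted."""
    sql = "select id, name, email from users where dept = :x"
    params = {"x": x}
    if search_field is not None:
        if search_field not in SEARCHABLE_COLUMNS:
            raise ValueError(f"unsearchable column: {search_field!r}")
        text = search_string.lower()
        if search_oper == "eq":
            sql += f" and lower({search_field}) = :search"
            params["search"] = text
        elif search_oper in LIKE_OPERATORS:
            prefix, suffix = LIKE_OPERATORS[search_oper]
            sql += f" and lower({search_field}) like :search escape '{LIKE_ESCAPE}'"
            params["search"] = prefix + escape_like(text) + suffix
        else:
            raise ValueError(f"unknown operator: {search_oper!r}")
    if sidx not in SORTABLE_COLUMNS:
        raise ValueError(f"unsortable column: {sidx!r}")
    # Only the two literal keywords can ever reach the SQL text.
    direction = "desc" if sord.strip().lower() == "desc" else "asc"
    sql += f" order by {sidx} {direction}"
    return sql, params


def build_query_unsafe(x, search_field, search_string):
    """The original String.Format pattern ('cn' case): the search text is
    spliced into the SQL, so quotes and comment markers in it rewrite it."""
    sql = (f"select id, name, email from users where dept = :x"
           f" and {search_field} like '%{search_string.lower()}%' order by id")
    return sql, {"x": x}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users "
                 "(id integer primary key, name text, email text, dept text)")
    conn.executemany("insert into users values (?, ?, ?, ?)", ROWS)
    return conn


def run(builder, *args, **kwargs):
    """Build the query with `builder` and execute it against a fresh DB."""
    sql, params = builder(*args, **kwargs)
    conn = make_db()
    try:
        return [tuple(r) for r in conn.execute(sql, params)]
    finally:
        conn.close()


def rejects(**kwargs) -> bool:
    """True if build_query refuses these grid parameters."""
    try:
        build_query("sales", **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "' or 1=1 --"
    print(run(build_query_unsafe, "sales", "name", payload))  # every row, all depts
    print(run(build_query, "sales", "name", "cn", payload))   # [] : matched literally
    print(run(build_query, "sales", "email", "cn", "_a"))     # only d_ave: '_' escaped
    print(rejects(sidx="id; drop table users"))               # True
```

The unsafe builder leaks rows from every department and silently drops the order by, because the spliced quote closes the literal and "--" comments out the rest; the parameterised version sends the same text as one value and finds nothing. The LIKE escaping matters even without hostile input: an unescaped "_" in the search text is a single-character wildcard, so "_a" would match every address containing "xa" in example.com rather than the one containing a literal underscore.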