I think you should use criteria for this kind of query.

2009/8/26 Christian Setzkorn <[email protected]>

> Hi,
>
> I have implemented the following simplified code to run a dynamic SQL query
> using the NHibernate 'data access' facility:
>
>             query = @"select ... x = :x";
>
>             if (_search != null)
>             {
>                 if (searchOper.Equals("cn")) // contains
>                 {
>                     search_expression = String.Format(" and {0} like '%{1}%'", searchField, searchString.ToLower());
>                 }
>
>                 if (searchOper.Equals("bw")) // begins with
>                 {
>                     search_expression = String.Format(" and {0} like '{1}%'", searchField, searchString.ToLower());
>                 }
>
>                 if (searchOper.Equals("ew")) // ends with
>                 {
>                     search_expression = String.Format(" and {0} like '%{1}'", searchField, searchString.ToLower());
>                 }
>
>                 if (searchOper.Equals("eq")) // equal
>                 {
>                     search_expression = String.Format(" and {0} = '{1}'", searchField, searchString.ToLower());
>                 }
>             }
>
>             if (sord.Trim().Equals("desc") == true)
>             {
>                 order_expression = String.Format(" order by {0} desc", sidx);
>             }
>             else
>             {
>                 order_expression = String.Format(" order by {0} asc", sidx);
>             }
>
>             query += search_expression + order_expression;
>
>             original_data = NHibernateHelper.GetCurrentSession().CreateSQLQuery(query)
>                 .SetParameter("x", x)
>                 .List<object>();
>
> This works fine but I think it could be improved. For example, is there a
> danger of an SQL injection attack?
>
> An improvement would be to use SetParameter and/or SetString to change the
> original query and add the search_expression and order_expression. However,
> I seem to have problems with this. ADO.NET, which I presume NHibernate
> uses, says it cannot execute the query when I try to use SetParameter and/or
> SetString.
>
> Any idea why that is? Or is my code ok?
>
> Thanks in advance.
>
> Best wishes,
>
> Christian
>

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"nhusers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/nhusers?hl=en
-~----------~----~----~----~------~----~------~--~---
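The following is an added example, not code from the original thread or from NHibernate itself. It shows the three points the question touches: the posted concatenation is injectable through searchField, searchString, sidx and sord (the only bound value is x); SetParameter/SetString fail when used for the column and sort names because a bound parameter can only stand for a value, never for an identifier or the asc/desc keyword, so those must be checked against an allow-list instead; and the Criteria API the reply recommends, where the value is always a bound parameter and no SQL text is assembled from input. The Item entity and its columns, the assumed `x` filter column, the hypothetical SafeSearch/RequireColumn helpers and the jqGrid-style operator codes (cn, bw, ew, eq) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using NHibernate;
using NHibernate.Criterion;

// Added example; Item, its columns and the operator codes are assumptions.
public static class SafeSearch
{
    // Allow-list: the only columns the grid may search or sort on. Identifiers
    // cannot be bound as parameters, so they are validated, not parameterised.
    private static readonly Dictionary<string, string> AllowedColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "Name", "Name" },
            { "Code", "Code" },
            { "Description", "Description" },
        };

    // 1. Vulnerable form: the same String.Format as the post. The returned text
    //    is what the database would receive; shown only, never executed.
    public static string UnsafeSql(string searchField, string searchString)
    {
        return "select * from Item where x = :x"
            + String.Format(" and {0} like '%{1}%'", searchField, searchString.ToLower());
    }

    // 2. Hardened native-SQL form: identifiers come from the allow-list, the
    //    operator selects a fixed fragment, and the LIKE pattern is built in
    //    code and bound with SetString. Note that ":pattern" is not quoted.
    public static IList<object> SafeNativeSearch(ISession session, object x,
        string searchField, string searchOper, string searchString,
        string sidx, string sord)
    {
        string column = RequireColumn(searchField);
        string sortColumn = RequireColumn(sidx);
        string direction = IsDescending(sord) ? "desc" : "asc";
        string value = searchString.ToLower();
        string condition;
        string pattern;
        switch (searchOper)
        {
            case "cn": condition = " and {0} like :pattern"; pattern = "%" + value + "%"; break;
            case "bw": condition = " and {0} like :pattern"; pattern = value + "%"; break;
            case "ew": condition = " and {0} like :pattern"; pattern = "%" + value; break;
            case "eq": condition = " and {0} = :pattern"; pattern = value; break;
            default: throw new ArgumentException("Unknown search operator", "searchOper");
        }

        string sql = "select * from Item where x = :x"
            + String.Format(condition, column)
            + String.Format(" order by {0} {1}", sortColumn, direction);

        return session.CreateSQLQuery(sql)
            .SetParameter("x", x)
            .SetString("pattern", pattern)
            .List<object>();
    }

    // 3. Criteria form, as the reply suggests: the value is always a bound
    //    parameter and the property name is resolved against the mapping.
    public static IList<Item> CriteriaSearch(ISession session,
        string searchField, string searchOper, string searchString,
        string sidx, string sord)
    {
        string property = RequireColumn(searchField);
        string sortProperty = RequireColumn(sidx);
        ICriteria criteria = session.CreateCriteria(typeof(Item));
        switch (searchOper)
        {
            case "cn": criteria.Add(Restrictions.InsensitiveLike(property, searchString, MatchMode.Anywhere)); break;
            case "bw": criteria.Add(Restrictions.InsensitiveLike(property, searchString, MatchMode.Start)); break;
            case "ew": criteria.Add(Restrictions.InsensitiveLike(property, searchString, MatchMode.End)); break;
            case "eq": criteria.Add(Restrictions.Eq(property, searchString).IgnoreCase()); break;
            default: throw new ArgumentException("Unknown search operator", "searchOper");
        }
        criteria.AddOrder(IsDescending(sord) ? Order.Desc(sortProperty) : Order.Asc(sortProperty));
        return criteria.List<Item>();
    }

    private static bool IsDescending(string sord)
    {
        return sord != null && "desc".Equals(sord.Trim(), StringComparison.OrdinalIgnoreCase);
    }

    // Returns the canonical column name from the allow-list, never the caller's string.
    private static string RequireColumn(string name)
    {
        string column;
        if (name == null || !AllowedColumns.TryGetValue(name, out column))
            throw new ArgumentException("Field is not searchable: " + name);
        return column;
    }
}

// Assumed mapped entity (mapping omitted).
public class Item
{
    public virtual int Id { get; set; }
    public virtual string Name { get; set; }
    public virtual string Code { get; set; }
    public virtual string Description { get; set; }
}
```

With the vulnerable form, a searchString such as `a%' or 1=1 --` closes the quoted literal, appends its own condition and comments out the rest of the statement, and a hostile searchField or sidx is spliced in as raw SQL with no quoting at all. In the hardened forms the value travels as a parameter, so it can only ever be compared, not parsed. One remaining caveat: `%` and `_` inside a bound LIKE pattern still act as wildcards, which affects what a search matches but not what SQL runs; escaping them needs an ESCAPE clause whose syntax is dialect-specific, so it is left out here.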
