Postgres FromSqlRaw doesn't take params correctly

TL;DR:

Below is a working INSECURE method of performing string interpolation.
```csharp
[HttpGet("/home/dashboard/search")]
public async Task<ActionResult> dashboard_search([FromQuery] string search_string)
{
    // INSECURE: the user-supplied search_string is interpolated straight into the SQL text,
    // so any quote or SQL syntax in the query-string parameter becomes part of the statement.
    var query_string = $"select id, country_code, country_name, count(*) OVER() as total_count from ipaddresses where ipaddress::text LIKE '%{search_string}%' limit 8;";
    var results = await this._context.getDashboardSearchIpAddresses.FromSqlRaw(query_string).ToListAsync();
    return Ok(results);
}
```
This is, however, vulnerable to SQL injection. <-- DON'T DO THIS !!!

The Microsoft documentation says the following:

FromSqlInterpolated is similar to FromSqlRaw but allows you to use string interpolation syntax. Just like FromSqlRaw, FromSqlInterpolated can only be used on query roots. As with the previous example, the value is converted to a DbParameter and isn't vulnerable to SQL injection.

When I try to use FromSqlRaw I get an empty result set:
```csharp
[HttpGet("/home/dashboard/search")]
public async Task<ActionResult> dashboard_search([FromQuery] string search_string)
{
    // The {0} placeholder is written inside the SQL string literal '%{0}%', so the search value
    // is never bound as a parameter; LIKE compares against that literal text and matches nothing.
    var results = await this._context.getDashboardSearchIpAddresses.FromSqlRaw("select id, country_code, country_name, count(*) OVER() as total_count from ipaddresses where ipaddress::text LIKE '%{0}%' limit 8;", search_string).ToListAsync();
    return Ok(results);
}
```
See reference: https://docs.microsoft.com/en-us/ef/core/querying/raw-sql
Sorry, not in front of a PC to test, maybe something like:

```csharp
// The LIKE wildcards belong in the parameter value, not in the SQL text:
// "LIKE %{searchParam}%" would leave bare % characters in the statement and fail to parse.
var searchParam = new SqlParameter("searchParam", $"%{search_string}%");
var results = await this._context.getDashboardSearchIpAddresses.FromSqlInterpolated($"select id, country_code, country_name, count(*) OVER() as total_count from ipaddresses where ipaddress::text LIKE {searchParam} limit 8").ToListAsync();
```
Or this using Raw:

```csharp
// Named DbParameter referenced from the SQL as @searchParam; the % wildcards are part of its value.
var searchParam = new SqlParameter("searchParam", $"%{search_string}%");
var results = await this._context.getDashboardSearchIpAddresses.FromSqlRaw("select id, country_code, country_name, count(*) OVER() as total_count from ipaddresses where ipaddress::text LIKE @searchParam limit 8;", searchParam).ToListAsync();
```
The above is the 'correct' answer for all cases, except when using Postgres:

```csharp
// Npgsql rejects SqlParameter (the SQL Server type); the provider-specific NpgsqlParameter is required.
var searchParam = new NpgsqlParameter("searchParam", $"%{search_string}%");
var results = await this._context.getDashboardSearchIpAddresses.FromSqlRaw("select id, split_part(text(ipaddress),'/',1) as ipaddress, country_code, country_name, count(*) OVER() as total_count from ipaddresses where ipaddress::text LIKE @searchParam limit 8;", searchParam).ToListAsync();
```
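A complete, parameterised version of the Postgres search from this thread, added here as an example; it is not code from the question or from either answer. The names AppDbContext, DashboardSearchRow, DashboardController and the route for the interpolated variant are assumptions of mine; the SQL is the one from the thread. Beyond what the answers show, it also escapes the LIKE metacharacters in the user's input, since a search string of "%" would otherwise match every row and "_" any single character.

```csharp
// Added example, not from the question or answers. Assumes EF Core with the Npgsql provider.
using System.ComponentModel.DataAnnotations.Schema;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Npgsql;

// Hypothetical keyless projection of the columns the search returns.
public class DashboardSearchRow
{
    [Column("id")] public int Id { get; set; }
    [Column("ipaddress")] public string IpAddress { get; set; } = "";
    [Column("country_code")] public string CountryCode { get; set; } = "";
    [Column("country_name")] public string CountryName { get; set; } = "";
    [Column("total_count")] public long TotalCount { get; set; }
}

// Hypothetical DbContext; the real one in the question exposes getDashboardSearchIpAddresses.
public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<DashboardSearchRow> DashboardSearchIpAddresses => Set<DashboardSearchRow>();
    protected override void OnModelCreating(ModelBuilder mb) =>
        mb.Entity<DashboardSearchRow>().HasNoKey();
}

public class DashboardController : ControllerBase
{
    private readonly AppDbContext _context;
    public DashboardController(AppDbContext context) => _context = context;

    // Escape LIKE metacharacters so the user's text is matched literally.
    // Backslash is replaced first so that the escapes added afterwards are not doubled.
    private static string EscapeLike(string s) =>
        s.Replace(@"\", @"\\").Replace("%", @"\%").Replace("_", @"\_");

    [HttpGet("/home/dashboard/search")]
    public async Task<ActionResult> DashboardSearch([FromQuery] string search_string)
    {
        // Wildcards live in the parameter VALUE, never in the SQL text. Writing '%{0}%' inside
        // quotes makes the placeholder part of a string literal, which is why the question's
        // second attempt returned no rows.
        var pattern = new NpgsqlParameter("pattern", "%" + EscapeLike(search_string ?? "") + "%");

        var results = await _context.DashboardSearchIpAddresses
            .FromSqlRaw(
                "select id, split_part(text(ipaddress),'/',1) as ipaddress, country_code, country_name, " +
                "count(*) OVER() as total_count from ipaddresses " +
                "where ipaddress::text LIKE @pattern ESCAPE '\\' limit 8;",
                pattern)
            .ToListAsync();

        return Ok(results);
    }

    // Same query via FromSqlInterpolated: EF Core turns the {pattern} hole into a DbParameter
    // itself, so no NpgsqlParameter object is needed and the SQL text never contains user input.
    [HttpGet("/home/dashboard/search-interpolated")]
    public async Task<ActionResult> DashboardSearchInterpolated([FromQuery] string search_string)
    {
        var pattern = "%" + EscapeLike(search_string ?? "") + "%";

        var results = await _context.DashboardSearchIpAddresses
            .FromSqlInterpolated(
                $"select id, split_part(text(ipaddress),'/',1) as ipaddress, country_code, country_name, count(*) OVER() as total_count from ipaddresses where ipaddress::text LIKE {pattern} ESCAPE '\\' limit 8;")
            .ToListAsync();

        return Ok(results);
    }
}
```

Either action sends Postgres a statement with a single bound parameter; a quick way to confirm is to enable EF Core's sensitive data logging in development and check that the logged command text contains `@pattern` (or `@p0` for the interpolated form) rather than the search string itself.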