
Hibernate Query Escaping (from Grails' GORM) - again

I have seen many related questions, but none of them is exactly my problem.

General question: where exactly is it specified how things get escaped in Hibernate, in particular for Grails GORM?

Particular problem:

I want to execute this:

"WHERE extractValue(field, '//value[@my_attribute=\""+localeStr+"\"]')"

As you can see, localeStr is not escaped, and it is included in a string inside another string. How can I escape this, if possible with a parameter (something like :parameter)?

Thanks.

Here, I believe, in the "bind parameters" section. Plus general Groovy escaping.

Though, sorry, it's not clear - escape what? Do you need localeStr to contain a parameter, or opposite, to sanitize out any possible parameter?

Removing ":" and "?" should do, as for me. Though, it's a bad idea to concatenate an untrusted String directly into a query anyway.

The best approach to sanitize a String parameter is to, er, pass it as a parameter:

DomainClass.findAll(
   "WHERE extractValue(field, '//value[@my_attribute=:attrValue]')",
   [attrValue: localeStr])

See the findAll() doc.
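The pattern the answer recommends, written out as an added Groovy example. This is not code from the question or the answer and not GORM's own source; it assumes the question's GORM domain class DomainClass with an XML-valued property field, a database dialect that exposes extractValue, and GORM's findAll(String hql, Map namedParams) that the answer links to. The class name LocaleQuery, the `is not null` predicate (the question only shows a fragment) and the allow-list regex are my own additions. One caveat the example handles: Hibernate does not substitute a `:name` placeholder that sits inside a quoted HQL string literal, so the parameter is kept outside the literal and joined to the XPath skeleton with concat().

```groovy
// Added example (not from the question or answer): the concatenated query
// from the question beside a parameterised version of the same query.
class LocaleQuery {

    // The question's original form: localeStr becomes part of the HQL text,
    // so any quote or bracket it contains changes the structure of the query
    // (HQL/SQL injection). Kept here only to show what the safe form replaces.
    static String unsafeHql(String localeStr) {
        return "from DomainClass where extractValue(field, '//value[@my_attribute=\"" +
               localeStr + "\"]') is not null"
    }

    // Hardened form. The XPath skeleton stays a constant literal and the user
    // value is bound through a named parameter. A ':attrValue' written inside
    // the quoted literal would be left as literal text by Hibernate, so the
    // parameter is placed outside the literal and joined with concat().
    static final String SAFE_HQL =
        "from DomainClass where extractValue(field, " +
        "concat('//value[@my_attribute=\"', :attrValue, '\"]')) is not null"

    // Second layer (assumed shape): locale tags look like en, en_US, zh-Hant.
    // Binding is the real defence; the allow-list just rejects obvious garbage early.
    static boolean isLocaleTag(String s) {
        return s != null && (s ==~ /[A-Za-z]{2,3}([_-][A-Za-z0-9]{2,8})*/)
    }

    // Assumed GORM call: DomainClass.findAll(String hql, Map namedParams).
    static List findByLocale(String localeStr) {
        if (!isLocaleTag(localeStr)) {
            throw new IllegalArgumentException("not a locale tag: " + localeStr)
        }
        return DomainClass.findAll(SAFE_HQL, [attrValue: localeStr])
    }
}
```

With the bound parameter, the value of localeStr travels to the driver separately from the query text, so quotes or brackets in it are compared as data rather than parsed as HQL. If your dialect does not register concat() as a variadic function, nest two-argument calls instead; the point is that the user value never becomes part of the string literal in the query text.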
