Question

我正在尝试参数化当前正在运行且SQL注入攻击已经成熟的查询：

qryAwards = ORMExecuteQuery(
    "from Award where awardID in (#form.deleteAwardList#) and Game.Season.User.userID=:uid",
    {uid=session.userID}
);
if(not isNull(qryAwards) and arrayLen(qryAwards)){
    for(i in qryAwards){
        entityDelete(i);
    }
}

我尝试了这个，让param没有单引号：

qryAwards = ORMExecuteQuery(
    "from Award where awardID in (:awardList) and Game.Season.User.userID=:uid",
    {awardList=form.deleteAwardList, uid=session.userID}
);

我一直收到以下错误：

The value 117,118 cannot be converted to a number.

这一点，用单引号括起来的参数：

qryAwards = ORMExecuteQuery(
    "from Award where awardID in (':awardList') and Game.Season.User.userID=:uid",
    {awardList=form.deleteAwardList, uid=session.userID}
);

给我发出以下错误：

Invalid parameters specified for the query.

Answer 1

在HQL中（这是您在执行ORMExecuteQuery()时使用的内容）IN子句中使用的参数需要作为数组传递。您需要将form.deleteAwardList转换为数组。有几种不同的方法可以解决这个问题，但这会有效。

qryAwards = ORMExecuteQuery(
    "from Award where awardID in (:awardList) and Game.Season.User.userID=:uid",
    {awardList=listToArray( form.deleteAwardList ), uid=session.userID}
);

使用where子句参数化ORM查询

1 个答案: