Tek*_*kus 6 coldfusion orm hibernate
我正在尝试参数化当前正在运行且SQL注入攻击已经成熟的查询:
qryAwards = ORMExecuteQuery(
"from Award where awardID in (#form.deleteAwardList#) and Game.Season.User.userID=:uid",
{uid=session.userID}
);
if(not isNull(qryAwards) and arrayLen(qryAwards)){
for(i in qryAwards){
entityDelete(i);
}
}
我试过这个,没有单引号的param:
qryAwards = ORMExecuteQuery(
"from Award where awardID in (:awardList) and Game.Season.User.userID=:uid",
{awardList=form.deleteAwardList, uid=session.userID}
);
我一直收到以下错误:
The value 117,118 cannot be converted to a number.
这个,用单引号括起来:
qryAwards = ORMExecuteQuery(
"from Award where awardID in (':awardList') and Game.Season.User.userID=:uid",
{awardList=form.deleteAwardList, uid=session.userID}
);
得到以下错误:
Invalid parameters specified for the query.
在HQL中(当您这样做时ORMExecuteQuery()使用),IN子句中使用的参数需要作为数组传递.您需要转换form.deleteAwardList为数组.有几种不同的方法来处理这个问题,但这会有效.
qryAwards = ORMExecuteQuery(
"from Award where awardID in (:awardList) and Game.Season.User.userID=:uid",
{awardList=listToArray( form.deleteAwardList ), uid=session.userID}
);
| 归档时间: |
|
| 查看次数: |
409 次 |
| 最近记录: |