views: 28
answers: 1
Say I have a query like:

    session.CreateCriteria(typeof(Category))
        .Add(Expression.Like("Name", someVariable));

Where someVariable was taken from the query string, do I have to do checks against SQL injection, or will NHibernate handle this?

+2  A: 

It's handled for you, but to be sure, try to do an SQL injection, just to prove it's OK.

David Roussel
+1 This is the correct answer, but to go into a bit more detail on your answer, David: the way this is handled is that NHibernate parameterises your entire query before sending it off to the database server. To see this in action, have a look at a profiler like NHProf (www.nhprof.com) so you can see the exact steps taken by NHibernate in this case :)
Jay
Good point, Jay, +1.
David Roussel
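The mechanism Jay's comment describes (the user's value travels to the server as a bound parameter, never as SQL text) and the check David suggests (actually throw an injection payload at it) can both be shown without NHibernate. The following is an added example, not code from the question or the answers, written in Python against an in-memory SQLite database with a constructed Category table; the concatenated query stands in for what a hand-built SQL string would do, and the parameterised one for what the Criteria API does with Expression.Like. The escape_like helper and the ESCAPE clause are an addition that deals with a separate point the thread does not raise: a bound LIKE pattern still honours % and _ supplied by the user.

```python
import sqlite3

# Constructed sample data standing in for the Category table in the question.
SAMPLE_CATEGORIES = [("Books",), ("Music",), ("Tools",)]


def make_db():
    """Build an in-memory SQLite database with a small Category table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Category (Id INTEGER PRIMARY KEY, Name TEXT NOT NULL)")
    conn.executemany("INSERT INTO Category (Name) VALUES (?)", SAMPLE_CATEGORIES)
    conn.commit()
    return conn


def like_concatenated(conn, pattern):
    """The unsafe shape: the query-string value is spliced into the SQL text,
    so a quote in the input changes the structure of the statement."""
    sql = "SELECT Name FROM Category WHERE Name LIKE '" + pattern + "' ORDER BY Name"
    return [row[0] for row in conn.execute(sql)]


def like_parameterised(conn, pattern):
    """The shape a parameterised criteria query produces: the SQL text is fixed
    and the value is bound separately, so the server never parses it as SQL."""
    sql = "SELECT Name FROM Category WHERE Name LIKE ? ORDER BY Name"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so user input is matched literally.
    This is not an injection concern; binding already prevents that.
    It stops '%' or '_' typed by the user from acting as wildcards."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def like_literal_prefix(conn, prefix):
    """Prefix search where the prefix itself is taken literally."""
    sql = "SELECT Name FROM Category WHERE Name LIKE ? ESCAPE '\\' ORDER BY Name"
    return [row[0] for row in conn.execute(sql, (escape_like(prefix) + "%",))]


def injection_probe(conn, payload="' OR '1'='1"):
    """David's check, mechanised: run the same payload through both shapes
    and report what each returned. The concatenated form matches every row;
    the parameterised form looks for a name that literally contains the payload."""
    return {
        "concatenated": like_concatenated(conn, payload),
        "parameterised": like_parameterised(conn, payload),
    }


if __name__ == "__main__":
    db = make_db()
    for shape, rows in injection_probe(db).items():
        print(f"{shape:14} -> {rows}")
    print("wildcard bound as data  ->", like_parameterised(db, "%"))
    print("wildcard escaped        ->", like_literal_prefix(db, "%"))
```

Running the probe shows the concatenated statement collapsing to `WHERE Name LIKE '' OR '1'='1'` and returning every category, while the bound version returns nothing because no name contains that text. The last two lines make the second point: a bound `%` is safe from injection but still matches everything, so if the query-string value is meant as literal text, escape it before adding your own wildcard.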