Fixing HQL encoding

--HG-- branch : 1.x
2025-12-02 19:44:02 +08:00 · 2013-06-07 18:23:23 -07:00
parent c2ef1f3baf
commit d8c720c2d2
2 changed files with 21 additions and 10 deletions
--- a/src/Orchard.Tests/ContentManagement/HqlExpressionTests.cs
+++ b/src/Orchard.Tests/ContentManagement/HqlExpressionTests.cs
@@ -150,6 +150,9 @@ namespace Orchard.Tests.ContentManagement {
            result = queryWhere(x => x.Like("StringStuff", "bc", HqlMatchMode.Anywhere));
            Assert.That(result.Count(), Is.EqualTo(1));

+            result = queryWhere(x => x.Like("StringStuff", "bc'", HqlMatchMode.Anywhere));
+            Assert.That(result.Count(), Is.EqualTo(0));
+
            result = queryWhere(x => x.Like("StringStuff", "ab", HqlMatchMode.Anywhere));
            Assert.That(result.Count(), Is.EqualTo(1));

--- a/src/Orchard/ContentManagement/IHqlCriterion.cs
+++ b/src/Orchard/ContentManagement/IHqlCriterion.cs
@@ -119,22 +119,30 @@ namespace Orchard.ContentManagement {
            return from object value in values select FormatValue(value, quoteStrings);
        }

+        public static string FormatValue(string value, bool quoteStrings = true) {
+            return FormatValue((object)value, quoteStrings);
+        }
+
        public static string FormatValue(object value, bool quoteStrings = true) {
            var typeCode = Type.GetTypeCode(value.GetType());
            switch (typeCode) {
                case TypeCode.String:
                    if (quoteStrings) {
-                        return String.Concat("'", Convert.ToString(value, CultureInfo.InvariantCulture), "'");
+                        return String.Concat("'", EncodeQuotes(Convert.ToString(value, CultureInfo.InvariantCulture)), "'");
                    }

-                    return Convert.ToString(value, CultureInfo.InvariantCulture);
+                    return EncodeQuotes(Convert.ToString(value, CultureInfo.InvariantCulture));
                case TypeCode.DateTime:
                    // convert the date time to a valid string representation for Hql
                    var sortableDateTime = ((DateTime)value).ToString("yyyy-MM-dd HH:mm:ss", CultureInfo.InvariantCulture);
-                    return quoteStrings ? String.Concat("'", sortableDateTime, "'") : sortableDateTime;
+                    return quoteStrings ? String.Concat("'", EncodeQuotes(sortableDateTime), "'") : sortableDateTime;
            }

-            return Convert.ToString(value, CultureInfo.InvariantCulture);
+            return EncodeQuotes(Convert.ToString(value, CultureInfo.InvariantCulture));
+        }
+
+        private static string EncodeQuotes(string value) {
+            return value.Replace("'", "''");
        }

        public static IHqlCriterion AllEq(IDictionary propertyNameValues) {
@@ -248,20 +256,20 @@ namespace Orchard.ContentManagement {
        public static BinaryExpression Like(string propertyName, string value, HqlMatchMode matchMode) {
            switch (matchMode) {
                case HqlMatchMode.Start:
-                    value = "'" + value + "%'";
+                    value = "'" + FormatValue(value, false) + "%'";
                    break;
                case HqlMatchMode.Exact:
-                    value = "'" + value + "'";
+                    value = "'" + FormatValue(value, false) + "'";
                    break;
                case HqlMatchMode.Anywhere:
-                    value = "'%" + value + "%'";
+                    value = "'%" + FormatValue(value, false) + "%'";
                    break;
                case HqlMatchMode.End:
-                    value = "'%" + value + "'";
+                    value = "'%" + FormatValue(value, false) + "'";
                    break;
            }

-            return new BinaryExpression("like", propertyName, FormatValue((object)value, false));
+            return new BinaryExpression("like", propertyName, value);
        }

        public static IHqlCriterion Lt(string propertyName, object value) {