UpdateSqlAsync的lambda转换where会多出一个别名,但表名后面却没有

Coldairarrow / EFCore.Sharding

Database Sharding For EFCore

Apache License 2.0

694 stars 143 forks source link

UpdateSqlAsync的lambda转换where会多出一个别名,但表名后面却没有 #89

Closed NCrab1998 closed 3 years ago

NCrab1998 commented 3 years ago

await Db.UpdateSqlAsync(_w => mdfPlanIds.Contains(_w.PLAN_ID), ("AUDITING", UpdateType.Equal, "-1"));

而且mdfPlanIds为毛不是以参数形式传入,这不就有SQL注入风险了么

Coldairarrow commented 3 years ago

你用的什么版本的？你想下怎么实现SQL注入？

NCrab1998 commented 3 years ago

EFCore.Sharding.Oracle 3.1.10.5 以及最新的 5.x 都试过有这个问题;

EFCore.Sharding\DbAccessor\GenericDbAccessor.cs 50行 private string GetFormatedSchemaAndTableName(Type entityType) EFCore.Sharding\DbAccessor\GenericDbAccessor.cs 137行 string sql = $"UPDATE {tableName} SET {string.Join(",", propertySetStr)} WHERE {whereSql.sql}"; 都没见给"{tableName}"加别名

Coldairarrow commented 3 years ago

使用最新版试下，应该没问题的