That type stores enum values as strings in the database. But its method for obtaining SQL compatible literal values just yields the enum value name (or string representation of the underlying type value if not named) as is, not as a SQL string literal.
So, using that type for the few features relying on ObjectToSQLString is very likely to fail. (So, using it as a discriminator, or in a query referencing a static field.)
But it does not allow a practical SQL injection since it is limited to inject a single word having .Net identifier naming constraints. So, I will not fix this in #3547 but I open an issue instead.
While working on a fix for #3516 in #3547, the case of
EnumStringType.ObjectToSQLStringappeared to be invalid on another level.https://github.com/nhibernate/nhibernate-core/blob/e8028fb802a13d02938cdccf81a33252821b8b02/src/NHibernate/Type/EnumStringType.cs#L192-L195
That type stores enum values as strings in the database. But its method for obtaining SQL compatible literal values just yields the enum value name (or string representation of the underlying type value if not named) as is, not as a SQL string literal.
So, using that type for the few features relying on
ObjectToSQLStringis very likely to fail. (So, using it as a discriminator, or in a query referencing a static field.)But it does not allow a practical SQL injection since it is limited to inject a single word having .Net identifier naming constraints. So, I will not fix this in #3547 but I open an issue instead.