Allow params and typing to criteria SQLRestriction
Closed this issue · 2 comments
jclausen commented
The Java method accepts params and typing of params ( https://github.com/hibernate/hibernate-orm/blob/master/hibernate-core/src/main/java/org/hibernate/criterion/Restrictions.java#L463 ), while the CBORM implementation accepts only the first argument of an SQL string.
Implement the ability for the method to accept an array of params as the second argument and either auto-type or allow a third argument of types.
This will allow search building which might require native DBMS functionality to stay SQL injection-safe.
lmajano commented
Noted
lmajano commented
- `sqlRestriction()` deprecated in favor of the shorthand notation: `sql()`
- The `sql()` restriction now supports binding positional parameters. You can pass them in an array and we will infer the types: `sql( "id = ? and isActive = ?", [ "123", true ] )`. Or you can pass in a struct of `{value:"", type:""}` instead:

```
restrictions.sql( "userName = ? and firstName like ?", [
    { value : "joe", type : "string" },
    { value : "%joe%", type : "string" }
] );
```
The available types are the following, which match the Hibernate Types:

```
this.TYPES = {
    "string"       : "StringType",
    "clob"         : "ClobType",
    "text"         : "TextType",
    "char"         : "CharacterType",
    "boolean"      : "BooleanType",
    "yesno"        : "YesNoType",
    "truefalse"    : "TrueFalseType",
    "byte"         : "ByteType",
    "short"        : "ShortType",
    "integer"      : "IntegerType",
    "long"         : "LongType",
    "float"        : "FloatType",
    "double"       : "DoubleType",
    "bigInteger"   : "BigIntegerType",
    "bigDecimal"   : "BigDecimalType",
    "timestamp"    : "TimestampType",
    "time"         : "TimeType",
    "date"         : "DateType",
    "calendar"     : "CalendarType",
    "currency"     : "CurrencyType",
    "locale"       : "LocaleType",
    "timezone"     : "TimeZoneType",
    "url"          : "UrlType",
    "class"        : "ClassType",
    "blob"         : "BlobType",
    "binary"       : "BinaryType",
    "uuid"         : "UUIDCharType",
    "serializable" : "SerializableType"
};
```
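An added example (Python with sqlite3, not cborm's or Hibernate's own code) of the binding behaviour described in this thread: raw values are bound as-is, `{value, type}` structs are coerced before binding, and a value that rewrites a concatenated query stays inert when bound. The `users` table, the `COERCE` map and the function names are assumptions made for the illustration.

```python
import sqlite3

# Hypothetical subset of the type names listed above, mapped to Python coercions.
COERCE = {
    "string": str,
    "integer": int,
    "double": float,
    "boolean": lambda v: str(v).lower() in ("true", "1", "yes"),
}

def normalize(params):
    """Accept raw values (driver infers the type) or {value, type} structs."""
    values = []
    for p in params:
        if isinstance(p, dict):
            if p["type"] not in COERCE:
                raise ValueError("unknown type: %s" % p["type"])
            values.append(COERCE[p["type"]](p["value"]))  # bad input raises here
        else:
            values.append(p)
    return values

def sql_restriction(conn, where, params=()):
    """Run a developer-written WHERE fragment; values travel only as binds."""
    values = normalize(params)
    if where.count("?") != len(values):  # assumes no literal '?' in the fragment
        raise ValueError("placeholder/parameter count mismatch")
    sql = "SELECT userName FROM users WHERE " + where + " ORDER BY userName"
    return [row[0] for row in conn.execute(sql, values)]

def unsafe_restriction(conn, user_name):
    """The 'before': the value is spliced into the SQL text and parsed as SQL."""
    sql = "SELECT userName FROM users WHERE userName = '%s' ORDER BY userName" % user_name
    return [row[0] for row in conn.execute(sql)]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, userName TEXT, firstName TEXT, isActive INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                     [(123, "joe", "joe", 1), (124, "ann", "ann", 0)])  # constructed rows
    hostile = "x' OR '1'='1"  # constructed input that tries to widen the WHERE clause
    typed = [{"value": "joe", "type": "string"}, {"value": "%joe%", "type": "string"}]
    return {
        "inferred": sql_restriction(conn, "id = ? and isActive = ?", [123, True]),
        "typed": sql_restriction(conn, "userName = ? and firstName like ?", typed),
        "bound_hostile": sql_restriction(conn, "userName = ?", [hostile]),
        "concat_hostile": unsafe_restriction(conn, hostile),
    }

if __name__ == "__main__":
    print(demo())
```

Declaring a type also acts as input validation: a value such as `"1 OR 1=1"` declared as `integer` fails coercion and never reaches the database.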