ignore accents on search using linq to entities (EF) - linq

I need to perform a search over a table with a string field that contains accents (á, ì, ü, etc.). I'm using EF 6.
First I tried a direct search like:
var listaResultados = db_hms.Topology
    .Where(t => t.is_active == true && (t.display_name.Contains(busqueda) || t.detail.Contains(busqueda)));
But this is accent sensitive, so then I tried this:
t.display_name.IndexOf(busqueda, StringComparison.InvariantCultureIgnoreCase) >= 0
but it is not supported in LINQ to Entities.
Any other ideas, please?
PS: I need to perform the search in a "Contains" way, not a "starts with".

These comparisons will depend on the collation you selected when creating your SQL Server database. I don't know if EF has any workarounds, but you can possibly get around this by using a stored procedure to invoke something along the lines of this:
How do I perform an accent insensitive compare (e with è, é, ê and ë) in SQL Server?

Related

case sensitive HQL injection select

I am a pentester and found an HQL injection point. I can extract the password hashes of the users, but I have to do that with more or less a blind select statement where I put an extra parameter in the where:
select count(userName) from DB where userName='admin' AND Password like 'INJECT%' AND '1'='1
For INJECT I just loop through all possibilities and get a yes or no response depending on whether it can find a password that starts with something. The bold part is the input that I have full control over.
Now my problem is that this LIKE query is case insensitive, while a hash is case sensitive.
So is there any way that I can make sure the LIKE query is executed case sensitive from only this injection point? (So I cannot do actual HQL or SQL queries besides this.)
Whether the query is case sensitive is not an inherent characteristic of the LIKE operator or = or other string functions.
It has to do with the collation of the strings being compared. That is, if either string in your comparison is a string value with a case-sensitive collation, then the comparison will be case-sensitive.
If you can inject arbitrary SQL expressions, then you can inject an expression that converts the string to a case-sensitive collation.
Example: SQL Case Sensitive String Compare
There might be some variation in the syntax based on the brand of SQL database you use. You did not say which database you're using (unless you're one of those Microsoft users who say "SQL" when you mean "Microsoft SQL Server").

Query a table and only match rows where a field matches "STRING"

During prototyping I have imported a bunch of Facebook posts into a table in batches. After the first batch I did a bulk update to convert the "created_date" column from string to a native timestamp (using the handy r.ISO8601 function):
r.db('db').table('table').update({'created_date': r.ISO8601(r.row('created_date'))})
On the second pass, when I try to repeat this update, the server throws an error because not all row fields are of type STRING (i.e. the ones previously converted), which is what ISO8601 expects.
I've already tried to filter on r.row('created_date').typeOf() == "STRING" but got no matches. I can't find any other way to refer to the STRING type as an object rather than a literal string either.
I know that I could import these out and do the if/else logic in code, but I'm interested to understand if there's a native query that will filter out rows that match a certain type.
You have to use eq for comparing like this:
r.row('created_date').typeOf().eq("STRING")
Using == only works in some languages that support operator overriding.

Oracle Contains Function Returning False BLOB Positives

I'm using the Contains function to search for strings in BLOB fields containing PDFs or Word documents. Recently I did the following search:
SELECT doc_id
FROM table_of_documents
WHERE CONTAINS (BLOB_FIELD, 'SDS.IF.00005') > 0
Most of the records returned were correct, but a few had PDFs in them that did not have "SDS.IF.00005" in them but did have "SDS.EL.00005" in them.
When I say the PDFs did not have the search term, I mean I opened them in Adobe reader and searched them using the search function and my own eyeballs, and also people extremely familiar with the documents insist that the term is not there and should not be there.
I tried treating the dots as escape characters: SDS\\.IF\\.00005 and {SDS.IF.00005}. However, I am still getting the same results.
I also tried setting CONTAINS (BLOB_FIELD, 'SDS.IF.00005') = 100, but I'm still getting documents with SDS.EL.00005 in them and not SDS.IF.00005.
Do the dots in the search term mean something like SDS.%.00005 to Oracle? Or should I be researching how to find deep hidden text in Adobe documents that's not visible to the naked eye or to the Adobe text search function?
Thanks for your help.
As far as I know, CONTAINS is an Oracle Text function that performs full text search, so Oracle is tokenizing your string, probably according to its BASIC_LEXER. This lexer uses . as a word separator. So Oracle understands your query as "return anything that matches at least one of the words 'SDS', 'IF' or '00005'". As your PDF will probably have been indexed using that same lexer, from Oracle Text's point of view your PDF contains the words 'SDS', 'EL' and '00005', so it matches 2 of 3 words and so Oracle returns that row.
Actually, 'IF' is included in Oracle Text default stopword list (words that are ignored because they are so common that they mostly introduce "noise"); so your query actually is "return anything that matches at least one of 'SDS' or '00005'". Therefore I am not surprised that a PDF that contains the literal text "SDS.EL.00005" will give you CONTAINS(BLOB_FIELD, 'SDS.IF.00005') = 100 (a "perfect" match) as you wrote.
If you want to search for a verbatim string, I think you should rather not use Oracle Text and just implement a solution using plain old DBMS_LOB.INSTR. If that is not viable, then you will have to find a way to make Oracle Text index those strings without tokenizing them.

Dynamic Query using Linq To SQL According Multiple Fields

Hi Experts,
I have a special question about dynamic LINQ to SQL.
Consider that we want to search in a table according to two fields (LetterNo (string) and LetterDate (DateTime)).
OK, the problem is that the user can enter one of those fields or even both.
I searched the internet and found the "Linq.Dynamic" library on ScottGu's weblog, but in that library, if we want to use SqlParameter in the exported command, we should use #0 and a param for that. The problem is I don't know how many fields the user entered.
I want to use one query for that and no external tool like "Linq Kit PredicateBuilder".
If I create my query string manually (and execute it using ExecuteCommand), then I will abdicate SqlParameter and the risk of SQL injection grows.
How can I do that?
Thanks
I suspect you are wanting to do something like the following:
IQueryable<Letter> query = context.Letters;
// Each Where is only appended when the user actually supplied that field.
if (!string.IsNullOrEmpty(LetterNo))
    query = query.Where(letter => letter.LetterNo == LetterNo);
if (LetterDate.HasValue)
    query = query.Where(letter => letter.LetterDate == LetterDate);
When you execute query, it will combine the necessary expressions and issue a single query to the database based on the user's input.
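For the raw-SQL route the question worries about, the filter count can vary without giving up parameters. The following is an added example, not code from the original posts, using Python's sqlite3 as a stand-in for SQL Server. The Letters table and its columns come from the question; the function names and sample rows are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample rows; table and column names follow the question.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Letters (LetterNo TEXT, LetterDate TEXT)")
    db.executemany(
        "INSERT INTO Letters VALUES (?, ?)",
        [("A-100", "2011-03-01"), ("A-101", "2011-03-01"), ("B-200", "2011-04-15")],
    )
    return db

# Fixed allow-list: SQL text comes only from these constants, never from input.
FILTERS = {
    "letter_no": "LetterNo = ?",
    "letter_date": "LetterDate = ?",
}

def build_query(letter_no=None, letter_date=None):
    """Return (sql, params) for whichever filters the user supplied."""
    supplied = {"letter_no": letter_no, "letter_date": letter_date}
    clauses, params = [], []
    for name, value in supplied.items():
        if value is not None and value != "":
            clauses.append(FILTERS[name])   # constant SQL fragment
            params.append(value)            # user value travels as data only
    sql = "SELECT LetterNo, LetterDate FROM Letters"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql + " ORDER BY LetterNo", params

def search_letters(db, letter_no=None, letter_date=None):
    sql, params = build_query(letter_no, letter_date)
    return db.execute(sql, params).fetchall()

def search_letters_concat(db, letter_no):
    # Unsafe hand-built string, shown for contrast: input becomes SQL text.
    sql = "SELECT LetterNo, LetterDate FROM Letters WHERE LetterNo = '" + letter_no + "'"
    return db.execute(sql).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(build_query("A-100", "2011-03-01"))
    print(search_letters(db, letter_date="2011-03-01"))
    hostile = "x' OR '1'='1"  # constructed hostile input
    print(len(search_letters_concat(db, hostile)), len(search_letters(db, hostile)))
```

The concatenated form returns every row for the hostile input, while the parameterized form treats it as a literal LetterNo and returns nothing.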

LINQ query does not work without .ToList()

Consider following LINQ-to-NHibernate queries:
var q1 = from se in query.ToList<SomeEntity>()
         where se.prop1 == "abc"
         select se;
var q2 = from se in q1
         where m1(se.prop2) == "def"
         select se;
q2 will not work, with the error: "The method m1 is not implemented". But when I replace q2 with the following query, everything goes OK:
var q2 = from se in q1.ToList<SomeEntity>()
         where m1(se.prop2) == "def"
         select se;
Why does this happen? How can I get the first query to work too? Is this something that happens for LINQ-to-NHibernate only, or does it happen in all LINQ queries?
Because there is no way for the LINQ provider to translate the method m1 to a compatible SQL statement.
By calling ToList<SomeEntity>(), you are reading the entire thing into memory and then using LINQ to Objects to filter (and since the query doesn't get translated to SQL in that case, there is no problem running the query).
Unfortunately there is no easy way for you to get the first query to work. If you really need to use m1 to filter results, you'll have to read things into memory first.
This is not just a LINQ to nHibernate limitation either. This will happen in any situation where a LINQ provider uses Expression Trees to convert your code into another language (in this case it is trying to convert your C# code into SQL statements which is the same thing that LINQ to SQL and Entity Framework do).
Presumably the method m1 does not have a translation to SQL (at least, the NHibernate LINQ provider can't figure out how to). When you don't have the ToList, NHibernate is trying to figure out how to convert m1 to SQL. When you do the ToList, NHibernate isn't playing a role anymore and it's LINQ-to-Objects that can handle the query. This is specific to ORMs that enable LINQ; LINQ-to-SQL and EF will suffer similar fates.
I would say that your original q2 query is being translated into an expression tree and then when NHibernate tries to parse it, it finds that the method is not a part of its implementation. Converting the query to a collection first with ToList() uses the LINQ functionality of the List which can support the m1 method.
I don't know NHibernate, but would this work?
var q2 = q1.Where(x => m1(x.prop2) == "def");
