Handle SQL injection vulnerabilities within ObjectToSQLString (#3547)

Co-authored-by: Alex Zaytsev <hazzik@gmail.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
nhibernate · Jul 2, 2024 · b4a69d1 · b4a69d1
1 parent 93b0d0e
commit b4a69d1
Show file tree

Hide file tree

Showing 54 changed files with 1,105 additions and 78 deletions.
diff --git a/doc/reference/modules/configuration.xml b/doc/reference/modules/configuration.xml
@@ -871,6 +871,20 @@ var session = sessions.OpenSession(conn);
                             </para>
                         </entry>
                     </row>
+                    <row>
+                        <entry>
+                            <literal>escape_backslash_in_strings</literal>
+                        </entry>
+                        <entry>
+                            Indicates if the database needs to have backslash escaped in string literals.
+                            The default value is dialect dependant. That is <literal>false</literal> for
+                            most dialects.
+                            <para>
+                                <emphasis role="strong">eg.</emphasis> 
+                                <literal>true</literal> | <literal>false</literal>
+                            </para>
+                        </entry>
+                    </row>
                     <row>
                         <entry>
                             <literal>show_sql</literal>
@@ -1515,12 +1529,6 @@ in the parameter binding.</programlisting>
                             <entry><literal>NHibernate.Dialect.PostgreSQLDialect</literal></entry>
                             <entry></entry>
                         </row>
-                        <row>
-                            <entry>PostgreSQL</entry>
-                            <entry><literal>NHibernate.Dialect.PostgreSQLDialect</literal></entry>
-                            <entry>
-                            </entry>
-                        </row>
                         <row>
                             <entry>PostgreSQL 8.1</entry>
                             <entry><literal>NHibernate.Dialect.PostgreSQL81Dialect</literal></entry>

diff --git a/src/NHibernate.Config.Templates/SapSQLAnywhere.cfg.xml b/src/NHibernate.Config.Templates/SapSQLAnywhere.cfg.xml
@@ -15,7 +15,7 @@ for your own use before compiling tests in Visual Studio.
 		<property name="connection.connection_string">
 			UID=DBA;PWD=sql;Server=localhost;DBN=nhibernate;DBF=c:\nhibernate.db;ASTOP=No;Enlist=false;
 		</property>
-		<property name="dialect">NHibernate.Dialect.SybaseSQLAnywhere12Dialect</property>
+		<property name="dialect">NHibernate.Dialect.SapSQLAnywhere17Dialect</property>
 		<property name="query.substitutions">true=1;false=0</property>
 	</session-factory>
 </hibernate-configuration>