How to make Nhibernate Case sensitive query using QueryOver?

Asked 21/5, 2014 at 12:37 Answered 23/5, 2014 at 9:7

I have a simple database with users table, it have simple admin user with

UserName= "Admin"
Password="admin"

I am using NHibernate to query over this table to login form. Suppose the login form inserted UserName="ADMIN" and password="ADMIN" both in upper case.

The system should not allow login. However when I use the query like this

using (var session = NhibernateHelper.OpenSession())
{
  return new List<User>
         (session.QueryOver<User>()
                 .Where(u => u.UserName == userName)
                 .And(u => u.Password == password)
                 .Future());
}}

The system ignores the case sensitivity and selects the user. So how can I make case sensitive query?

Plight answered 21/5, 2014 at 12:37 Comment(1)

See also https://mcmap.net/q/1713895/-cannot-compare-strings-during-nhibernate-queryover-lt-t-gt (which is doing the opposite - forcing an insensitive comparison) – Juta 14/7, 2015 at 11:1

We can specify COLLATE directly as a part of SQL column evaluation

session
    .QueryOver<User>()
    // expecting that user name could be any case 
    // if not, we can use the same as for password below
    .Where(u => u.UserName == userName)
    // instead of this
    //.And(u => u.Password == password)
    .And(Expression.Sql(" Password = ? COLLATE Latin1_General_CS_AS"
       , password, NHibernateUtil.String));
    .Future()
    ;

The above statement will use Latin1_General_CS_AS where CS means: Case sensitive and AS means Accent sensitive

Also, there is some draft of a custom LikeExpression, which could consume the COLLATE string as a const or from setting:

Nhibernate QueryOver collation without hard coded column name

Underfoot answered 21/5, 2014 at 13:14 Comment(6)

isn't there any extension method to do this ? – Plight 21/5, 2014 at 13:42

Well, in this case, as far as I know - no. But it is easy to introduce new, custom one ;) I'd say. – Brogan 21/5, 2014 at 13:44

I am new to Nhibernate, can you please suggest reference on how to create custom one ? Thanks – Plight 21/5, 2014 at 13:47

Extension methods are not about NHibernate!!! ;) these are C# world! stackoverflow.com/questions/13840413 this link contains a draft how to do nice extension ;) – Brogan 21/5, 2014 at 13:52

So, does my answer helped you? did you manage to get case sensitive (CA) comparison? – Brogan 23/5, 2014 at 4:36

.And(Expression.Sql(" Password = ? COLLATE Latin1_General_CS_AS" , password, NHibernateUtil.String)); is not supported by Mysql. – Leveroni 8/8, 2016 at 7:24

-1

Another approach, not with QueryOver, but LINQ:

session.Query<User>().Where(u => SqlMethods.Like(u.Username, "something")).ToList();

Maggs answered 23/5, 2014 at 9:5 Comment(2)

Like has very different comparison semantics to equals, and this brings a whole set of security concerns into play – Juta 14/7, 2015 at 10:32

Depending on how the database is set up, this may not yield a case sensitive comparison. – Batholith 11/3, 2016 at 15:40

-1

Or, with Criteria:

session.CreateCriteria(typeof(User), "u").Add(Restrictions.Like(Projections.Property("u.Username"), "something")).List<Username>();

Maggs answered 23/5, 2014 at 9:6 Comment(5)

Like has very different comparison semantics to equals, and this brings a whole set of security concerns into play – Juta 14/7, 2015 at 10:31

If my username I submit is e.g. Ad%, then I'll know if you have a (single) user called Admin or Administrator. This general approach can enable nay amount of user enumeration – Juta 14/7, 2015 at 10:56

Does that explain it sufficiently? – Juta 15/7, 2015 at 7:56

It was irony. Your answer is nothing but common sense, and only partial (no mention of indexes, for example). – Maggs 15/7, 2015 at 10:40

Security issues are not ironic. For me indexing is very far behind that in terms of relevance. While you might be familiar with the tradeoffs and realise the validity of the concern, responding in this manner (be it ironic, passive agressive or genuine inquiry) does not help people coming across these answers and taking them at face value. Caveat emptor indeed :) – Juta 15/7, 2015 at 13:9

-1

Finally, QueryOver:

session.QueryOver<User>().Where(Expression.Sql("Username LIKE ?", "something", NHibernateUtil.String)).List<User>()

Maggs answered 23/5, 2014 at 9:7 Comment(1)

Like has very different comparison semantics to equals, and this brings a whole set of security concerns into play – Juta 14/7, 2015 at 10:31

Recommended topics

Hot tags