更改为参数化 Oracle 查询
Changing to a Parameterized Oracle query
我使用以下代码连接到 Oracle 数据库并返回 JSON 结果。但是下面的代码似乎有 sql 注入之类的问题,如何将它们作为当前代码更改为参数化。我只是 OracleCommand
public class SampleController : ApiController
{
public string Getdetails( int id)
{
using (var dbConn = new OracleConnection("DATA SOURCE=h;PASSWORD=C;PERSIST SECURITY INFO=True;USER ID=T"))
{
var inconditions = id.Distinct().ToArray();
var srtcon = string.Join(",",inconditions);
dbConn.Open();
var strQuery = @"SELECT PRIO_CATEGORY_ID AS PRIO, LANG_ID AS LANG, REC_DATE AS REC, REC_USER AS RECUSER, DESCR, COL_DESCR AS COL, ROW_DESCR AS DROW, ABBR FROM STCD_PRIO_CATEGORY_DESCR WHERE REC_USER IN ("+srtcon+")";
var queryResult = dbConn.Query<SamModel>(strQuery);
return JsonConvert.SerializeObject(queryResult);
}
}
你应该试试这个想法,在命令中设置参数:
使用System.Data;
使用 System.Data.SqlClient;
using (SqlConnection connection = new SqlConnection(connectionString))
{
DataSet userDataset = new DataSet();
SqlDataAdapter myDataAdapter = new SqlDataAdapter(
"SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id",
connection);
myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
myDataAdapter.Fill(userDataset);
}
我使用以下代码连接到 Oracle 数据库并返回 JSON 结果。但是下面的代码似乎有 sql 注入之类的问题,如何将它们作为当前代码更改为参数化。我只是 OracleCommand
public class SampleController : ApiController
{
public string Getdetails( int id)
{
using (var dbConn = new OracleConnection("DATA SOURCE=h;PASSWORD=C;PERSIST SECURITY INFO=True;USER ID=T"))
{
var inconditions = id.Distinct().ToArray();
var srtcon = string.Join(",",inconditions);
dbConn.Open();
var strQuery = @"SELECT PRIO_CATEGORY_ID AS PRIO, LANG_ID AS LANG, REC_DATE AS REC, REC_USER AS RECUSER, DESCR, COL_DESCR AS COL, ROW_DESCR AS DROW, ABBR FROM STCD_PRIO_CATEGORY_DESCR WHERE REC_USER IN ("+srtcon+")";
var queryResult = dbConn.Query<SamModel>(strQuery);
return JsonConvert.SerializeObject(queryResult);
}
}
你应该试试这个想法,在命令中设置参数:
使用System.Data; 使用 System.Data.SqlClient;
using (SqlConnection connection = new SqlConnection(connectionString))
{
DataSet userDataset = new DataSet();
SqlDataAdapter myDataAdapter = new SqlDataAdapter(
"SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id",
connection);
myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
myDataAdapter.Fill(userDataset);
}