更改为参数化 Oracle 查询

Changing to a Parameterized Oracle query

我使用以下代码连接到 Oracle 数据库并返回 JSON 结果。但是下面的代码似乎有 sql 注入之类的问题,如何将它们作为当前代码更改为参数化。我只是 OracleCommand

 public class SampleController : ApiController
  {
     public string Getdetails( int id) 
     {
       using (var dbConn = new OracleConnection("DATA SOURCE=h;PASSWORD=C;PERSIST SECURITY INFO=True;USER ID=T"))
       {

            var inconditions = id.Distinct().ToArray();
            var srtcon = string.Join(",",inconditions);
            dbConn.Open();
            var strQuery = @"SELECT PRIO_CATEGORY_ID AS PRIO, LANG_ID AS LANG, REC_DATE AS REC, REC_USER AS RECUSER, DESCR, COL_DESCR AS COL, ROW_DESCR AS DROW, ABBR FROM STCD_PRIO_CATEGORY_DESCR WHERE REC_USER  IN ("+srtcon+")";
            var queryResult = dbConn.Query<SamModel>(strQuery);
            return JsonConvert.SerializeObject(queryResult); 
    }
 }

你应该试试这个想法,在命令中设置参数:

使用System.Data; 使用 System.Data.SqlClient;

using (SqlConnection connection = new SqlConnection(connectionString))
{
    DataSet userDataset = new DataSet();
    SqlDataAdapter myDataAdapter = new SqlDataAdapter(
        "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id", 
        connection);                
    myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
    myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
    myDataAdapter.Fill(userDataset);
}