我們創建了用於查詢Oracle數據庫的WebAPI。 API接收ID的字符串數組作爲輸入參數。下面是我們正在使用的API控制器,但建議使用命令參數來避免SQLite注入。下面是我們使用使用命令參數避免SQL注入
public HttpResponseMessage Getdetails([FromUri] string[] id)
{
string connStr = ConfigurationManager.ConnectionStrings["ProDataConnection"].ConnectionString;
using (OracleConnection dbconn = new OracleConnection(connStr))
{
var inconditions = id.Distinct().ToArray();
var srtcon = string.Join(",", inconditions);
DataSet userDataset = new DataSet();
var strQuery = @"SELECT * from STCD_PRIO_CATEGORY where STPR_STUDY.STD_REF IN(" + srtcon + ")";
using (OracleCommand selectCommand = new OracleCommand(strQuery, dbconn))
{
using (OracleDataAdapter adapter = new OracleDataAdapter(selectCommand))
{
DataTable selectResults = new DataTable();
adapter.Fill(selectResults);
var returnObject = new { data = selectResults };
var response = Request.CreateResponse(HttpStatusCode.OK, returnObject, MediaTypeHeaderValue.Parse("application/json"));
ContentDispositionHeaderValue contentDisposition = null;
if (ContentDispositionHeaderValue.TryParse("inline; filename=ProvantisStudyData.json", out contentDisposition))
{
response.Content.Headers.ContentDisposition = contentDisposition;
}
return response;
}
}
}
}
我試着用搜索引擎就這個問題和發現
var strQuery = @"SELECT * from STCD_PRIO_CATEGORY where STPR_STUDY.STD_REF IN(@strcon)";
using (OracleCommand selectCommand = new OracleCommand(strQuery, dbconn))
{
using (OracleDataAdapter adapter = new OracleDataAdapter(selectCommand))
{
adapter.SelectCommand.Parameters.Add("@strcon",strcon);
,我會被直接給予STRCON變量,其中我參加字符串數組的代碼。我是新的C#和Asp.Net,非常感謝任何幫助。 謝謝
沒有您使用IN參數的示例是錯誤的。這將創建一個獨特的值的字符串,不能在單個參數中解析 – Steve
此鏈接顯示幾個選項:[http://stackoverflow.com/questions/541466/oracleparameter-and-in-clause](http://stackoverflowflow .com/questions/541466/oracleparameter-and-in-clause) –