我们创建了用于查询Oracle数据库的WebAPI。 API接收ID的字符串数组作为输入参数。下面是我们正在使用的API控制器,但建议使用命令参数来避免SQLite注入。下面是我们使用使用命令参数避免SQL注入
public HttpResponseMessage Getdetails([FromUri] string[] id)
{
string connStr = ConfigurationManager.ConnectionStrings["ProDataConnection"].ConnectionString;
using (OracleConnection dbconn = new OracleConnection(connStr))
{
var inconditions = id.Distinct().ToArray();
var srtcon = string.Join(",", inconditions);
DataSet userDataset = new DataSet();
var strQuery = @"SELECT * from STCD_PRIO_CATEGORY where STPR_STUDY.STD_REF IN(" + srtcon + ")";
using (OracleCommand selectCommand = new OracleCommand(strQuery, dbconn))
{
using (OracleDataAdapter adapter = new OracleDataAdapter(selectCommand))
{
DataTable selectResults = new DataTable();
adapter.Fill(selectResults);
var returnObject = new { data = selectResults };
var response = Request.CreateResponse(HttpStatusCode.OK, returnObject, MediaTypeHeaderValue.Parse("application/json"));
ContentDispositionHeaderValue contentDisposition = null;
if (ContentDispositionHeaderValue.TryParse("inline; filename=ProvantisStudyData.json", out contentDisposition))
{
response.Content.Headers.ContentDisposition = contentDisposition;
}
return response;
}
}
}
}
我试着用搜索引擎就这个问题和发现
var strQuery = @"SELECT * from STCD_PRIO_CATEGORY where STPR_STUDY.STD_REF IN(@strcon)";
using (OracleCommand selectCommand = new OracleCommand(strQuery, dbconn))
{
using (OracleDataAdapter adapter = new OracleDataAdapter(selectCommand))
{
adapter.SelectCommand.Parameters.Add("@strcon",strcon);
,我会被直接给予STRCON变量,其中我参加字符串数组的代码。我是新的C#和Asp.Net,非常感谢任何帮助。 谢谢
没有您使用IN参数的示例是错误的。这将创建一个独特的值的字符串,不能在单个参数中解析 – Steve
此链接显示几个选项:[http://stackoverflow.com/questions/541466/oracleparameter-and-in-clause](http://stackoverflowflow .com/questions/541466/oracleparameter-and-in-clause) –