使用命令参数的Web API未返回任何数据
用于查询oracle数据库的Web API,该数据库接收字符串数组作为输入参数。我试图使用命令参数来避免SqL注入,但下面的代码不会抛出任何错误,但不会给出结果。
public class PDataController : ApiController
{
public HttpResponseMessage Getdetails([FromUri] string[] id)
{
List<OracleParameter> prms = new List<OracleParameter>();
string connStr = ConfigurationManager.ConnectionStrings["PDataConn"].ConnectionString;
using (OracleConnection dbconn = new OracleConnection(connStr))
{
var inconditions = id.Distinct().ToArray();
var srtcon = string.Join(",", inconditions);
DataSet userDataset = new Dataset();
var strQuer = @"SELECT STCD_PRIO_CATEGORY_DESCR.DESCR AS CATEGORY,
STCD_PRIO_CATEGORY_DESCR.SESSION_NUM AS SESSION_NUMBER,
Trunc(STCD_PRIO_CATEGORY_DESCR.START_DATE) AS SESSION_START_DATE,
STCD_PRIO_CATEGORY_DESCR.START_DATE AS SESSION_START_TIME
FROM STCD_PRIO_CATEGORY_DESCR
WHERE STCD_PRIO_CATEGORY_DESCR.STD_REF(";
StringBuilder sb = new StringBuilder(strQuery);
for(int x = 0; x < inconditions.Length; x++)
{
sb.Append(":p" + x + ",");
OracleParameter p = new OracleParameter(":p" + x,OracleDbType.NVarchar2 );
p.Value = inconditions[x];
prms.Add(p);
}
if(sb.Length > 0) sb.Length--;
strQuery = strQuery + sb.ToString() + ")";
using (OracleCommand selectCommand = new OracleCommand(strQuery, dbconn))
{
selectCommand.Parameters.AddRange(prms.ToArray());
using (OracleDataAdapter adapter = new OracleDataAdapter(selectCommand))
{
DataTable selectResults = new DataTable();
adapter.Fill(selectResults);
var returnObject = new { data = selectResults };
var response = Request.CreateResponse(HttpStatusCode.OK, returnObject, MediaTypeHeaderValue.Parse("application/json"));
ContentDispositionHeaderValue contentDisposition = null;
if (ContentDispositionHeaderValue.TryParse("inline; filename=ProvantisStudyData.json", out contentDisposition))
{
response.Content.Headers.ContentDisposition = contentDisposition;
}
return response;
}
}
}
}
}
以下是我在selectCommand
的commandText中调试时得到的内容"SELECT \r\n STCD_PRIO_CATEGORY_DESCR.DESCR AS CATEGORY, \r\n
STCD_PRIO_CATEGORY_DESCR.SESSION_NUM AS SESSION_NUMBER, \r\n
Trunc(STCD_PRIO_CATEGORY_DESCR.START_DATE) AS SESSION_START_DATE, \r\n
STCD_PRIO_CATEGORY_DESCR.START_DATE AS SESSION_START_TIME \r\n
FROM \r\n
STCD_PRIO_CATEGORY_DESCR \r\n
WHERE \r\n
STCD_PRIO_CATEGORY_DESCR.STD_REF IN(SELECT \r\n
STCD_PRIO_CATEGORY_DESCR.DESCR AS CATEGORY, \r\n
STCD_PRIO_CATEGORY_DESCR.SESSION_NUM AS SESSION_NUMBER, \r\n
Trunc(STCD_PRIO_CATEGORY_DESCR.START_DATE) AS SESSION_START_DATE, \r\n
STCD_PRIO_CATEGORY_DESCR.START_DATE AS SESSION_START_TIME \r\n
FROM \r\n
STCD_PRIO_CATEGORY_DESCR \r\n
WHERE \r\n
STCD_PRIO_CATEGORY_DESCR.STD_REF IN(:p0)"
因为我现在正在给予
strQuery = strQuery+ sb.ToString() + ")";
正在重复选择。但是,如果我只是给予
strQuery = sb.ToString() + ")";
而调试时的strQuery是
SELECT \r\n STCD_PRIO_CATEGORY_DESCR.DESCR AS CATEGORY, \r\n
STCD_PRIO_CATEGORY_DESCR.SESSION_NUM AS SESSION_NUMBER, \r\n
Trunc(STCD_PRIO_CATEGORY_DESCR.START_DATE) AS SESSION_START_DATE, \r\n
STCD_PRIO_CATEGORY_DESCR.START_DATE AS SESSION_START_TIME \r\n
FROM \r\n
STCD_PRIO_CATEGORY_DESCR \r\n
WHERE \r\n
STCD_PRIO_CATEGORY_DESCR.STD_REF IN(:p0)
我得到的回报是
{"data":[]}
我应该将p0括在''中,因为我们收到的输入是字符串数组。
但是当我在SQL开发人员中尝试获取记录时,使用相同的ID。非常感谢任何帮助。
1 个答案:
答案 0 :(得分:1)
从与OP的聊天结果发现,OP在数组参数ID周围添加了单引号。从以这种方式格式化的查询字符串接收的值
http:// localhost:80/api/PData?id='JW217T_01'
这是尝试传递一个字符串作为参数值。
但是,如果您使用参数并指定其数据类型(NVarChar2),那么数据库引擎就足够了解该值以自行执行正确的引用,因此参数的值不应该包含单引号。
将查询字符串的格式更改为
http:// localhost:80/api/PData?id=JW217T_01
解决了问题
相关问题
最新问题
- 我写了这段代码,但我无法理解我的错误
- 我无法从一个代码实例的列表中删除 None 值,但我可以在另一个实例中。为什么它适用于一个细分市场而不适用于另一个细分市场?
- 是否有可能使 loadstring 不可能等于打印?卢阿
- java中的random.expovariate()
- Appscript 通过会议在 Google 日历中发送电子邮件和创建活动
- 为什么我的 Onclick 箭头功能在 React 中不起作用?
- 在此代码中是否有使用“this”的替代方法?
- 在 SQL Server 和 PostgreSQL 上查询,我如何从第一个表获得第二个表的可视化
- 每千个数字得到
- 更新了城市边界 KML 文件的来源?