Change to a parameterized Oracle query

Time: 2016-07-22 19:53:53

Tags: c# asp.net asp.net-mvc asp.net-web-api parameterized-query

I use the following code to connect to an Oracle database and return a JSON result. But the code below seems to have problems like SQL injection; how can I change the current code to be parameterized? Do I just use OracleCommand?
 using System.Linq;
 using System.Web.Http;
 using Dapper;                               // provides the Query<T> extension used below
 using Newtonsoft.Json;
 using Oracle.ManagedDataAccess.Client;

 public class SampleController : ApiController
 {
     // Takes an array of ids: the method was declared with "int id" but then
     // called id.Distinct(), which only compiles on a collection.
     public string Getdetails(int[] id)
     {
         using (var dbConn = new OracleConnection("DATA SOURCE=h;PASSWORD=C;PERSIST SECURITY INFO=True;USER ID=T"))
         {
             var inconditions = id.Distinct().ToArray();
             var srtcon = string.Join(",", inconditions);
             dbConn.Open();
             // The values are concatenated straight into the SQL text; this is
             // the injection concern the question asks about.
             var strQuery = @"SELECT PRIO_CATEGORY_ID AS PRIO, LANG_ID AS LANG, REC_DATE AS REC, REC_USER AS RECUSER, DESCR, COL_DESCR AS COL, ROW_DESCR AS DROW, ABBR FROM STCD_PRIO_CATEGORY_DESCR WHERE REC_USER IN (" + srtcon + ")";
             var queryResult = dbConn.Query<SamModel>(strQuery);
             return JsonConvert.SerializeObject(queryResult);
         }
     }
 }

1 answer:

Answer 0 (score: 1)

You should try this idea, setting parameters on the command:

using System.Data;
using System.Data.SqlClient;

{{1}}
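The answer's idea, one bound parameter per IN value, carried through for the question's query. This is an added example, not the answer's own code; it assumes the Oracle.ManagedDataAccess.Client provider, Newtonsoft.Json, and a SamModel with properties matching the selected columns.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Newtonsoft.Json;
using Oracle.ManagedDataAccess.Client;

public class SamModel
{
    public int Prio { get; set; }
    public string Lang { get; set; }
    public DateTime? Rec { get; set; }
    public string RecUser { get; set; }
    public string Descr { get; set; }
}

public static class PrioCategoryQuery
{
    // Builds "IN (:p0, :p1, ...)" and binds each id as an OracleParameter, so the
    // caller's values never become part of the SQL text.
    public static string GetDetailsJson(string connectionString, IEnumerable<int> ids)
    {
        var values = ids.Distinct().ToArray();
        if (values.Length == 0) return "[]";          // "IN ()" is invalid SQL in Oracle

        var names = values.Select((_, i) => "p" + i).ToArray();
        var sql = "SELECT PRIO_CATEGORY_ID AS PRIO, LANG_ID AS LANG, REC_DATE AS REC, " +
                  "REC_USER AS RECUSER, DESCR FROM STCD_PRIO_CATEGORY_DESCR " +
                  "WHERE REC_USER IN (" + string.Join(", ", names.Select(n => ":" + n)) + ")";

        using (var conn = new OracleConnection(connectionString))
        using (var cmd = new OracleCommand(sql, conn))
        {
            cmd.BindByName = true;   // ODP.NET binds by position unless told otherwise
            for (int i = 0; i < values.Length; i++)
                cmd.Parameters.Add(new OracleParameter(names[i], OracleDbType.Int32) { Value = values[i] });

            conn.Open();
            var rows = new List<SamModel>();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    rows.Add(new SamModel
                    {
                        Prio = Convert.ToInt32(reader["PRIO"]),
                        Lang = reader["LANG"] as string,
                        Rec = reader.IsDBNull(reader.GetOrdinal("REC")) ? (DateTime?)null : reader.GetDateTime(reader.GetOrdinal("REC")),
                        RecUser = reader["RECUSER"] as string,
                        Descr = reader["DESCR"] as string
                    });
            }
            return JsonConvert.SerializeObject(rows);
        }
    }
}
```

Oracle rejects an IN list with more than 1000 expressions (ORA-01795), so for large id sets pass the values through a temporary table or a collection type instead of growing the parameter list.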