Using command parameters to avoid SQL injection

Time: 2016-08-03 21:54:38

Tags: c# asp.net asp.net-mvc asp.net-web-api

We created a WebAPI for querying an Oracle database. The API receives a string array of IDs as its input parameter. Below is the API controller we are using, but it was suggested that we use command parameters to avoid SQL injection. Here is the code we are using:

public HttpResponseMessage Getdetails([FromUri] string[] id)
{
    string connStr = ConfigurationManager.ConnectionStrings["ProDataConnection"].ConnectionString;
    using (OracleConnection dbconn = new OracleConnection(connStr))
    {
        var inconditions = id.Distinct().ToArray();
        var srtcon = string.Join(",", inconditions);
        DataSet userDataset = new DataSet();
        // The request values are concatenated straight into the SQL text here
        var strQuery = @"SELECT * from STCD_PRIO_CATEGORY where STPR_STUDY.STD_REF IN(" + srtcon + ")";
        using (OracleCommand selectCommand = new OracleCommand(strQuery, dbconn))
        {
            using (OracleDataAdapter adapter = new OracleDataAdapter(selectCommand))
            {
                DataTable selectResults = new DataTable();
                adapter.Fill(selectResults);
                var returnObject = new { data = selectResults };
                var response = Request.CreateResponse(HttpStatusCode.OK, returnObject, MediaTypeHeaderValue.Parse("application/json"));
                ContentDispositionHeaderValue contentDisposition = null;

                if (ContentDispositionHeaderValue.TryParse("inline; filename=ProvantisStudyData.json", out contentDisposition))
                {
                    response.Content.Headers.ContentDisposition = contentDisposition;
                }

                return response;
            }
        }
    }
}

I tried searching on Google and found this:

var strQuery = @"SELECT * from STCD_PRIO_CATEGORY where STPR_STUDY.STD_REF IN(@strcon)";
using (OracleCommand selectCommand = new OracleCommand(strQuery, dbconn))
{
    using (OracleDataAdapter adapter = new OracleDataAdapter(selectCommand))
    {
        adapter.SelectCommand.Parameters.Add("@strcon", strcon);

Should I directly pass the strcon variable, which I joined from the string array? I am new to C# and ASP.NET, any help is greatly appreciated. Thanks

1 answer:

Answer 0 (score: 1)

As I explained in the comment, you cannot create a single parameter for the IN clause holding all the required values separated by commas. That creates a single string value, not a list of IDs to search for in the STD_REF field. Instead, you need a longer approach that creates a distinct parameter for each value and prepares the IN clause correctly:

List<OracleParameter> prms = new List<OracleParameter>();
var strQuery = @"SELECT * from STCD_PRIO_CATEGORY 
                 where STPR_STUDY.STD_REF IN(";

// Create a list of parameters and prepare the placeholders for the IN
StringBuilder sb = new StringBuilder(strQuery);
for (int x = 0; x < inconditions.Length; x++)
{
    // Placeholder
    sb.Append(":p" + x + ",");

    // Parameter
    OracleParameter p = new OracleParameter(":p" + x, OracleType.Int32);
    p.Value = inconditions[x];
    prms.Add(p);
}

// Remove the last comma
if (sb.Length > 0) sb.Length--;
// Prepare the correct IN clause
strQuery = sb.ToString() + ")";

using (OracleCommand selectCommand = new OracleCommand(strQuery, dbconn))
{
    // Add the whole set of parameters
    selectCommand.Parameters.AddRange(prms.ToArray());
    using (OracleDataAdapter adapter = new OracleDataAdapter(selectCommand))
    {
        DataTable selectResults = new DataTable();
        adapter.Fill(selectResults);
        .....
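The same one-parameter-per-value technique, written as an added example that is not part of the question or the answer above. It is provider-agnostic (built on `IDbConnection`/`IDbCommand` rather than a specific Oracle client), so it assumes the provider accepts `:name` placeholders the way the answer's Oracle code does; the table and column names are the ones from the page, and the `InClauseBuilder` class and `Build` method are names chosen here. It also covers two failure modes the answer's loop leaves open: an empty ID list, which would otherwise yield `IN ()` and a syntax error, and a non-numeric ID, which is rejected before any SQL is built.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Linq;
using System.Text;

// Added example, not the answer's code. Builds a parameterized IN (...) clause
// through the generic ADO.NET interfaces; assumes ":pN" style placeholders.
public static class InClauseBuilder
{
    private const string BaseSql =
        "SELECT * FROM STCD_PRIO_CATEGORY WHERE STPR_STUDY.STD_REF IN (";

    // Every distinct id becomes its own parameter. Only the placeholder names,
    // which this code generates, are ever spliced into the SQL text; the
    // request-supplied values travel out of band as parameter values.
    public static IDbCommand Build(IDbConnection conn, IEnumerable<string> rawIds)
    {
        if (conn == null) throw new ArgumentNullException(nameof(conn));
        if (rawIds == null) throw new ArgumentNullException(nameof(rawIds));

        // Validate up front: STD_REF is compared as an integer in the answer,
        // so anything that is not an integer is rejected with a clear error
        // instead of being handed to the database.
        var ids = new List<int>();
        foreach (var raw in rawIds)
        {
            if (!int.TryParse(raw, out int n))
                throw new ArgumentException("id is not an integer: " + raw);
            ids.Add(n);
        }
        var distinct = ids.Distinct().ToArray();

        var cmd = conn.CreateCommand();

        // Edge case: an empty IN list is a syntax error, so emit a predicate
        // that is always false and return no rows.
        if (distinct.Length == 0)
        {
            cmd.CommandText = "SELECT * FROM STCD_PRIO_CATEGORY WHERE 1 = 0";
            return cmd;
        }

        var sql = new StringBuilder(BaseSql);
        for (int i = 0; i < distinct.Length; i++)
        {
            string name = ":p" + i;           // generated name, never user input
            if (i > 0) sql.Append(", ");
            sql.Append(name);

            IDbDataParameter p = cmd.CreateParameter();
            p.ParameterName = name;
            p.DbType = DbType.Int32;
            p.Value = distinct[i];
            cmd.Parameters.Add(p);
        }
        sql.Append(')');

        cmd.CommandText = sql.ToString();
        return cmd;
    }
}
```

For the constructed input `new[] { "1", "2", "2" }` the resulting `CommandText` is `SELECT * FROM STCD_PRIO_CATEGORY WHERE STPR_STUDY.STD_REF IN (:p0, :p1)` with two `Int32` parameters, so a value such as `1) OR 1=1 --` never reaches the query text at all: it fails the integer parse, and even a value that did parse would only ever be bound as a parameter. One Oracle-specific caveat remains: Oracle limits an IN list to 1000 expressions (ORA-01795), so very long ID arrays need to be batched or loaded into a temporary table rather than bound as one list.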