Question
Firstly I tried using the following code:

```csharp
// Original (vulnerable) version: the user-supplied value is concatenated into the SQL text.
strQuery = @"SELECT PASSWORD FROM IBK_USERS where upper(user_id) =upper('" + UserPrefix + "')";
try
{
    ocommand = new OracleCommand();
    if (db.GetConnection().State == ConnectionState.Open)
    {
        ocommand.CommandText = strQuery;
        ocommand.Connection = db.GetConnection();
        odatareader = ocommand.ExecuteReader();
        odatareader.Read();
```
And finally I converted the above query to prevent SQL injection like this:

```csharp
// Parameterised version: the value is passed as a bind variable instead of being concatenated.
strQuery = @"SELECT PASSWORD FROM IBK_USERS where upper(user_id) =upper(:UserPrefix)";
try
{
    ocommand = new OracleCommand();
    if (db.GetConnection().State == ConnectionState.Open)
    {
        ocommand.CommandText = strQuery;
        ocommand.Connection = db.GetConnection();
        ocommand.Parameters.Add(":UserPrefix", OracleDbType.Varchar2, ParameterDirection.Input);
        ocommand.Parameters[":UserPrefix"].Value = UserPrefix;
        odatareader = ocommand.ExecuteReader();
```

But this is not working.
Answer 1:
Remove the colon in front of the parameter name. So instead of...

```csharp
ocommand.Parameters.Add(":UserPrefix", ...);
```

...do this...

```csharp
ocommand.Parameters.Add("UserPrefix", ...);
```

Ditto for setting the parameter value.
Not directly related to your question: using upper(user_id) in the WHERE clause may require a function-based index to run efficiently. Also, does the user_id really need to be a string - can't you just make it an integer?
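The same lookup written as a complete parameterised method, as an added example that is not the asker's or the answerer's code. It assumes the ODP.NET managed driver namespace (`Oracle.ManagedDataAccess.Client`) and a hypothetical `UserLookup` class; the table and column names are the ones from the question. The colon is left out of the parameter name, `BindByName` is set so the bind is matched by name rather than by position, and the command is disposed with `using`.

```csharp
using System;
using System.Data;
using Oracle.ManagedDataAccess.Client; // assumed driver; the question's code uses the ODP.NET OracleCommand API

// Hypothetical helper class, not part of the original question or answer.
public static class UserLookup
{
    // Returns the PASSWORD column for the given user prefix, or null when no row matches.
    public static string GetStoredPassword(OracleConnection conn, string userPrefix)
    {
        // The bind variable appears with a colon in the SQL text only.
        const string sql =
            "SELECT PASSWORD FROM IBK_USERS WHERE UPPER(user_id) = UPPER(:UserPrefix)";

        using (var cmd = new OracleCommand(sql, conn))
        {
            // ODP.NET binds by position unless told otherwise; bind by name so the
            // parameter is matched to :UserPrefix regardless of ordering.
            cmd.BindByName = true;

            // Parameter name without the leading colon; the value is never spliced into the SQL.
            cmd.Parameters.Add("UserPrefix", OracleDbType.Varchar2, 100).Value = userPrefix;

            object result = cmd.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? null : (string)result;
        }
    }
}
```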
Source: https://stackoverflow.com/questions/24013561/prevent-sql-injection-in-oracle