user4912134 user4912134 - 4 months ago 13
ASP.NET (C#) Question

Web API using command parameters is not returning any data

The web API to query the oracle database which receives the array of strings as an input parameter. I am trying to use the command parameters to avoid the SqL injection, but the below code does not throw any error but does not give the result.

public class PDataController : ApiController
{
public HttpResponseMessage Getdetails([FromUri] string[] id)
{

List<OracleParameter> prms = new List<OracleParameter>();
string connStr = ConfigurationManager.ConnectionStrings["PDataConn"].ConnectionString;
using (OracleConnection dbconn = new OracleConnection(connStr))
{
var inconditions = id.Distinct().ToArray();
var srtcon = string.Join(",", inconditions);
DataSet userDataset = new Dataset();
var strQuer = @"SELECT STCD_PRIO_CATEGORY_DESCR.DESCR AS CATEGORY,
STCD_PRIO_CATEGORY_DESCR.SESSION_NUM AS SESSION_NUMBER,
Trunc(STCD_PRIO_CATEGORY_DESCR.START_DATE) AS SESSION_START_DATE,
STCD_PRIO_CATEGORY_DESCR.START_DATE AS SESSION_START_TIME
FROM STCD_PRIO_CATEGORY_DESCR
WHERE STCD_PRIO_CATEGORY_DESCR.STD_REF(";
StringBuilder sb = new StringBuilder(strQuery);
for(int x = 0; x < inconditions.Length; x++)
{
sb.Append(":p" + x + ",");
OracleParameter p = new OracleParameter(":p" + x,OracleDbType.NVarchar2 );
p.Value = inconditions[x];
prms.Add(p);
}
if(sb.Length > 0) sb.Length--;
strQuery = strQuery + sb.ToString() + ")";
using (OracleCommand selectCommand = new OracleCommand(strQuery, dbconn))
{
selectCommand.Parameters.AddRange(prms.ToArray());
using (OracleDataAdapter adapter = new OracleDataAdapter(selectCommand))
{
DataTable selectResults = new DataTable();
adapter.Fill(selectResults);
var returnObject = new { data = selectResults };
var response = Request.CreateResponse(HttpStatusCode.OK, returnObject, MediaTypeHeaderValue.Parse("application/json"));
ContentDispositionHeaderValue contentDisposition = null;
if (ContentDispositionHeaderValue.TryParse("inline; filename=ProvantisStudyData.json", out contentDisposition))
{
response.Content.Headers.ContentDisposition = contentDisposition;
}
return response;
}
}

}
}
}


Below is what I am getting while debugging in commandText of selectCommand

"SELECT \r\n STCD_PRIO_CATEGORY_DESCR.DESCR AS CATEGORY, \r\n
STCD_PRIO_CATEGORY_DESCR.SESSION_NUM AS SESSION_NUMBER, \r\n
Trunc(STCD_PRIO_CATEGORY_DESCR.START_DATE) AS SESSION_START_DATE, \r\n
STCD_PRIO_CATEGORY_DESCR.START_DATE AS SESSION_START_TIME \r\n
FROM \r\n
STCD_PRIO_CATEGORY_DESCR \r\n
WHERE \r\n
STCD_PRIO_CATEGORY_DESCR.STD_REF IN(SELECT \r\n
STCD_PRIO_CATEGORY_DESCR.DESCR AS CATEGORY, \r\n
STCD_PRIO_CATEGORY_DESCR.SESSION_NUM AS SESSION_NUMBER, \r\n
Trunc(STCD_PRIO_CATEGORY_DESCR.START_DATE) AS SESSION_START_DATE, \r\n
STCD_PRIO_CATEGORY_DESCR.START_DATE AS SESSION_START_TIME \r\n
FROM \r\n
STCD_PRIO_CATEGORY_DESCR \r\n
WHERE \r\n
STCD_PRIO_CATEGORY_DESCR.STD_REF IN(:p0)"


Since I am giving currently

strQuery = strQuery+ sb.ToString() + ")";


The select is being repeated. But if I just give

strQuery = sb.ToString() + ")";


Whereas the strQuery while debugging is

SELECT \r\n STCD_PRIO_CATEGORY_DESCR.DESCR AS CATEGORY, \r\n
STCD_PRIO_CATEGORY_DESCR.SESSION_NUM AS SESSION_NUMBER, \r\n
Trunc(STCD_PRIO_CATEGORY_DESCR.START_DATE) AS SESSION_START_DATE, \r\n
STCD_PRIO_CATEGORY_DESCR.START_DATE AS SESSION_START_TIME \r\n
FROM \r\n
STCD_PRIO_CATEGORY_DESCR \r\n
WHERE \r\n
STCD_PRIO_CATEGORY_DESCR.STD_REF IN(:p0)


enter image description here

What I get in return is

{"data":[]}


Should I enclose p0 in '' because the input we receive is array of Strings.

But the same ID when i try in the SQL developer I am getting the records. any help is greatly appreciated.

Answer

From the chat with the OP it turned out that the OP added single quotes around the array parameter ID. The values where received from a query string formatted in this way

http:// localhost:80/api/PData?id='JW217T_01'

and this was an attempt to pass a string as the parameter value.

However if you use a parameter and specify its datatype (NVarChar2) then the database engine knows enough about the value to do the correct quoting by itself, so the values for the parameters should not have single quotes around them.

Changing the format of the querystring to

http:// localhost:80/api/PData?id=JW217T_01

fixed the problem

Comments