使用命令参数的Web API不返回任何数据
用于查询oracle数据库的Web API,它接收字符串数组作为输入参数。 我试图使用命令参数来避免SqL注入,但下面的代码不会抛出任何错误,但不会给出结果。
public class PDataController : ApiController { public HttpResponseMessage Getdetails([FromUri] string[] id) { List prms = new List(); string connStr = ConfigurationManager.ConnectionStrings["PDataConn"].ConnectionString; using (OracleConnection dbconn = new OracleConnection(connStr)) { var inconditions = id.Distinct().ToArray(); var srtcon = string.Join(",", inconditions); DataSet userDataset = new Dataset(); var strQuer = @"SELECT STCD_PRIO_CATEGORY_DESCR.DESCR AS CATEGORY, STCD_PRIO_CATEGORY_DESCR.SESSION_NUM AS SESSION_NUMBER, Trunc(STCD_PRIO_CATEGORY_DESCR.START_DATE) AS SESSION_START_DATE, STCD_PRIO_CATEGORY_DESCR.START_DATE AS SESSION_START_TIME FROM STCD_PRIO_CATEGORY_DESCR WHERE STCD_PRIO_CATEGORY_DESCR.STD_REF("; StringBuilder sb = new StringBuilder(strQuery); for(int x = 0; x 0) sb.Length--; strQuery = strQuery + sb.ToString() + ")"; using (OracleCommand selectCommand = new OracleCommand(strQuery, dbconn)) { selectCommand.Parameters.AddRange(prms.ToArray()); using (OracleDataAdapter adapter = new OracleDataAdapter(selectCommand)) { DataTable selectResults = new DataTable(); adapter.Fill(selectResults); var returnObject = new { data = selectResults }; var response = Request.CreateResponse(HttpStatusCode.OK, returnObject, MediaTypeHeaderValue.Parse("application/json")); ContentDispositionHeaderValue contentDisposition = null; if (ContentDispositionHeaderValue.TryParse("inline; filename=ProvantisStudyData.json", out contentDisposition)) { response.Content.Headers.ContentDisposition = contentDisposition; } return response; } } } } } 下面是我在selectCommand的commandText中调试时得到的内容
"SELECT \r\n STCD_PRIO_CATEGORY_DESCR.DESCR AS CATEGORY, \r\n STCD_PRIO_CATEGORY_DESCR.SESSION_NUM AS SESSION_NUMBER, \r\n Trunc(STCD_PRIO_CATEGORY_DESCR.START_DATE) AS SESSION_START_DATE, \r\n STCD_PRIO_CATEGORY_DESCR.START_DATE AS SESSION_START_TIME \r\n FROM \r\n STCD_PRIO_CATEGORY_DESCR \r\n WHERE \r\n STCD_PRIO_CATEGORY_DESCR.STD_REF IN(SELECT \r\n STCD_PRIO_CATEGORY_DESCR.DESCR AS CATEGORY, \r\n STCD_PRIO_CATEGORY_DESCR.SESSION_NUM AS SESSION_NUMBER, \r\n Trunc(STCD_PRIO_CATEGORY_DESCR.START_DATE) AS SESSION_START_DATE, \r\n STCD_PRIO_CATEGORY_DESCR.START_DATE AS SESSION_START_TIME \r\n FROM \r\n STCD_PRIO_CATEGORY_DESCR \r\n WHERE \r\n STCD_PRIO_CATEGORY_DESCR.STD_REF IN(:p0)"
因为我现在给
strQuery = strQuery+ sb.ToString() + ")";
选择正在重复。 但是,如果我只是给
strQuery = sb.ToString() + ")";
而调试时的strQuery是
SELECT \r\n STCD_PRIO_CATEGORY_DESCR.DESCR AS CATEGORY, \r\n STCD_PRIO_CATEGORY_DESCR.SESSION_NUM AS SESSION_NUMBER, \r\n Trunc(STCD_PRIO_CATEGORY_DESCR.START_DATE) AS SESSION_START_DATE, \r\n STCD_PRIO_CATEGORY_DESCR.START_DATE AS SESSION_START_TIME \r\n FROM \r\n STCD_PRIO_CATEGORY_DESCR \r\n WHERE \r\n STCD_PRIO_CATEGORY_DESCR.STD_REF IN(:p0)
我得到的回报是
{"data":[]}
我应该将p0括在”中,因为我们收到的输入是字符串数组。
但是当我在SQL开发人员中尝试获取记录时,相同的ID。 任何帮助是极大的赞赏。
从与OP的聊天结果发现,OP在数组参数ID周围添加了单引号。 从以这种方式格式化的查询字符串接收的值
http:// localhost:80/api/PData?id='JW217T_01'
这是尝试传递一个字符串作为参数值。
但是,如果您使用参数并指定其数据类型(NVarChar2),那么数据库引擎就足够了解该值以自行执行正确的引用,因此参数的值不应该包含单引号。
将查询字符串的格式更改为
http:// localhost:80/api/PData?id=JW217T_01
解决了这个问题