[英]Upper Function Input parameter in Oracle
I try to prevent SQL injection in SQL query. 我试图防止SQL查询中的SQL注入。 I used following code to do it but unfortunately I faced some problem.
我使用下面的代码来执行此操作,但不幸的是我遇到了一些问题。 The query is not running in oracle DB:
该查询未在oracle DB中运行:
strQuery = @"SELECT PASSWORD FROM IBK_USERS where upper(user_id) =upper(:UserPrefix) AND user_suffix=:UserSufix AND STATUS_CODE='1'";
//strQuery = @"SELECT PASSWORD FROM IBK_CO_USERS where user_id = '" + UserPrefix + "' AND user_suffix='" + UserSufix + "' AND STATUS_CODE='1'";
try
{
ocommand = new OracleCommand();
if (db.GetConnection().State == ConnectionState.Open)
{
ocommand.CommandText = strQuery;
ocommand.Connection = db.GetConnection();
ocommand.Parameters.Add(":UserSufix", OracleDbType.Varchar2,ParameterDirection.Input);
ocommand.Parameters[":UserSufix"].Value = UserSufix;
ocommand.Parameters.Add(":UserPrefix", OracleDbType.Varchar2,ParameterDirection.Input);
ocommand.Parameters[":UserPrefix"].Value = UserPrefix.ToUpper();
odatareader = ocommand.ExecuteReader();
odatareader.Read();
if (odatareader.HasRows)
{
Your parameters shouldn't contain the semicolon :
. 您的参数不应包含分号
:
。 This is just an indicator in your query that the variable that follows is a parameter, but you don't have to supply that on the .NET side: 这只是查询中的一个指示符,表明后面的变量是一个参数,但是您不必在.NET端提供它:
ocommand.Parameters["UserSufix"] = ...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.