stackoom
  简体   繁体   中英

Select command has truncated parameter when called from webpage

 原文  2016-05-30 08:24:52       c#/ tsql/ select

Question

SQL Server profiler output when called by the website: 

exec sp_executesql N'SELECT top 1 [id],[salt] FROM dbo.[Users] 
                                                    WHERE recoveryCode = @recoveryCode and DATEDIFF(HOUR, [recoveryDateTime],  GETDATE())  < 25',N'@recoveryCode nvarchar(30)',@recoveryCode=N'�

The parameter at the end of the line is truncated. Why did that happen?

If I execute the command from the dev environment, everything works fine.

SQL Server profiler output for the working code: 

exec sp_executesql N'SELECT top 1 [id],[salt] FROM dbo.[Users] 
                                                    WHERE recoveryCode = @recoveryCode and DATEDIFF(HOUR, [recoveryDateTime],  GETDATE())  < 25',N'@recoveryCode nvarchar(29)',@recoveryCode=N'&c26އ�]LwIǔ�lݓ&^�`;�4���sD�'

Both calls are directed toward the same database. The first one from my local environment, the second one from an azure webpage.

This is the C# code doing the call: 

string HashVarchar = HashSHA256(Request.Params["random"]);

//get the user data.  
try
{
      SqlCommand cmd = new SqlCommand(@"SELECT top 1 [id],[salt] FROM dbo.[Users] 
                                                    WHERE recoveryCode = @recoveryCode and DATEDIFF(HOUR, [recoveryDateTime],  GETDATE())  < 25", conn);
      //recoveryCode = @hash, recoveryDateTime = GETDATE()
      cmd.Parameters.AddWithValue("recoveryCode", HashVarchar);

      try
      {
          conn.Open();
          SqlDataReader reader = cmd.ExecuteReader();

1 answers

solution1
 0  2016-05-30 09:59:44

The following is only a workaround. An explanation for the strange behaviour would be most welcome...

Putting everything in a stored procedure solved the problem: 

CREATE PROCEDURE [dbo].[getUserDataByRecoveryCode]
    @recoveryCode  nvarchar(64) 
AS
BEGIN
    /*
    exec [dbo].[getUserDataByRecoveryCode] @recoveryCode=N'7�,n�4_� Yctg|�� �^*�1����'
    */

    SELECT top 1 
        [id],
        [salt] 
    FROM dbo.[Users] 
    WHERE recoveryCode = @recoveryCode 
        and DATEDIFF(HOUR, [recoveryDateTime],  GETDATE())  < 25    
END

And the Call from C# 

string query = "[dbo].[getUserDataByRecoveryCode]";
SqlCommand cmd = new SqlCommand(query, conn);
cmd.CommandType = CommandType.StoredProcedure;

SqlParameter param1 = new SqlParameter();
param1.DbType = DbType.String;
param1.ParameterName = "@recoveryCode";
param1.Value = HashVarchar;
cmd.Parameters.Add(param1);


try
{
    conn.Open();
    SqlDataReader reader = cmd.ExecuteReader();

Doing this also allows to remove the rights to the sql user used to access the database by select commands: 

DENY SELECT ON dbo.Users TO exampleUser

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question truncated output parameter from executenonquery Select Command parameter issue How to execute Button Command with Parameter without providing the Parameter when called in the ViewModel? MSBuild uses .sln when called from PowerShell script but .csproj when called from command line Data is truncated from memory stream when reading Getting Checked property from CheckBox when Command is called in WPF What is this parameter that has a colon in C# called? Text from resource file has been truncated in a weird way Passing object type of parameter in a function called from Deleagte Command in WPF MVVM What is the parameter type for a generic function parameter when called from a base class with 'this'?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM