locked
Connecting to Oracle Database RRS feed

 > 

  • Question

  • Question
    Sign in to vote
    0
    Sign in to vote
    User-1689867599 posted

    Background:

    We have an Oracle 12c database used to support 3rd party vendor products. We are planning to develop a web application in .NET to connect to the Oracle database.

    I have reviewed the Quickstart video on the Oracle website. It looks like they suggests installing Oracle client, use ODP.NET to connect via EZConnect. This looks like the DB server information will be on the web.config file. Does this present any security risks? Also, does that mean installing Oracle client on the web server?

    Questions:

    Since I'm an Oracle DBA and not a .NET Developer at all, I thought I'll post here to pick the gurus' minds.

    1. What are the alternatives (if any) to the method mentioned above?
    2. Is there a better alternatives? What is common within the .NET community?

    Appreciates any information.

    Thank you.

    Thursday, May 31, 2018 1:48 PM

All replies

  • Question
    Sign in to vote
    0
    Sign in to vote
    User269602965 posted

    Encrypt the web config database credentials.

    https://msdn.microsoft.com/en-us/library/bb986855.aspx

    On Oracle side, control access with connection user and roles, ie. no direct access to data schema.

    The ODP.NET client will need installation on web server.  However since you are using Oracle 12c database, then look into the ODAC MANAGED DRIVER, which you can drop the driver AND client DLL combined in one DLL into your application /BIN folder along with TNSNAMES.ORA connection.  The older unmanaged driver is less portable, more prone to bit-ness and version issues.

    Prevent SQL Injection attack, use Oracle parameters and bind variables in SQL statements on both .NET side and PL/SQL package side.

    Friday, June 1, 2018 12:54 AM
  • Question
    Sign in to vote
    0
    Sign in to vote
    User36583972 posted


    Hi newbie2018,

    Since I'm an Oracle DBA and not a .NET Developer at all, I thought I'll post here to pick the gurus' minds.

    1. What are the alternatives (if any) to the method mentioned above?
    2. Is there a better alternatives? What is common within the .NET community?

    Appreciates any information.

    You can Building an ASP.NET Application with Oracle Developer Tools. You can refer the following ways.

    Oracle Developer Tools for Visual Studio provides an easy way to design data-driven web sites.

    ODP.NET enables ASP.NET data access.

    Oracle Providers for ASP.NET integrate directly with Microsoft ASP.NET controls and services to provide state management capabilities for web sites.

    The following tutorial demonstrates these features, including how to build a data-driven web application using Oracle Developer Tools and how to add security to that application in a simple manner using Oracle Providers for ASP.NET.

    Using ASP.NET with Oracle Database:

    Best Regards,

    Yong Lu

    Friday, June 1, 2018 5:40 AM
  • Question
    Sign in to vote
    0
    Sign in to vote
    User269602965 posted

    Examples:  Calling PL/SQL to get REFCURSOR back into a .NET data structure

    /* VB.NET code in ASP.NET application */

' Get data from stored procedure '
Try
	Dim connstr As String = ConfigurationManager.ConnectionStrings("{OracleConnectionStringNameFromWebConfig}").ConnectionString
	Using conn As New OracleConnection(connstr)
		Using cmd As New OracleCommand("{SCHEMANAME}.{PACKAGENAME}.rcGET_BIRD_DATA", conn)
			cmd.CommandType = CommandType.StoredProcedure
			cmd.Parameters.Clear()
			cmd.Parameters.Add("p_DATE_BAND", OracleDbType.Date, ParameterDirection.Input)
			cmd.Parameters.Add("p_AOU_CODE", OracleDbType.Decimal, ParameterDirection.Input)
			cmd.Parameters.Add("p_BIRD_CLASS", OracleDbType.Varchar2, ParameterDirection.Input)
			cmd.Parameters.Add("ret_REFCUR", OracleDbType.RefCursor, ParameterDirection.Output)
			conn.Open()
			Using oda As New OracleDataAdapter(cmd)
				Dim ds As New DataSet()
				oda.Fill(ds)
				Me.RadGrid1.MasterTableView.DataSource = ds.Tables(0)
			End Using
		End Using
	End Using
Catch ex As Exception
End Try

/* CS.NET code in ASP.NET application */

' Get data from stored procedure '
try 
  {
	string connstr = ConfigurationManager.ConnectionStrings("{OracleConnectionStringNameFromWebConfig}").ConnectionString;
	using (OracleConnection conn = new OracleConnection(connstr)) 
	  {
		using (OracleCommand cmd = new OracleCommand("{SCHEMANAME}.{PACKAGENAME}.rcGET_BIRD_DATA", conn)) 
		  {
			cmd.CommandType = CommandType.StoredProcedure;
			cmd.Parameters.Clear();
			cmd.Parameters.Add("p_DATE_BAND", OracleDbType.Date, ParameterDirection.Input);
			cmd.Parameters.Add("p_AOU_CODE", OracleDbType.Decimal, ParameterDirection.Input);
			cmd.Parameters.Add("p_BIRD_CLASS", OracleDbType.Varchar2, ParameterDirection.Input);
			cmd.Parameters.Add("ret_REFCUR", OracleDbType.RefCursor, ParameterDirection.Output);
			conn.Open();
			using (OracleDataAdapter oda = new OracleDataAdapter(cmd)) 
			  {
				DataSet ds = new DataSet();
				oda.Fill(ds);
				this.RadGrid1.MasterTableView.DataSource = ds.Tables[0];
		  	}
		  }
	  }
  } 
catch (Exception ex) 
{}


/* Oracle PL/SQL code */

CREATE OR REPLACE PACKAGE {SCHEMANAME}.{PACKAGENAME}
AS
PROCEDURE rcGET_BIRD_DATA(p_DATE_BAND   IN  DATE
                         ,p_AOU_CODE    IN  NUMBER
                         ,p_BIRD_CLASS  IN  VARCHAR2
                         ,ret_REFCUR    OUT SYS_REFCURSOR);
END PKG_BIRDS;
/

CREATE OR REPLACE PACKAGE BODY {SCHEMANAME}.{PACKAGENAME}
AS
PROCEDURE rcGET_BIRD_DATA(p_DATE_BAND   IN  DATE
                         ,p_AOU_CODE    IN  NUMBER
                         ,p_BIRD_CLASS  IN  VARCHAR2
                         ,ret_REFCUR    OUT SYS_REFCURSOR)
BEGIN
	OPEN ret_REFCUR FOR
		SELECT
			AOU_CODE,
			BIRD_CLASS,
			BIRD_NAME,
			DATE_BAND,
			WING_LENGTH,
			TAIL_LENGTH,
			EYE_COLOR,
			PLUMAGE_CODE
		FROM
			{SCHEMANAME}BANDED_BIRDS
		WHERE
			DATE_BAND  > p_DATE_BAND
			AND
			AOU_CODE   = p_AOU_CODE
			AND
			BIRD_CLASS = p_BIRD_CLASS
END;

END {SCHEMANAME}.{PACKAGENAME};
/

    Example 2: call the database with .NET side SQL

    Imports System.Xml.Linq.XElement

  Public Shared Sub updateUnitsActiveFlag(ByVal decQuantity As Decimal, ByVal strDescription As String, ByVal dateDateClosed As DateTime)
    ' Insert Quantity into new row Units table'
    Dim OraConnStr As String = ConfigurationManager.ConnectionStrings("OraConnStr").ConnectionString
    Try
      Dim SQL =
      <SQL>
      INSERT INTO {YOURSCHEMANAME}.UNITS
        (UNITS_SEQ, QUANTITY, DESCRIPTION, DATE_CLOSED, DATE_TODAY) 
      VALUES 
        (UNIT_SEQ.NextVal, :BindVarQuantity, :BindVarDescription, :BindVarDateClosed, SYSDATE)
      </SQL>
      Using conn As New OracleConnection(OraConnStr)
        Using cmd As New OracleCommand(SQL.Value, conn)
          cmd.Parameters.Clear()
          cmd.Parameters.Add("BindVarQuantity", OracleDbType.Decimal, decQuantity, ParameterDirection.Input)
          cmd.Parameters.Add("BindVarDescription", OracleDbType.CLOB, strDescription, ParameterDirection.Input)
          cmd.Parameters.Add("BindVarDateClosed", OracleDbType.Date, dateDateClosed, ParameterDirection.Input)
          conn.Open()
          cmd.ExecuteNonQuery()
        End Using
      End Using
    Catch ex As Exception
      AppCalls.WriteToEventLog(ex, "Inserting UNITS.QUANTITY failed", "AppCalls.updateUnitsActiveFlag.vb")
    End Try
End Sub
  
Imports System.Xml.Linq.XElement

Public Shared Sub InsertIntoTest(ByVal strID As String, ByVal strPerson As String, ByVal strLocation As String)
  Dim OraConnStr As String = ConfigurationManager.ConnectionStrings("{YourOraConnStrName}").ConnectionString
  Try
    Dim SQL =
    <SQL>
      INSERT INTO {YourSchemaName}.TEST
       (ID, Person, Location)
      VALUES
       (:BindVarstrID, :BindVarstrPerson, :BindVarstrLocation)
    </SQL>
    Using conn As New OracleConnection(OraConnStr)
      Using cmd As New OracleCommand(SQL.Value, conn)
        cmd.Parameters.Clear()
        cmd.Parameters.Add("BindVarstrID", OracleDbType.Varchar2, strID, ParameterDirection.Input)
        cmd.Parameters.Add("BindVarstrPerson", OracleDbType.Varchar2, strPerson, ParameterDirection.Input)
        cmd.Parameters.Add("BindVarstrLocation", OracleDbType.Varchar2, strLocation, ParameterDirection.Input)
        conn.Open()
        cmd.ExecuteNonQuery()
      End Using
    End Using
  Catch ex As Exception
  End Try
End Sub

    Friday, June 1, 2018 12:41 PM
  • Question
    Sign in to vote
    0
    Sign in to vote
    User-1689867599 posted

    Thank you all so much for viewing and all the suggestions.

    I will review all of them.

    Friday, June 1, 2018 9:10 PM
  • Question
    Sign in to vote
    0
    Sign in to vote
    User1120430333 posted

    The Oracle client must be installed on the Web server, since the Web application is a client.

    You should encrypt the user-id and password in the connectionstring.

    You make no mention of the Oracle TNS that must be dealt with in order to make the connection to the database.

    Thursday, June 14, 2018 5:46 PM