Remove From My Forums

prevent SQL injection oracle Upper function

Question

User-2012801151 posted

I used follwing Code To prevent SQL Injection but i faced some problem in upper function in oracle DB

 strQuery = @"SELECT FORCE_PASSWORD_CHANGE FROM IBK_USERS where upper(user_id) = upper(:UserPrefix) AND user_suffix= :UserSufix  AND STATUS_CODE='1'";
                
                try
                {

                    ocommand = new OracleCommand();
                    if (db.GetConnection().State == ConnectionState.Open)
                    {
                        ocommand.CommandText = strQuery;
                        ocommand.Connection = db.GetConnection();
                        ocommand.Parameters.Add(":UserSufix", OracleDbType.Varchar2);
                        ocommand.Parameters[":UserSufix"].Value = UserSufix;
                        ocommand.Parameters.Add(":UserPrefix", OracleDbType.Varchar2);
                        ocommand.Parameters[":UserPrefix"].Value = UserPrefix;
                        odatareader = ocommand.ExecuteReader();

please help me

Tuesday, June 3, 2014 3:49 AM

All replies

0

Sign in to vote

User753101303 posted

Hi,

Please always tell exactly what is the problem you have rather than just that you have "some problem"...

You are not using upper for the suffix. Is the problem that no row is returned ? Also you create a connection and then runs something only if it is opened (but it seems to never have been opened ?). Just open the connection and run whatever you want on it...

Tuesday, June 3, 2014 4:21 AM

User-2012801151 posted

this is my prevoius code , userprefix is my input perameter.

 strQuery = @"SELECT PASSWORD FROM IBK_USERS where upper(user_id) =upper('" + UserPrefix + "')

try
                {

                    ocommand = new OracleCommand();
                    if (db.GetConnection().State == ConnectionState.Open)
                    {
                        ocommand.CommandText = strQuery;
                        ocommand.Connection = db.GetConnection();                       
                        odatareader = ocommand.ExecuteReader();
                        odatareader.Read();

now i try to convert above code set parameter like this but this is not working.

strQuery = @"SELECT PASSWORD FROM IBK_USERS where upper(user_id) =upper(:UserPrefix)
  try
                {

                    ocommand = new OracleCommand();
                    if (db.GetConnection().State == ConnectionState.Open)
                    {
                        ocommand.CommandText = strQuery;
                        ocommand.Connection = db.GetConnection();
                       
                        ocommand.Parameters.Add(":UserPrefix", OracleDbType.Varchar2,ParameterDirection.Input);
                        ocommand.Parameters[":UserPrefix"].Value = UserPrefix;
                        odatareader = ocommand.ExecuteReader();

Tuesday, June 3, 2014 4:54 AM

0

Sign in to vote

User724169276 posted

Again same reply .. what is the error that you are getting ? make sure you get proper value in the parameter and the query is correct.

Tuesday, June 3, 2014 5:03 AM
0

Sign in to vote

User-2012801151 posted

first query get value but after edited code no get value... i am using oracle DB

Tuesday, June 3, 2014 5:05 AM
0

Sign in to vote
User724169276 posted

try:

ocommand.Parameters.AddWithValue(":UserPrefix",UserPrefix);

BTW ... are you sure you are getting the proper value in UserPrefix ? Put a breakpoint and let us know.
Tuesday, June 3, 2014 5:09 AM
0

Sign in to vote

User-2012801151 posted

oraclecommand.paramert not addwithvalue method ...

Tuesday, June 3, 2014 5:20 AM
0

Sign in to vote
User724169276 posted

OracleCommand do have AddWithValue :

ocommand.Parameters.AddWithValue("UserPrefix",UserPrefix);
Tuesday, June 3, 2014 5:27 AM
0

Sign in to vote

User-2012801151 posted

which refernce should i add ??

Tuesday, June 3, 2014 5:32 AM
0

Sign in to vote

User724169276 posted

which refernce should i add ??

You should have followed the link i shared in my previous post ...

using System.Data.OracleClient

Tuesday, June 3, 2014 5:36 AM
0

Sign in to vote

User-2012801151 posted

i used Oracle.DataAccess.Client oraclecommand when i add above reference it occure more error

Tuesday, June 3, 2014 5:54 AM
0

Sign in to vote

User724169276 posted

Oracle provides .NET classes for accessing an Oracle database. These are derived from ADO.NET base classes and thus are highly compatible with everything else. This library is sometimes referred to as ODP.NET and is found in the Oracle.DataAccess.Client namespace.

Similarly, Microsoft provides .NET classes for accessing an Oracle database. These are just the default classes provided with the .NET framework and are found in namespace System.Data.OracleClient.

Both of these namespaces go through the Oracle client (OCI interface). For now use Oracle client here.

http://social.msdn.microsoft.com/Forums/en-US/ad29c4dd-24bc-4f04-a5c6-b3481d506a22/systemdataoracleclient-versus-oracledataaccessclient-odpnet?forum=adodotnetdataproviders

Tuesday, June 3, 2014 6:02 AM
0

Sign in to vote

User-2012801151 posted

i think both are same but i used using Oracle.DataAccess.Client because of that i cant use addwithvalue .have any solution to solve this isuue??

Tuesday, June 3, 2014 6:56 AM

Asked by:

prevent SQL injection oracle Upper function

Question

All replies