I am always getting different select commands from the UI through a textbox.
Ex: string queries = "select name from employe; select id from dept";

internal logic

// the textbox holds several statements separated by ';', so split them first
string[] statements = queries.Split(';');
for (int i = 0; i < statements.Length; i++)
{
    OracleCommand cmd = new OracleCommand(statements[i].Trim(), con);
    OracleDataAdapter oda = new OracleDataAdapter(cmd);
}

It's working fine, but when I check it in, Checkmark reports a SQL injection issue.
Could you please assist on how to fix this type of scenario.

Note: there is no scope for using stored procedures here.

What I have tried:

string[] statements = queries.Split(';');
for (int i = 0; i < statements.Length; i++)
{
    OracleCommand cmd = new OracleCommand(statements[i].Trim(), con);
    OracleDataAdapter oda = new OracleDataAdapter(cmd);
    oda.Fill(ds, statements[i]);   // one table per statement
}
Updated 6-Jul-20 2:32am

Have a read of this; there is a section on Bind Variables which should get you started.

Retrieving and Updating with Oracle Data Provider for .NET
DGKumar 6-Jul-20 4:04am
There are no parameters and no where clause in those commands.
Simon_Whale 6-Jul-20 4:06am
This is in the "To retrieve data using bind variables:" section, under point 6:

// the user's value never becomes part of the SQL text; only the :department_id placeholder does
string sql = "select department_name from departments where department_id = " + ":department_id";
OracleCommand cmd = new OracleCommand(sql, conn);
cmd.CommandType = CommandType.Text;
OracleParameter p_department_id = new OracleParameter();
p_department_id.OracleDbType = OracleDbType.Decimal;
p_department_id.Value = departmentID.Text;
cmd.Parameters.Add(p_department_id);   // bind the value to the placeholder

OracleDataReader dr = cmd.ExecuteReader();

How to prevent SQL injection for direct SQL commands in ASP.NET for an Oracle database

As I understand your question, the user input is directly the SQL command.
So, by your design, there is no injection to prevent, since users type directly the commands they want.
Ex: string queries = "select name from employe; drop employe";

SQL injection is only when the user types parameters; by allowing the user to type commands directly, you are far beyond that.

SQL injection - Wikipedia
SQL Injection
SQL Injection Attacks by Example
PHP: SQL Injection - Manual
How can I explain SQL injection without technical jargon? - Information Security Stack Exchange
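The two answers together point at the fix: bind variables protect values, but they cannot protect a text box that carries whole statements. The following is an added example, not code from the question or from either answer, of keeping the asker's "several queries from one text box, one DataTable each" workflow while removing SQL from the input entirely. The user types a query key and values; the SQL text comes from a fixed catalogue and every value is passed as a bind variable, in the style of the Oracle documentation sample quoted above. The table names, query keys, request syntax and the ODP.NET managed namespace (Oracle.ManagedDataAccess.Client) are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using Oracle.ManagedDataAccess.Client;   // ODP.NET managed driver (assumed available)

// Added example, not code from the question or the answers.
// Each text-box line is "<query-key> <value> <value> ..."; the SQL comes from the
// catalogue below and values are bound, never concatenated. Names are constructed.
public static class QueryCatalogue
{
    private sealed class NamedQuery
    {
        public string Sql;                                    // fixed SQL with :name placeholders
        public (string Name, OracleDbType Type)[] Parameters; // one entry per placeholder, in order
    }

    // The only statements that can ever reach the database.
    private static readonly Dictionary<string, NamedQuery> Queries =
        new Dictionary<string, NamedQuery>(StringComparer.OrdinalIgnoreCase)
        {
            ["employee_names"] = new NamedQuery
            {
                Sql = "select name from employee",
                Parameters = new (string, OracleDbType)[0]
            },
            ["employees_by_dept"] = new NamedQuery
            {
                Sql = "select id, name from employee where dept_id = :dept_id",
                Parameters = new[] { ("dept_id", OracleDbType.Decimal) }
            },
            ["dept_ids"] = new NamedQuery
            {
                Sql = "select id from dept",
                Parameters = new (string, OracleDbType)[0]
            }
        };

    // Splits one text-box line into a query key and its argument values.
    public static (string Key, string[] Args) ParseRequest(string line)
    {
        string[] parts = line.Split(new[] { ' ', '\t' }, StringSplitOptions.RemoveEmptyEntries);
        if (parts.Length == 0)
            throw new ArgumentException("Empty request");
        string[] args = new string[parts.Length - 1];
        Array.Copy(parts, 1, args, 0, args.Length);
        return (parts[0], args);
    }

    // Converts raw text into the .NET type matching the declared OracleDbType, so a
    // non-numeric value for a numeric column is rejected here instead of being sent on.
    private static object ConvertValue(string raw, OracleDbType type)
    {
        switch (type)
        {
            case OracleDbType.Decimal:
                if (!decimal.TryParse(raw, out decimal d))
                    throw new ArgumentException($"'{raw}' is not a number");
                return d;
            case OracleDbType.Varchar2:
                return raw;
            default:
                throw new NotSupportedException(type.ToString());
        }
    }

    // Runs every request and fills one DataTable per request, mirroring the asker's
    // oda.Fill(ds, ...) loop. Unknown keys and wrong argument counts are rejected
    // before any OracleCommand is built.
    public static DataSet Run(OracleConnection con, IEnumerable<string> requestLines)
    {
        var ds = new DataSet();
        foreach (string line in requestLines)
        {
            var (key, args) = ParseRequest(line);
            if (!Queries.TryGetValue(key, out NamedQuery q))
                throw new ArgumentException($"Unknown query '{key}'");
            if (args.Length != q.Parameters.Length)
                throw new ArgumentException(
                    $"Query '{key}' expects {q.Parameters.Length} value(s), got {args.Length}");

            using (var cmd = new OracleCommand(q.Sql, con))
            {
                cmd.CommandType = CommandType.Text;
                cmd.BindByName = true;   // bind on :name rather than on position
                for (int i = 0; i < args.Length; i++)
                {
                    var p = new OracleParameter(q.Parameters[i].Name, q.Parameters[i].Type);
                    p.Value = ConvertValue(args[i], q.Parameters[i].Type); // data, never SQL text
                    cmd.Parameters.Add(p);
                }
                using (var oda = new OracleDataAdapter(cmd))
                    oda.Fill(ds, key);   // one table per request, named after its key
            }
        }
        return ds;
    }
}
```

With this in place the text box might contain `employee_names` and `employees_by_dept 10` on two lines, and `QueryCatalogue.Run(con, lines)` returns a DataSet with one table per line, the same shape the original loop produced. A line such as `drop employe` is not a catalogue key and is refused before a command exists, which is the property the scanner is looking for. Running the application under a database account that has only SELECT on the tables the catalogue touches limits the damage if the catalogue itself is ever edited carelessly.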

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
