Click here to Skip to main content
14,970,229 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
I am getting always different select commands from ui through textbox.
Ex: string queries = "select name from employe; select id from dept";

internal logic
C#
for (int i=0; i < queries.Length; i++)
{
    OracleCommand cmd = new OracleCommand(queries[i].ToString(), con);
    OracleAdapter oda = new OracleDataAdapter(cmd);
    oda.fill(ds,queries[i]);
}

It's working fine but while checking in that checkmark getting sql injection issue.
Could you please assist on this how to fix the type of scenario.

note: is no scope using storeprocedure here.

What I have tried:

C#
for (int i=0; i < queries.Length; i++)
{
    racleCommand cmd=new OracleCommand(queries[i].ToString(), con);
    OracleAdapter oda= new OracleDAtaAdapter(cmd);
    oda.Fill(ds, queries[i]);
}
Posted
Updated 6-Jul-20 2:32am
v2

Have a read of this, there is a section on Bind Variables which should get you started

Retrieving and Updating with Oracle Data Provider for .NET[^]
   
Comments
DGKumar 6-Jul-20 4:04am
   
There are no parameters and where clause in those commands
Simon_Whale 6-Jul-20 4:06am
   
this is in the "To retrieve data using bind variables:" section under point 6

string sql = "select department_name from departments where department_id = " +
":department_id";
OracleCommand cmd = new OracleCommand(sql, conn);
cmd.CommandType = CommandType.Text;
OracleParameter p_department_id = new OracleParameter();
p_department_id.OracleDbType = OracleDbType.Decimal;
p_department_id.Value = departmentID.Text;
cmd.Parameters.Add(p_department_id);

OracleDataReader dr = cmd.ExecuteReader();
dr.Read();

departments.Items.Add(dr.GetString(0));
Quote:
How to prevent SQL inject for direct SQL commands in ASP.NET for oracle database

As I understand your question, user input is directly the SQL command.
So, by your design, there is no injection to prevent since user type directly commands they want.
C#
Ex: string queries = "select name from employe; drop employe";

SQL injection is only when user type parameters, by allowing user to type directly commands, you are far beyond.

SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
How can I explain SQL injection without technical jargon? - Information Security Stack Exchange[^]
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)




CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900