Bind variables, parameters and ExecuteQuery

Bind variables, parameters and ExecuteQuery

Postby Mac » Mon 23 Nov 2015 13:34

Currently using dotConnect for Oracle 8.5.521.0

I cannot find any documentation or examples of the method signature that actually uses parameters.

Code: Select all
IEnumerable<TResult> ExecuteQuery<TResult>(string query, params object[] parameters);


In particular I am interested in using bind variables if possible. Something like

Code: Select all
context.ExecuteQuery("select colA from tableA where colA = :paramA", "paramAValue");


or do I have to use argument placeholders like:

Code: Select all
context.ExecuteQuery("select colA from tableA where colA = '{0}'", "paramAValue");


If its arg placeholder style, what protection does this offer for sql injection attacks?
none, or is the param value internally formatted to avoid malicious values?

...or do I pass OracleParameter objects

Code: Select all
context.ExecuteQuery("select colA from tableA where colA = :paramA", new OracleParameter("paramA",  OracleDbType.NVarChar, 10){ Value = "paramAValue" });


Documentation and examples around this seem spectacularly poor and none of the above examples seem to work. Please advise or update documentation for ExecuteQuery and Parameters.
Mac
 
Posts: 12
Joined: Sun 23 Aug 2009 22:33

Re: Bind variables, parameters and ExecuteQuery

Postby MariiaI » Tue 24 Nov 2015 11:14

Please use the following code:
Code: Select all
context.ExecuteQuery<tableA>("select * from tableA where colA = {0}", "paramAValue"); // like in your example, but without quotes

In this case, the following SQL query will be sent to the database:
Code: Select all
select * from tableA where colA = :p0
p0: Input VarChar (Size = 5; DbType = String) [paramAValue]

If its arg placeholder style, what protection does this offer for sql injection attacks?
Due to the fact the SQL query, that is sent to the database, is constructed with parametres, the SQL injection is avoided.

You can check the generated SQL queries via LinqMonitor or Log property of your DataContext object. For more information please refer to:
http://www.devart.com/linqconnect/docs/?Monitoring.html

If you have any further questions, feel free to contact us.
MariiaI
Devart Team
 
Posts: 1472
Joined: Mon 13 Feb 2012 08:17


Return to dotConnect for Oracle