Bind variables, parameters and ExecuteQuery

Discussion of open issues, suggestions and bugs regarding ADO.NET provider for Oracle
Post Reply
Mac
Posts: 12
Joined: Sun 23 Aug 2009 22:33

Bind variables, parameters and ExecuteQuery

Post by Mac » Mon 23 Nov 2015 13:34

Currently using dotConnect for Oracle 8.5.521.0

I cannot find any documentation or examples of the method signature that actually uses parameters.

Code: Select all

IEnumerable<TResult> ExecuteQuery<TResult>(string query, params object[] parameters);
In particular I am interested in using bind variables if possible. Something like

Code: Select all

context.ExecuteQuery("select colA from tableA where colA = :paramA", "paramAValue");
or do I have to use argument placeholders like:

Code: Select all

context.ExecuteQuery("select colA from tableA where colA = '{0}'", "paramAValue");
If its arg placeholder style, what protection does this offer for sql injection attacks?
none, or is the param value internally formatted to avoid malicious values?

...or do I pass OracleParameter objects

Code: Select all

context.ExecuteQuery("select colA from tableA where colA = :paramA", new OracleParameter("paramA",  OracleDbType.NVarChar, 10){ Value = "paramAValue" });
Documentation and examples around this seem spectacularly poor and none of the above examples seem to work. Please advise or update documentation for ExecuteQuery and Parameters.

MariiaI
Devart Team
Posts: 1472
Joined: Mon 13 Feb 2012 08:17

Re: Bind variables, parameters and ExecuteQuery

Post by MariiaI » Tue 24 Nov 2015 11:14

Please use the following code:

Code: Select all

context.ExecuteQuery<tableA>("select * from tableA where colA = {0}", "paramAValue"); // like in your example, but without quotes
In this case, the following SQL query will be sent to the database:

Code: Select all

select * from tableA where colA = :p0
p0: Input VarChar (Size = 5; DbType = String) [paramAValue]
If its arg placeholder style, what protection does this offer for sql injection attacks?
Due to the fact the SQL query, that is sent to the database, is constructed with parametres, the SQL injection is avoided.

You can check the generated SQL queries via LinqMonitor or Log property of your DataContext object. For more information please refer to:
http://www.devart.com/linqconnect/docs/?Monitoring.html

If you have any further questions, feel free to contact us.

Post Reply