Devart Forums

Discussion forums for open issues and questions concerning database tools, data access components and developer tools from Devart
https://forums.devart.com/

Bind variables, parameters and ExecuteQuery

https://forums.devart.com/viewtopic.php?f=1&t=32813

Page 1 of 1

Bind variables, parameters and ExecuteQuery

Posted: Mon 23 Nov 2015 13:34
by Mac
Currently using dotConnect for Oracle 8.5.521.0

I cannot find any documentation or examples of the method signature that actually uses parameters.

Code: Select all

IEnumerable<TResult> ExecuteQuery<TResult>(string query, params object[] parameters);
In particular I am interested in using bind variables if possible. Something like

Code: Select all

context.ExecuteQuery("select colA from tableA where colA = :paramA", "paramAValue");
or do I have to use argument placeholders like:

Code: Select all

context.ExecuteQuery("select colA from tableA where colA = '{0}'", "paramAValue");
If its arg placeholder style, what protection does this offer for sql injection attacks?
none, or is the param value internally formatted to avoid malicious values?

...or do I pass OracleParameter objects

Code: Select all

context.ExecuteQuery("select colA from tableA where colA = :paramA", new OracleParameter("paramA",  OracleDbType.NVarChar, 10){ Value = "paramAValue" });
Documentation and examples around this seem spectacularly poor and none of the above examples seem to work. Please advise or update documentation for ExecuteQuery and Parameters.

Re: Bind variables, parameters and ExecuteQuery

Posted: Tue 24 Nov 2015 11:14
by MariiaI
Please use the following code:

Code: Select all

context.ExecuteQuery<tableA>("select * from tableA where colA = {0}", "paramAValue"); // like in your example, but without quotes
In this case, the following SQL query will be sent to the database:

Code: Select all

select * from tableA where colA = :p0
p0: Input VarChar (Size = 5; DbType = String) [paramAValue]
If its arg placeholder style, what protection does this offer for sql injection attacks?
Due to the fact the SQL query, that is sent to the database, is constructed with parametres, the SQL injection is avoided.

You can check the generated SQL queries via LinqMonitor or Log property of your DataContext object. For more information please refer to:
http://www.devart.com/linqconnect/docs/?Monitoring.html

If you have any further questions, feel free to contact us.
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/