Amit Toren

Reputation: 351

Can't run oracle command with a specific where c#

I needed to run this query:

"Select column_name from all_tab_columns 
where table_name=''" + tableName + " owner='" + ownerName + "'";

This is running it as an OracleCommand in C#. It didn't work. I tried many variations, including different variables, but it never works when I put table_name in the where clause. It's not because I'm not using LIKE either.

Upvotes: 0

Views: 107

Answers (1)

Cee McSharpface

Reputation: 8726

A properly formatted command text would have to look something like this:

var query = String.Format(@"
    SELECT 
        column_name 
    FROM all_tab_columns 
    WHERE table_name='{0}'
    AND owner='{1}'", tableName, ownerName);

This is vulnerable to injection attacks if tableName and ownerName were user input. In this case, use a parametrized command instead:

var query = @"
    SELECT 
        column_name 
    FROM all_tab_columns 
    WHERE table_name=:tablename
    AND owner=:ownername";

The values are then assigned using OracleParameter instances.

Upvotes: 1
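The two forms from the answer side by side, as an added example that is not code from the original post or answer. It assumes the ODP.NET managed driver (NuGet package Oracle.ManagedDataAccess); the class name, the placeholder connection string and the sample owner/table values are assumptions for illustration. The hardened version also handles a detail the answer does not mention: the data dictionary stores unquoted identifiers in upper case, so the bound values are upper-cased before the lookup.

```csharp
using System;
using System.Collections.Generic;
using Oracle.ManagedDataAccess.Client; // ODP.NET managed driver (assumed)

// Added example, not from the original post or answer.
static class ColumnLookup
{
    // Vulnerable form: the caller-supplied strings are spliced into the SQL text.
    // An input such as  X' OR '1'='1  rewrites the WHERE clause, which is exactly
    // what the parametrized form below prevents.
    static string BuildUnsafeQuery(string tableName, string ownerName) =>
        "SELECT column_name FROM all_tab_columns WHERE table_name='" + tableName +
        "' AND owner='" + ownerName + "'";

    // Hardened form: bind variables, no string splicing. The SQL text never changes,
    // whatever the caller passes in.
    public static List<string> GetColumns(OracleConnection conn, string tableName, string ownerName)
    {
        const string sql = @"
            SELECT column_name
            FROM   all_tab_columns
            WHERE  table_name = :tablename
            AND    owner      = :ownername
            ORDER  BY column_id";

        var columns = new List<string>();
        using (var cmd = new OracleCommand(sql, conn))
        {
            // ODP.NET binds parameters by position unless told otherwise; binding by
            // name ties each OracleParameter to its :placeholder regardless of order.
            cmd.BindByName = true;

            // ALL_TAB_COLUMNS holds unquoted identifiers in upper case, so a lookup
            // for "emp" returns nothing unless the value is normalised first.
            cmd.Parameters.Add("tablename", OracleDbType.Varchar2).Value = tableName.ToUpperInvariant();
            cmd.Parameters.Add("ownername", OracleDbType.Varchar2).Value = ownerName.ToUpperInvariant();

            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    columns.Add(reader.GetString(0));
            }
        }
        return columns;
    }

    static void Main()
    {
        // Placeholder connection string and sample owner/table (assumptions).
        using (var conn = new OracleConnection("User Id=scott;Password=changeme;Data Source=localhost/XEPDB1"))
        {
            conn.Open();
            foreach (var col in GetColumns(conn, "emp", "scott"))
                Console.WriteLine(col);
        }
    }
}
```

If the table was created with a quoted, mixed-case identifier, drop the ToUpperInvariant() calls and pass the name exactly as it was quoted; either way the value travels as a bind variable and is never interpreted as SQL.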
