0

I've currently got a WHERE clause in a SQL string that looks like this:

CmdTxt = CmdTxt + "Where FA.CSE_LAN = '" + UID + "' ";

It eventually culminates in a call to Oracle:

OracleCommand cmd = new OracleCommand(CmdTxt, connection);
cmd.Connection = connection;

cmd.CommandText = CmdTxt;
cmd.CommandType = CommandType.Text;
OracleDataAdapter da = new OracleDataAdapter(cmd);

da.Fill(dt);

What I now need to do is change that WHERE logic, so that it first looks at a column called FA.BUILD_CSE_LAN. If that has a value, it will use that column in the WHERE clause.

If it doesn't have a value, it will use the column FA.CSE_LAN in the WHERE clause.

How can I do this? I'm using C# code-behind in an ASP.Net environment against an Oracle 12c database, if any of that is important.

marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
Johnny Bones
  • 8,786
  • 7
  • 52
  • 117
  • `UID = "' OR 1 = 1;--";` –  Feb 06 '17 at 21:30
  • 1
    You need to [use parameterized queries](http://stackoverflow.com/q/7505808/557445). Your existing code, as Will pointed out, can leave you vulnerable to SQL Injection attacks. – Rion Williams Feb 06 '17 at 21:32
  • While I agree parameterized queries are important, assuming UID is either a UniqueID or UserID, generally those don't come from string inputs. Potentially userID but then that would actually be a user name. – Andrew Feb 06 '17 at 21:36
  • I agree with parameterized queries, but it's an intranet and this is the way they do things here. I'm more concerned with the syntax than the variables. – Johnny Bones Feb 06 '17 at 21:45
  • It may not be as important due to the trusted nature of the users, and depending on the source of the values, but it is always better practice. Though I admit even in the code we use in my workplace we sometimes just put values right into the string, but those values came from a database already. – Andrew Feb 06 '17 at 21:47
  • BTW, UID is set in code and is read from WindowsIdentity.GetCurrent().Name, so there really is no chance for injection. – Johnny Bones Feb 06 '17 at 21:49

2 Answers2

1

I am no expert on oracle but I would try something like this.

CmdTxt = CmdTxt + "Where FA.BUILD_CSE_LAN = @UID  OR ( FA.BUILD_CSE_LAN IS NULL AND FA.CSE_LAN = @UID)";

That way it if your build field is null, no value, it checks the other one. And declare @UID as a parameter on your command to avoid injection or special character issues.

Andrew
  • 1,544
  • 1
  • 18
  • 36
1

This doc on Oracle might help: NVL or COALESCE could help here.

CmdTxt = CmdTxt + "Where NVL(FA.BUILD_CSE_LAN, FA.CSE_LAN) = '" + UID + "' ";

or

CmdTxt = CmdTxt + "Where COALESCE(FA.BUILD_CSE_LAN, FA.CSE_LAN) = '" + UID + "' ";
MT0
  • 143,790
  • 11
  • 59
  • 117
JeromeFr
  • 1,869
  • 2
  • 17
  • 20