
My question is: how can I pass multiple parameters to a DELETE request?

My controller class is as follows:

namespace MYAPI1.Controllers
{
    // Web API controller exposing the delete operation for tasks.
    // NOTE(review): no [Authorize] attribute is visible on this controller or its action —
    // confirm that authentication/authorization for this destructive endpoint is enforced elsewhere.
    public class TaskController : ApiController
    {
        // DELETE: api/Task/5
        // In the template below "id1" and "id2" are literal path segments; only {id3} is a
        // placeholder. The route therefore matches api/Task/id1/id2/<value>, and the path
        // itself supplies no value for the id and id2 parameters.
        // id, id2 and id3 are forwarded unchanged to TaskPersistent.deleteTask; id3 is free
        // text taken from the request and has to be treated as untrusted input downstream.
        [Route("api/Task/id1/id2/{id3}")]
        public void Delete(int id,int id2, string id3)
        {
            TaskPersistent tp = new TaskPersistent();
            tp.deleteTask(id,id2,id3);
        }
    }
}

The TaskPersistent class is as follows:

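/// <summary>
/// Data-access helper that removes rows from the devproj table.
/// </summary>
public class TaskPersistent
{
    /// <summary>
    /// Deletes the devproj row(s) whose DeveloperID, ProjectID and WorkDate match the arguments.
    /// </summary>
    /// <param name="id">Value compared with the DeveloperID column.</param>
    /// <param name="id2">Value compared with the ProjectID column.</param>
    /// <param name="id3">
    /// Value compared with the WorkDate column. It arrives as a string from the HTTP request,
    /// so it is untrusted input (presumably a date such as 2018-03-14 — confirm the expected format).
    /// </param>
    public void deleteTask(int id, int id2, string id3)
    {
        // The SQL text is a constant with placeholders. The values travel as bound parameters,
        // so nothing supplied by the caller (in particular the string id3) can change the
        // structure of the statement, unlike a statement built by string concatenation.
        // A plain column-by-column WHERE clause also replaces the invalid "= VALUES (...)" form.
        const string sqlString =
            "DELETE FROM devproj " +
            "WHERE DeveloperID = @developerId AND ProjectID = @projectId AND WorkDate = @workDate;";

        try
        {
            // conn is not declared in this listing; presumably it is a connection held by the class.
            using (MySql.Data.MySqlClient.MySqlCommand cmd = new MySql.Data.MySqlClient.MySqlCommand(sqlString, conn))
            {
                cmd.Parameters.AddWithValue("@developerId", id);
                cmd.Parameters.AddWithValue("@projectId", id2);
                cmd.Parameters.AddWithValue("@workDate", id3);
                cmd.ExecuteNonQuery();
            }
        }
        catch (Exception x)
        {
            // Behaviour kept from the original: a failure is only written to the console, so the
            // caller cannot tell that the delete did not happen.
            // NOTE(review): consider logging and surfacing the error to the API layer.
            Console.WriteLine(x);
        }
    }
}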

I tried to call this from Postman like this: http://localhost:10927/api/Task?id1=1&id2=5&id3="2018-03-14", but it is not working. Please help me solve this.

Gamma
  • Possible duplicate of [What are good ways to prevent SQL injection?](https://stackoverflow.com/questions/14376473/what-are-good-ways-to-prevent-sql-injection) – mjwills Mar 13 '18 at 20:44
  • @mjwills Is this same as that question? lol – Gamma Mar 13 '18 at 20:45
  • `VALUES ('" + id + "', '" + id2 + "', '" + id3 + "');"` You have your current bug. And it is bad. But it is **nothing** compared to the security hole that code is introducing. Hence the link I suggested. – mjwills Mar 13 '18 at 20:47
  • @mjwills Ok thanks anyway :) – Gamma Mar 13 '18 at 20:48

3 Answers


Try the following

    // All three values come from the path: id and id2 must be integers (":int" constraint),
    // id3 is taken as-is from the third segment.
    // id3 is free text from the URL, so deleteTask has to bind it as a SQL parameter
    // rather than splice it into the statement text.
    [Route("api/Task/{id:int}/{id2:int}/{id3}")]
    public void Delete(int id,int id2, string id3)
    {
        new TaskPersistent().deleteTask(id, id2, id3);
    }

Call it via: http://localhost:10927/api/Task/1/2/"2018-03-14"

--- OR ---

    // The template has no placeholders, so id, id2 and id3 are read from the query string
    // (see the sample URL that follows this snippet).
    // id3 is free text from the request, so deleteTask has to bind it as a SQL parameter
    // rather than splice it into the statement text.
    [Route("api/Task")]
    public void Delete(int id,int id2, string id3)
    {
        new TaskPersistent().deleteTask(id, id2, id3);
    }

Call it via: http://localhost:10927/api/Task?id=1&id2=2&id3="2018-03-14"

Lucas
  • When I use the route `[Route("api/Task/{id1:int}/{id2:int}/{id3:string}")]`, the following exception is thrown: `System.InvalidOperationException' in System.Web.Http.dll` in **Global.asax.cs**. Could you explain why? – Gamma Mar 13 '18 at 20:27
  • The inline constraint resolver of type 'DefaultInlineConstraintResolver' was unable to resolve the following inline constraint: 'string'. – Gamma Mar 13 '18 at 20:31
  • My bad, you need to take ":string" off of id3. string is the default type and it doesn't like being told what it already is – Lucas Mar 13 '18 at 20:38
  • how is the behaviour when passing a guid? do I just mark the parameter in the route as {paramName:guid}? – Jif Jul 23 '18 at 14:10

Try passing a view model:

/// <summary>
/// Request body for the delete call: the three values that identify the row to remove.
/// </summary>
public class YourViewModel
{
    /// <summary>First identifier.</summary>
    public int Id1 { get; set; }

    /// <summary>Second identifier.</summary>
    public int Id2 { get; set; }

    /// <summary>Third value, carried as text exactly as the client sent it.</summary>
    public string Id3 { get; set; }
}

Then

// Takes the three values from the JSON request body instead of the URL and forwards them
// to deleteTask. The action is exposed as POST on api/Task.
// NOTE(review): model is presumably null when the request has no usable body — confirm,
// and reject such requests before the properties are read.
// Id3 is client-supplied text, so deleteTask has to bind it as a SQL parameter.
[HttpPost]
[Route("api/Task")]
public void Delete([FromBody] YourViewModel model)
{
    new TaskPersistent().deleteTask(model.Id1, model.Id2, model.Id3);
}

In this way you don't have to specify the parameters in the query string. But you have to ensure that the request header has:

'Content-Type: application/json'

Update: In case you need to give it a try, this is how you need to call it from the client side in case you are using JQuery:

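// Payload whose property names match the view model (Id1, Id2, Id3).
// The original literal was missing the comma between Id2 and Id3, which is a syntax error.
var myModel = { Id1: 1, Id2: 11, Id3: "test" };

// Send the model as a JSON body; the Content-Type header tells the server how to parse it.
$.ajax({
    type: 'POST',
    url: 'http://localhost:10927/api/Task',
    data: JSON.stringify(myModel),
    contentType: 'application/json;',
    dataType: 'json',
    success: function (data) { }
});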
Hussein Salman
// Bulk delete: hands the whole list of ids to the map service, then answers with the
// result of CreatedAtAction, which echoes the ids back to the caller.
// NOTE(review): no authorization attribute and no bound on the number of ids is visible
// in this snippet — confirm both are enforced elsewhere.
[HttpDelete]
public async Task<IActionResult> Delete(List<string> ids)
{
  await _mapService.RemoveAsync(ids);

  return CreatedAtAction(nameof(Delete), new { ids }, ids);
}

Curl

# Sends the two ids as a JSON array in the body of a DELETE request.
curl --request 'DELETE' \
  --header 'accept: */*' \
  --header 'Content-Type: application/json' \
  --data '[
  "623b35de9f6cedc3a22f7b37",
"623b35de9f6cedc3a22f7b38"
]' \
  'https://localhost:44307/api/Map'

Response body
[
  "623b35de9f6cedc3a22f7b37",
  "623b35de9f6cedc3a22f7b38"
]
Response headers
 content-type: application/json; charset=utf-8 
 date: Wed,23 Mar 2022 15:00:39 GMT 
 location: https://localhost:44307/api/Map?ids=623b35de9f6cedc3a22f7b37&ids=623b35de9f6cedc3a22f7b38 
 server: Microsoft-IIS/10.0 
 x-powered-by: ASP.NET 
Danil