更改为参数化的Oracle查询

Question

我有以下代码用于连接到Oracle数据库并返回JSON结果。但下面的代码似乎有问题像SQL注入，我怎么能改变他们是当前代码到参数化。难道我只是被的OracleCommand

public class SampleController : ApiController 
    { 
    public string Getdetails(int id) 
    { 
     using (var dbConn = new OracleConnection("DATA SOURCE=h;PASSWORD=C;PERSIST SECURITY INFO=True;USER ID=T")) 
     { 

      var inconditions = id.Distinct().ToArray(); 
      var srtcon = string.Join(",",inconditions); 
      dbConn.Open(); 
      var strQuery = @"SELECT PRIO_CATEGORY_ID AS PRIO, LANG_ID AS LANG, REC_DATE AS REC, REC_USER AS RECUSER, DESCR, COL_DESCR AS COL, ROW_DESCR AS DROW, ABBR FROM STCD_PRIO_CATEGORY_DESCR WHERE REC_USER IN ("+srtcon+")"; 
      var queryResult = dbConn.Query<SamModel>(strQuery); 
      return JsonConvert.SerializeObject(queryResult); 
    } 
} 

Answer 1

你应该试试这个想法，在命令设置参数：使用System.Data

; using System.Data.SqlClient;

using (SqlConnection connection = new SqlConnection(connectionString)) 
{ 
    DataSet userDataset = new DataSet(); 
    SqlDataAdapter myDataAdapter = new SqlDataAdapter(
     "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id", 
     connection);     
    myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11); 
    myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text; 
    myDataAdapter.Fill(userDataset); 
}