
We created a Web API for querying the Oracle DB that returns the result as JSON in the format below. So the API receives an array of input parameters.

Currently I am using the URL below to query the DB:

https://bhbl.abc.org/api/Sample?id='BL001'&id='TM002'

So internally the query will be converted to:

SELECT * 
FROM STCD_PRIO_CATEGORY 
WHERE STPR_STUDY.STD_REF IN ("BL001,TM002")

Below is the code we are using:

using System.Data;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Http;
using Oracle.DataAccess.Client;   // ODP.NET provider for OracleConnection, OracleCommand and OracleDataAdapter

public class SampleController : ApiController
{
    public HttpResponseMessage Getdetails([FromUri] string[] id)
    {
        // Connection string with the credentials embedded in it.
        using (OracleConnection dbconn = new OracleConnection("DATA SOURCE=J;PASSWORD=C;PERSIST SECURITY INFO=True;USER ID=T"))
        {
            // Deduplicate the ids taken from the query string and join them with commas.
            var inconditions = id.Distinct().ToArray();
            var srtcon = string.Join(",", inconditions);

            // The joined ids are concatenated straight into the SQL text, quotes and all
            // (the client currently sends id='BL001', so the quotes arrive as part of the value).
            var strQuery = @"SELECT * from STCD_PRIO_CATEGORY where STPR_STUDY.STD_REF IN(" + srtcon + ")";

            OracleCommand selectCommand = new OracleCommand(strQuery, dbconn);
            OracleDataAdapter adapter = new OracleDataAdapter(selectCommand);

            // Fill opens the connection if it is closed and closes it again when done.
            DataTable selectResults = new DataTable();
            adapter.Fill(selectResults);

            // Serialize the DataTable as JSON and send it back inline with a file name.
            var response = Request.CreateResponse(HttpStatusCode.OK, selectResults, MediaTypeHeaderValue.Parse("application/json"));
            ContentDispositionHeaderValue contentDisposition = null;

            if (ContentDispositionHeaderValue.TryParse("inline;  filename=ProvantisStudyData.json", out contentDisposition))
            {
                response.Content.Headers.ContentDisposition = contentDisposition;
            }

            return response;
        }
    }
}

I am wondering if we can query the entire table using the same API (i.e., skipping the where STPR_STUDY.STD_REF IN("BL001,TM002") clause) by not passing anything in the URL, like

 https://bhbl.abc.org/api/Sample

I tried this, but it keeps loading without showing any error. I am not sure if what I am doing is right.

1 Answer

First, you could just check the array of ids to see if it is empty. If it is empty, then don't append your where clause; otherwise do.

More importantly, you shouldn't be using parameters from the URL to directly construct your SQL statements. You're creating a nice candidate for SQL injection attacks. You should be doing something to sanitize your inputs.
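The following is an added example of the two changes the answer describes, written for this page and not taken from the question or the answer. It omits the WHERE clause when no ids are passed, and it binds each id as an Oracle bind variable (:id0, :id1, ...) so that the id values never become part of the SQL text, which is what makes the original concatenation injectable. Assumptions: the ODP.NET namespace Oracle.ManagedDataAccess.Client (the question does not say which Oracle provider it uses), a connection string named "OracleDb" read from configuration instead of the hard-coded credentials in the question, and the question's own WHERE clause kept verbatim, including the STPR_STUDY.STD_REF reference that the comments below question.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using Oracle.ManagedDataAccess.Client;   // assumed ODP.NET managed provider

public class SampleController : ApiController
{
    // Assumption: connection string "OracleDb" lives in web.config, so no password sits in source.
    private static readonly string ConnectionString =
        ConfigurationManager.ConnectionStrings["OracleDb"].ConnectionString;

    // Oracle rejects an IN list with more than 1000 expressions (ORA-01795), bound or literal.
    private const int MaxIds = 1000;

    // GET api/Sample            -> whole table (no WHERE clause)
    // GET api/Sample?id=BL001&id=TM002 -> rows matching the bound ids (no quotes in the URL any more)
    public HttpResponseMessage Getdetails([FromUri] string[] id)
    {
        var ids = (id ?? new string[0])
            .Where(s => !string.IsNullOrWhiteSpace(s))
            .Distinct()
            .ToArray();

        if (ids.Length > MaxIds)
        {
            return Request.CreateErrorResponse(HttpStatusCode.BadRequest,
                "Too many ids; at most " + MaxIds + " are accepted.");
        }

        using (var dbconn = new OracleConnection(ConnectionString))
        using (var selectCommand = dbconn.CreateCommand())
        {
            // The SQL text is built only from fixed strings and placeholder names,
            // never from the request values themselves.
            var sql = "SELECT * FROM STCD_PRIO_CATEGORY";

            if (ids.Length > 0)
            {
                // One bind variable per id: IN (:id0, :id1, ...). Column reference kept as in the question.
                var placeholders = ids.Select((_, i) => ":id" + i);
                sql += " WHERE STPR_STUDY.STD_REF IN (" + string.Join(", ", placeholders) + ")";

                for (int i = 0; i < ids.Length; i++)
                {
                    // The value goes to the driver as data; a payload such as x') OR 1=1 -- is just a string.
                    selectCommand.Parameters.Add(
                        new OracleParameter("id" + i, OracleDbType.Varchar2) { Value = ids[i] });
                }
            }
            // With an empty array the WHERE clause is simply not appended, returning every row.

            selectCommand.BindByName = true;   // match :idN by name rather than by position
            selectCommand.CommandText = sql;

            var selectResults = new DataTable();
            using (var adapter = new OracleDataAdapter(selectCommand))
            {
                adapter.Fill(selectResults);   // opens and closes the connection itself
            }

            return Request.CreateResponse(HttpStatusCode.OK, selectResults, "application/json");
        }
    }
}
```

Two practical notes. First, clients must now send `id=BL001` rather than `id='BL001'`: with bind variables the quoting is the driver's job, and a quoted value would be looked up literally, quotes included. Second, the full-table case still returns the 313,568 rows mentioned in the comments; binding fixes the injection, not the size of the result, so paging or a row cap is a separate change.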


4 Comments

If I give an array of IDs in the URL, it keeps loading forever.

Have you successfully executed your DB query in SQL Developer or SQL*Plus with some sample ids? The query itself looks wrong.

I was able to execute the query in SQL Query, but the number of records returned when executing it with both IDs, as SELECT * from STCD_PRIO_CATEGORY where STPR_STUDY.STD_REF IN('BL001','TM002'), is 313,568.

That's why loading takes forever. I'm guessing that isn't what you want. Shouldn't your query be something like SELECT * from STCD_PRIO_CATEGORY where STD_REF IN('BL001','TM002')? Your current where clause doesn't seem to limit the number of rows selected from STCD_PRIO_CATEGORY. Alternately, you may want to join STCD_PRIO_CATEGORY and STD_REF on some column. I don't know the structure of your tables. You seem to have some query problems to sort out.
