I am using Enterprise Library to query database and usin GetStoredProcCommand to query database. The problem arises when I want to use output parameter.
DbCommand cmd = db.GetStoredProcCommand("storedProcedureName", param1, param2, param3, ...);
Now, if I want to add output parameter, I can't simply write db.AddOutParameter(cmd, "#TotalNumber", DbType.Int64, sizeof(Int64));
I would have to add all the input parameters using db.AddInParameter(cmd, "param1", DbType.Int32, param1);
If you have 10 input parameters, adding them one by one in your code does not like alright and you just wish you could go back to adding them all in the same function call at once. Is there a way of doing this while also use output parameter?
Basically all you need to do is pass a null (or anything really) for the output parameter and you don't have to bother with db.AddOutParameter
From the comments on DbCommand GetStoredProcCommand(string storedProcedureName,
params object[] parameterValues)
The parameters for the stored procedure will be discovered and the values are assigned in positional order.
What they don't tell you is that count of the Db Parameters isn't the same as the params you'll get a Resources.ExceptionMessageParameterMatchFailure So for every output DB Parameter you still need to pass somthing.
What they also don't tell you is that when its assigning the value it checks the direction of the database parameter. If its output it just skips over your value.
Related
One of my clients using Dynamic SQL as part of the stored procedures. they don't want to change this. I am building MVC Website that should use that risky stored procedures. therefore, using parameters with Entity Framework will not solve the problem.
When i used the old and good SQL helper, i checked all the parameters inside the ExecuteQuery function and tried to find risky keywords. but now, when i'm using the native .NET Entity Framework 5 i have no shared function i can check there for that.
Using validators for every specific field is not good for me. is there an option to make overadding function for the Entity Framework part which execute the SP or Any other ideas how to solve that problem?
You do not say whether the dynamic SQL within the stored procedures uses parameters or not. Assuming not, the best solution would be to encode strings for single quotes at the point of query execution
e.g. create a methodstring EncodeSqlString(string s) { return s.replace("'", "''"); }
Then call this method
cmd.CommandText = "SP_FOO";
cmd.CommandType = CommandType.StoredProcedure;
EntityParameter param = new EntityParameter();
param.Value = EncodeSqlString(myString);
param.ParameterName = "MyParam";
cmd.Parameters.Add(param);
This would be the safest way as you are only encoding the string values as passed to the stored procedure, you are not using the values elsewhere and in contexts where the quote encoding isn't appropriate, and you will be mitigating the risk of truncation (as long as there is no truncation happening within the SPs). This will also only work correctly if the SPs only use the values for constructing SQL queries - if they do anything else with them then this probably isn't the way to go.
Only pass string values into this method. For other, non-quoted types you should ensure that they are the correct type before passing them into the parameter. e.g. for an int
string number = Request.QueryString["Number"];
if (int.TryParse(number, out myInt))
{
cmd.CommandText = "SP_BAR";
cmd.CommandType = CommandType.StoredProcedure;
EntityParameter param = new EntityParameter();
param.Value = myInt;
param.ParameterName = "MyParam";
cmd.Parameters.Add(param);
}
else
{
// handle appropriately but do not use value
}
i have a populated list:
def someList=... (string values)
and I want to pass this into a SQL statement to restrict which columns the query selects.
db.rows("select ${someList} from arch_application")
However, I get this error when I try to do so:
There is a ? parameter in the select list. This is not allowed.
Anyone have an ideas? Thanks!
When you pass a GString to Sql.rows, it gets parsed differently than normal in groovy. In particular, it creates a PreparedStatement with replaceable parameters for ${} substitutions. In your case this is probably not what you want. Try forcing the GString to a Java string:
db.rows("select ${someList.join(',')} from arch_application" as String)
Can some one suggest me how to call a stored function in oracle through vb.net.
From vb.net should i able to pass the values to arguments of that function without knowing the parameter names?
Example: I have a function,
Create or Repalce Function Func_Name(param1 Varchar2,param2 varchar2)
Inorder to call this function through vb.net, we need to give
parameterargs.paramtername="param1"
Is there anyway so that i cannot use the parameter name and call the function
Thanks in advance
Rupesh
The way that we handled it was to open the Oracle DB up through an OleDbConnection, then call GetOleDbSchemaTable asking for the Procedure_Columns.
For example:
DataTable dtTable;
dtData = this.Connection.GetOleDbSchemaTable(OleDbSchemaGuid.Procedure_Columns, new object[] {null, null, sName, null});
foreach (DataRow theRow in dtData.Rows)
{
// Columns available in the row include:
// column_name, data_type, type_name, precision, and scale
}
Then, if you need to execute it without valid parameters (for example, to get the columns it exposes) you could execute it using DbNull.Value for each parameter.
Also, I can't remember exactly how Oracle operates, but in SQL Server you need to include the namespace when executing the function (i.e. select * from dbo.fn_my_test()). Also, depending on how the function is structured, you may have to select from it instead of executing it.
I'm not sure if you can use named parameters with Oracle.
When you create the parameterized query, try using question marks as a place holder:
Select col1, col2 From tablename Where col1 = ? and col2 = ?
Then, be sure to add the parameters to the command object in the correct order.
You don't need to know the parameter names to call it.
You need to know the number and type of them
Adding parameter names to the call means you don't have to pass all of them and / or you can pass them in a different order to the signature of the SP.
Call it like a parameterised query.
PSEUDOCODE
int customer_ID = 786;
Command.CommandText = 'Exec SP_MYProc #MyVar';
Command.Parameters.Add(new Parameter('MyVar',DbType.Int,customer_ID));
Command.Exec
Is there anyway to specify more than one MergeSection value for the MSBuild LINK task? (The MergeSection param is the same as the /merge param for link.exe)
http://msdn.microsoft.com/en-us/library/ee862471.aspx
When calling link.exe you can specify more than one /merge value, but that doesn't seem possible with the MergeSection parameter.
So far the only way I can see to make this work is by using the AddtionalOptions param, but I'm hoping there's a better way to implement this parameter.
Thanks
I think you may have to use AdditionalOptions.
In the Link task the MergeSections property is a string value, not an array, so you can only set one string. Link.exe does not seem to allow you to pass multiple pairs in one command line parameter, you must specify a separate MERGE command line parameter for each pair. The Visual Studio property page only allows a single string for the MergeSections property.
I have a whole slew of database access functions which assume a particular connection string. Within my application I call
myList = DB_MyTable.GetTableItems()
and within GetTableItems() I have something like
Dim connection As SqlConnection = MyDB.GetConnection
So the connection string is in one place in the code, and I call a method to get it.
What I'm running into now is I want to reuse the same database functions, but with a different connection string. I can rewrite all of the functions like DB_MyTable.GetTableItems() easily because they're generated from a script, but within the main application code I'll need to take care of every function call that now needs to know what connection string I want to use.
I tried changing the arguments to GetTableItems() like this:
Public Shared Function GetTableItems(Optional ByVal useThisString as String = MyDB.GetConnection) As List(Of MyItems)
in hopes of being able to pass in, by default, the string I'm already using in most of the code, but I got an error saying that the default value had to be a constant expression. This would mean peppering a specific connection string everywhere, which I don't want to do.
Is there a way to accomplish what I'm after, or do I need to make the connection string a required argument and change all of the calls in my application to match the new signature?
Thanks as always!
Can you make your default value an empty string? Then, in your functions, if the useThisString variable is blank, then use default, else use the one you passed in? A littler dirtier, but just barely.