How to call a mySQL stored function in C#? - c#

I'd like to call a stored function in C#. I need articles and some examples for this.


It's almost identical to how you would call a SQL Server Stored Procedure:
using(MySqlConnection conn = new MySqlConnection(connString))
{
MySqlCommand command = new MySqlCommand("spSomeProcedure;", conn);
command.CommandType = System.Data.CommandType.StoredProcedure;
// Add your parameters here if you need them
command.Parameters.Add(new MySqlParameter("someParam", someParamValue));
conn.Open();
int result = (int)command.ExecuteScalar();
}


http://forums.asp.net/p/988462/1278686.aspx
MySqlCommand cmd = new MySqlCommand("DeleteMessage", new MySqlConnection(GetConnectionString()));
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.Add(new MySqlParameter("param1", MessageItem.Entry_ID));
cmd.Connection.Open();
int i = cmd.ExecuteNonQuery();
cmd.Connection.Close();


Stored routines
Stored functions and stored procedures are called in different ways.
Stored function is used as regular function in SQL statement.
For example
SELECT id, title, my_function(price) FROM table
Stored procedures are called using CALL statement.
CALL my_procedure(1,2,'title');
I don't know C#, so probably you can use MySqlCommand class to call stored procedures, but you can't use it to call stored functions.


I actually couldn't get the other methods suggested to return a value. I ended up creating a string to call the function and then executed that string with .ExecuteScalar:
MySqlTransaction mySqlTransaction = testDataMySqlConnection.BeginTransaction();
mySqlCommand = new MySqlCommand
{
Connection = testDataMySqlConnection,
CommandText = "SELECT sf_UnitsAttempted('" + ... + ");",
CommandType = CommandType.Text
};
var f = (float)mySqlCommand.ExecuteScalar();
mySqlCommand.Dispose();
return f;


I know the question is about returning from a stored function, and Justin's answer here covers that. I wanted to add that if you wanted to return a DataTable from a stored procedure instead, you can do it using a DataAdapter:
// using MySql.Data.MySqlClient; // remember to include this
/* Helper method that takes in a Dictionary list of parameters,
and returns a DataTable.
The connection string is fetched from a resources file. */
public static DataTable ExecuteProc(string procedureName, Dictionary<string,object> parameterList)
{
DataTable outputDataTable;
using (MySqlConnection MySqlConnection = new MySqlConnection(Resources.SQL_CONNECTION_STRING))
{
using (MySqlCommand sqlCommand = new MySqlCommand(procedureName, MySqlConnection))
{
sqlCommand.CommandType = CommandType.StoredProcedure;
if (parameterList != null)
{
foreach(string key in parameterList.Keys)
{
string parameterName = key;
object parameterValue = parameterList[key];
sqlCommand.Parameters.Add(new MySqlParameter(parameterName, parameterValue));
}
}
MySqlDataAdapter sqlDataAdapter = new MySqlDataAdapter(sqlCommand);
DataSet outputDataSet = new DataSet();
sqlDataAdapter.Fill(outputDataSet, "resultset");
outputDataTable = outputDataSet.Tables["resultset"];
}
}
return outputDataTable;
}

Related

SQL Queries from WCF service avoiding SQL Injection in querying a view

I have my classes from other projects which have strings for SQL queries.
See my example
public class OtherClass
{
myQuery = "SELECT * FROM v_My_View WHERE code = '#code'";
// I am targeting a view, not a stored procedure
}
My question is, if I use this in my commandText and just replace the #code with a value, is this valid argument against SQL injection?
If it is vulnerable with SQL injection - what are the other options for it?
I tried to use the
CMD.Parameters.AddWithValue("#code", _obj.code)
but it ruined my query.
I am using parameters when accessing my stored procedure, but not when accessing my views.
This is my main:
public class Main
{
public DataTable myMethod()
{
try
{
DataTable myTable = new DataTable("MyDataTable");
using (SqlCommand CMD = new SqlCommand())
{
CMD.Connection = RBOSUtil.DBConnection();
CMD.CommandType = CommandType.Text;
// this is the part I used the string from other class
CMD.CommandText = OtherClas.myQuery.Replace("#code", _obj.code);
using (SqlDataAdapter DA = new SqlDataAdapter(CMD))
{
DA.Fill(myTable);
}
}
}
catch
{
throw;
}
finally
{
//close connection
}
return myTable;
}
}

use this
public class Main
{
public DataTable myMethod()
{
DataTable myTable = new DataTable("MyDataTable");
try
{
using (SqlCommand CMD = new SqlCommand())
{
CMD.Connection = RBOSUtil.DBConnection();
CMD.CommandType = CommandType.Text;
//this is the part I used the string from other class
CMD.CommandText = OtherClas.myQuery;
CMD.Parameters.Add("#code", SqlDbType.NVarChar).value = _obj.code;
using (SqlDataAdapter DA = new SqlDataAdapter(CMD))
{
DA.Fill(myTable);
}
}
}
catch
{
throw;
}
finally
{
//close connection
}
return myTable;
}
}
declare datatable before try

You don't need quotes around the parameter name in the SQL statement:
myQuery = "SELECT * FROM v_My_View WHERE code = #code";. Otherwise what you're doing looks fine to me. It should work.
EDIT: I got confused between the original question and Ravi's answer. Somehow I missed the separator between the question and the first answer. Anyway, to answer the original question, yes, using String.Replace to replace #code with a value is subject to SQL injection vulnerabilities.
You should use SQL parameters, like the code in Ravi's answer, but you'll also need to modify the query to remove the quotes around the parameter name.

How to Handle SQL Exception Must Pass Parameter number 'x'?

I am trying to store Binary Data by using store procedure. Store procedure has three parameters. Last parameter will be containing Binary Data. But when I run a code it gives SQL Exception
Must pass parameter number 3 and subsequent parameters as '#name =
value'. After the form '#name = value' has been used, all subsequent
parameters must be passed in the form '#name = value'.
SqlCommand cmd = new SqlCommand("EXEC myProc #param1 = 8, #param2= '5.png', #FileSignature");
using (SqlConnection conn = new SqlConnection(myConnString))
{
cmd.Connection = conn;
if (FileSignature == null) //FileSignature is byte[]
{
cmd.Parameters.Add("#FileSignature", SqlDbType.VarBinary, -1);
cmd.Parameters["#FileSignature"].Value = System.DBNull.Value;
}
else
cmd.Parameters.AddWithValue("#FileSignature", FileSignature); //FileSignature is byte[]
int iReturn = cmd.ExecuteNonQuery();
}

You can't use #param=val for some parameters and #param for others.
Also, this is not the proper way to execute a stored procedure using sqlCommand.
Please try reading the exception message. It's plain english and is there to help.
Try this:
using(SqlConnection conn = new SqlConnection(myConnString),
SqlCommand cmd = new SqlCommand("myProc", conn)
{
cmd.CommandType = SqlCommandType.StoredProcedure;
cmd.Parameters.AddWithValue("#param1", 8);
cmd.Parameters.AddWithValue("#param2", '5.png');
if (FileSignature == null) //FileSignature is byte[]
{
cmd.Parameters.Add("#FileSignature", SqlDbType.VarBinary, -1);
cmd.Parameters["#FileSignature"].Value = System.DBNull.Value;
}
else
{
cmd.Parameters.AddWithValue("#FileSignature", FileSignature); //FileSignature is byte[]
}
conn.Open();
int iReturn = cmd.ExecuteNonQuery();
conn.Close();
}

Because you supplied the first two parameters by name you must do so for all three. So you need to update you SqlCommand text to include it SqlCommand cmd = new SqlCommand("EXEC myProc #param1 = 8, #param2= '5.png', **#Parameter3** = #FileSignature");
Replace #Parameter3 with the name from your Stored Proc or optional you could just not pass any names (as long as the parameters are in the same order in your procedure.
SqlCommand cmd = new SqlCommand("EXEC myProc 8, '5.png', #FileSignature");

ASP.Net C# - Passing a variable into MySQL query

So I want to create a line graph with data from a MySQL table and I've managed to draw one using the code below.
However, I want to pass a variable 'moduleID' to the MySQL query and I have done so, however, I'm not sure if this is the most appropriate way to do so. Should I pass a parameter instead and if so, how do I do that?
protected void chart(int moduleID)
{
string connStr = ConfigurationManager.ConnectionStrings["myConnectionString"].ConnectionString;
MySqlConnection conn = new MySqlConnection(connStr);
string comm = "SELECT * FROM scores WHERE module_id=" + moduleID.ToString();
MySqlDataAdapter dataAdapter = new MySqlDataAdapter(comm, conn);
DataSet ds = new DataSet();
Chart1.ChartAreas["ChartArea1"].AxisX.MajorGrid.Enabled = false;
Chart1.ChartAreas["ChartArea1"].AxisY.MajorGrid.Enabled = false;
Chart1.ChartAreas["ChartArea1"].AxisX.Minimum = 1;
Chart1.ChartAreas["ChartArea1"].AxisX.LabelStyle.Enabled = false;
Chart1.ChartAreas["ChartArea1"].AxisX.Title = "time";
Chart1.ChartAreas["ChartArea1"].AxisY.Minimum = 0;
Chart1.ChartAreas["ChartArea1"].AxisY.Maximum = 100;
Chart1.ChartAreas["ChartArea1"].AxisY.Title = "%";
Chart1.ChartAreas["ChartArea1"].AxisY.TextOrientation = TextOrientation.Horizontal;
try
{
conn.Open();
dataAdapter.Fill(ds);
Chart1.DataSource = ds;
Chart1.Series["Series1"].YValueMembers = "score";
Chart1.DataBind();
}
catch
{
lblError.Text = "Database connection error. Unable to obtain data at the moment.";
}
finally
{
conn.Close();
}
}

You are right. Concatenating strings to form a query is prone to SQL injection. Use parameters like:
string comm = "SELECT * FROM scores WHERE module_id=#module_id";
MySqlCommand mySqlCommand = new MySqlCommand(comm,conn);
mySqlCommand.Parameters.Add(new MySqlParameter("#module_id", module_id));
MySqlDataAdapter dataAdapter = new MySqlDataAdapter(mySqlCommand);
You should also enclose your connection and command object with using statement. This will ensure proper disposal of resource.
Also an empty catch is very rarely useful. You should catch specific exception first and then the base exception Exception in an object. Use that object to log the exception information or show in your error message. This will provide you help in debugging your application.

Step1: Create stored Procedure
CREATE PROCEDURE SelectScore
(#moduleID NCHAR(50))AS
SELECT * FROM scores WHERE module_id=#moduleID
Step2: Call the stored Procedure from Code
string connStr = ConfigurationManager.ConnectionStrings["myConnectionString"].ConnectionString;
using (SqlConnection conn = new SqlConnection(connStr )) {
conn.Open();
// 1. create a command object identifying the stored procedure
SqlCommand cmd = new SqlCommand("SelectScore", conn);
// 2. set the command object so it knows to execute a stored procedure
cmd.CommandType = CommandType.StoredProcedure;
// 3. add parameter to command, which will be passed to the stored procedure
cmd.Parameters.Add(new SqlParameter("#moduleID ", moduleID ));
// execute the command
using (SqlDataReader rdr = cmd.ExecuteReader()) {
// iterate through results, printing each to console
while (rdr.Read())
{
..
}
}
}

Calling a SP which has Insert Statement and returns a table

Is it possible to call a stored procedure which will insert the details first and at the end will return a table. At present I have written two stored procedures for it: one for inserting and the other for getting the details. Now I'm trying to do both at the same time.
I'm using ExecuteScalar for inserting and ExecuteDataSet for selecting.

If your stored procedure returns data using a SELECT (of course, I suppose that you need to read that data) then you should use the SqlDataAdapter with its Fill method or an SqlDataReader using the ExecuteReader on the SqlCommand
ExecuteReader:
using(SqlConnection cn = new SqlConnection(...))
using(SqlCommand cmd = new SqlCommand(procName, cn))
{
cmd.CommandType = CommandType.StoredProcedure;
cn.Open()
using(SqlDataReader r = cmd.ExecuteReader())
{
while(r.Read())
{
// read every row and use the field values .....
}
}
}
SqlDataAdapter.Fill:
using(SqlConnection cn = new SqlConnection(...))
using(SqlCommand cmd = new SqlCommand(procName, cn))
{
cmd.CommandType = CommandType.StoredProcedure;
cn.Open()
using(SqlDataAdapter da = new SqlDataAdapter(cmd)
{
DataTable dt = new DataTable();
da.Fill(dt);
// DataTable filled with the data returned by the last SELECT in your SP
......
}
}
The SqlCommand.ExecuteReader or SqlDataAdapter.Fill will execute the stored procedure without looking at what the stored procedure does, but they expect that some kind of tabular data will be returned to loop over it

You write a procedure like this
CREATE PROCEDURE SP_Name
(
//PARAMETES
)
AS
BEGIN
//INSERT STATEMENT
//SELECT STATEMENT
END
and call ExecuteDataSet()

SqlConnection cn = new SqlConnectio(...)
SqlCommand cmd = new SqlCommand("procName", cn)
{
cmd.CommandType = CommandType.StoredProcedure;
cn.Open();
cmd.ExecuteScalar();
}

SQL SELECT With Stored Procedure and Parameters?

I've been writing a lot of web services with SQL inserts based on a stored procedure, and I haven't really worked with any SELECTS.
The one SELECT I have in mind is very simple.
SELECT COUNT(AD_SID) As ReturnCount FROM AD_Authorization
WHERE AD_SID = #userSID
However, I can't figure out based on my current INSERT code how to make that into a SELECT and return the value of ReturnCount... Can you help? Here is my INSERT code:
string ConnString = "Data Source=Removed";
string SqlString = "spInsertProgress";
using (OleDbConnection conn = new OleDbConnection(ConnString))
{
using (OleDbCommand cmd = new OleDbCommand(SqlString, conn))
{
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.AddWithValue("attachment_guid", smGuid.ToString());
cmd.Parameters.AddWithValue("attachment_percentcomplete", fileProgress);
conn.Open();
cmd.ExecuteNonQuery();
conn.Close();
}
}

Here is where you are going wrong:
cmd.ExecuteNonQuery();
You are executing a query.
You need to ExecuteReader or ExecuteScalar instead. ExecuteReader is used for a result set (several rows/columns), ExecuteScalar when the query returns a single result (it returns object, so the result needs to be cast to the correct type).
var result = (int)cmd.ExecuteScalar();
The results variable will now hold a OledbDataReader or a value with the results of the SELECT. You can iterate over the results (for a reader), or the scalar value (for a scalar).

Since you are only after a single value, you can use cmd.ExecuteScalar();
A complete example is as follows:
string ConnString = "Data Source=Removed";
string userSid = "SomeSid";
string SqlString = "SELECT COUNT(AD_SID) As ReturnCount FROM AD_Authorization WHERE AD_SID = #userSID;";
int returnCount = 0;
using (OleDbConnection conn = new OleDbConnection(ConnString))
{
using (OleDbCommand cmd = new OleDbCommand(SqlString, conn))
{
cmd.CommandType = CommandType.Text;
cmd.Parameters.AddWithValue("#userSID", userSid);
conn.Open();
returnCount = Convert.ToInt32(cmd.ExecuteScalar());
}
}
If you wanted to return MULTIPLE rows, you can use the ExecuteReader() method. This returns an IDataReader via which you can enumerate the result set row by row.

You need to use ExecuteScalar instead of ExecuteNonQuery:
String query = "SELECT COUNT(AD_SID) As ReturnCount FROM AD_Authorization WHERE AD_SID = #userSID ";
using (OleDbConnection conn = new OleDbConnection(ConnString)) {
using (OleDbCommand cmd = new OleDbCommand(query, conn))
{
cmd.Parameters.AddWithValue("userSID", userSID.ToString());
conn.Open();
int returnCount = (Int32) cmd.ExecuteScalar();
conn.Close();
}
}

cmd.executescalar will return a single value, such as your count.
You would use cmd.executereader when you are returning a list of records

Categories