I'm calling a system stored procedure from the full-text search package. It generates the terms used for full-text search based on a SQL literal.
e.g. exec ctx_query.explain('index_name', 'full text filter', 'explain table'), etc.
I’m doing the following in my code:
using (OracleConnection conn = new OracleConnection(DataAccess.GetConnString()))
using (OracleCommand command = new OracleCommand("ctx_query.explain", conn))
{
    conn.Open();
    command.CommandType = CommandType.StoredProcedure;
    // parameters are listed in the procedure's signature order, since binding is positional by default
    command.Parameters.AddWithValue("index_name", "explain1");
    //command.Parameters.AddWithValue("text_query", "(test) OR (term1 ACCUM term2)");
    command.Parameters.AddWithValue("text_query", txtUserInput.Text);
    command.Parameters.AddWithValue("explain_table", "explain_results");
    command.Parameters.AddWithValue("sharelevel", 0);
    // Guid.NewGuid() generates a fresh id (new Guid() is all zeros); explain_id is VARCHAR2(30)
    command.Parameters.AddWithValue("explain_id", Guid.NewGuid().ToString().Substring(0, 30));
    command.ExecuteNonQuery();
}
The "text_query" parameter will be built from user input. Does the above prevent SQL injection because txtUserInput.Text will be passed as a command parameter?
ctx_query.explain does not execute the query, it only examines it, so there is no SQL injection risk here.
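The following is an added example, not code from the question or the answer above, showing the difference the bind parameter makes: the unsafe variant splices the user's text into a PL/SQL block, so a quote in the input changes which statement the server parses; the safe variant keeps the statement text fixed and sends the user's text only as a bind value, so the server parses it solely as an Oracle Text query. It assumes the ODP.NET managed driver (Oracle.ManagedDataAccess), a placeholder connection string, an index named explain1 and an explain table explain_results created with the column layout documented for CTX_QUERY.EXPLAIN; none of these names come from the original post.

```csharp
using System;
using System.Data;
using Oracle.ManagedDataAccess.Client;   // ODP.NET managed driver (assumed)

// Added example; not the question's or answer's code.
// Assumptions: ConnStr is a valid ODP.NET connection string, the Oracle Text
// index EXPLAIN1 exists, and EXPLAIN_RESULTS has the CTX_QUERY.EXPLAIN layout
// (explain_id, id, parent_id, operation, options, object_name, position, cardinality).
static class ExplainDemo
{
    const string ConnStr = "User Id=textuser;Password=changeme;Data Source=orcl"; // placeholder
    const string IndexName = "explain1";
    const string ExplainTable = "explain_results";

    // UNSAFE: the user's text becomes part of the PL/SQL block itself.
    // Input such as   x') ; END; --   closes the call early, and everything
    // after it is parsed by the server as PL/SQL, not as an Oracle Text query.
    static string BuildUnsafeBlock(string userText, string explainId)
    {
        return "BEGIN ctx_query.explain('" + IndexName + "', '" + userText + "', '"
             + ExplainTable + "', 0, '" + explainId + "'); END;";
    }

    // SAFE: the statement is fixed; the user's text travels as a bind value and
    // can only ever be the text_query argument, whatever characters it contains.
    static void ExplainWithBinds(string userText, string explainId)
    {
        using (var conn = new OracleConnection(ConnStr))
        using (var cmd = conn.CreateCommand())
        {
            conn.Open();
            cmd.CommandText = "ctx_query.explain";
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.BindByName = true;   // match parameters by name rather than position

            cmd.Parameters.Add("index_name", OracleDbType.Varchar2).Value = IndexName;
            cmd.Parameters.Add("text_query", OracleDbType.Varchar2).Value = userText;
            cmd.Parameters.Add("explain_table", OracleDbType.Varchar2).Value = ExplainTable;
            cmd.Parameters.Add("sharelevel", OracleDbType.Int32).Value = 0;
            cmd.Parameters.Add("explain_id", OracleDbType.Varchar2).Value = explainId;

            cmd.ExecuteNonQuery();
        }
    }

    // Read back the rows written for this explain_id, again through a bind variable.
    // ExplainTable is a compile-time constant, never user input, so concatenating it is fine.
    static void PrintPlan(string explainId)
    {
        using (var conn = new OracleConnection(ConnStr))
        using (var cmd = conn.CreateCommand())
        {
            conn.Open();
            cmd.CommandText = "SELECT operation, options, object_name FROM " + ExplainTable +
                              " WHERE explain_id = :explain_id ORDER BY id";
            cmd.Parameters.Add("explain_id", OracleDbType.Varchar2).Value = explainId;
            using (var rdr = cmd.ExecuteReader())
                while (rdr.Read())
                    Console.WriteLine("{0} {1} {2}", rdr[0], rdr[1], rdr[2]);
        }
    }

    static void Main()
    {
        // Constructed hostile input: a closing quote followed by PL/SQL.
        string hostile = "x') ; END; --";
        string explainId = Guid.NewGuid().ToString("N").Substring(0, 30);

        // Shows how the concatenated block is rewritten by the input (printed, not executed).
        Console.WriteLine(BuildUnsafeBlock(hostile, explainId));

        try
        {
            ExplainWithBinds(hostile, explainId);   // only the intended procedure call reaches the server
            PrintPlan(explainId);
        }
        catch (OracleException ex)
        {
            // Oracle Text still parses the bound text as a query; a malformed query
            // raises an OracleException here instead of executing anything.
            Console.WriteLine("Explain rejected the query: " + ex.Message);
        }
    }
}
```

The point of the comparison is that the bind-variable path never lets the user's text reach the SQL or PL/SQL parser; it is handed to Oracle Text as data, so the worst outcome for odd input is a parser error from ctx_query.explain, which the catch block reports rather than swallowing.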