Iam building an webapp. I am attempting to retrieve to pull data from an SSAS cube through MDX query in C#.(from WebAPI).
Can any one please share a sample of code to how to pass a parameter in MDX Query through C#?
This is about the simplest example:
You can wrap a parameter in StrToSet if you need to use a set expression.
var connection = new AdomdConnection(...);
var command = new AdomdCommand(#"
SELECT StrToMember(#Measure) ON 0
FROM [SomeCube]
", connection);
command.Parameters.Add(new AdomdParameter("Measure", "[Measures].[Foo]"));
var cellset = command.ExecuteCellSet();
Related
I can do:
await _sensorContext.Database.ExecuteSqlRawAsync("call testproc()");
And I can do:
System.Data.Common.DbConnection? c = _sensorContext.Database.GetDbConnection();
c.Open();
var cmd = c.CreateCommand();
cmd.CommandText = "call dewpointaverage('{\"70B3D52DD50003AC\",\"70B3D52DD5000452\"}'::varchar[])";
cmd.ExecuteNonQuery();
Which works, but I cannot figure out how to build and pass the parameter array in either (though preferably the first) approach.
There is no returned result set, the proc uses the parameters to calculate values and populate a table.
How can I pass the parameter array into either of these code examples?
await this._sensorContext.Database
.ExecuteSqlRawAsync("EXEC StoredProcedureName #FirstParameter, #SecondParameter",
new SqlParameter("FirstParameter", "ParameterValue"),
new SqlParameter("SecondParameter", "SecondParameterValue"));
To pass an array of elements, you can create an UserDataTable and follow this guide to give a list to your stored procedure.
Table-valued parameters
I have a .NET program with a dataset to an access/a sql DB.
I wrote a query and used 2 parameters, but I got an error:
Error in WHERE clause near '#'.
Unable to parse query text.
My query is:
SELECT DocID, DocCustomerNumber,
DocSessionID, DocTitle, DocKlaser, DocBarcodes
FROM VTblASMCustomersDocsAndGroupCodes
WHERE DocCustomerNumber = #cusNum AND
DocSessionID = #asmNum
Microsoft Access doesn't use named parameters. It uses positional parameters. So the order of the parameters is important when you set the values of the parameters.
Change your query to this:
SELECT DocID, DocCustomerNumber,
DocSessionID, DocTitle, DocKlaser, DocBarcodes
FROM VTblASMCustomersDocsAndGroupCodes
WHERE DocCustomerNumber = ? AND
DocSessionID = ?
Then use this code to pass the parameters:
cmd.Parameters.AddWithValue("param1", param1); // param1 = value of DocCustomerNumber
cmd.Parameters.AddWithValue("param2", param2); // param2 = value of DocSessionID
Exception:
Local variable/parameter ':your-param-name' can only be used within a database procedure.
In MSSQL, the param character is #. In INGRES Database, really is : ? I cannot find official documentation for that...
SELECT * FROM MyIngresTable WHERE MyColumn = :poorParam
C# with Spring.NET AdoTemplate:
IDbParametersBuilder builder = CreateDbParametersBuilder();
builder.Create().Name("poorParam").Type(DbType.Int32).Value(1);
Any help?
Solved!
Just use INTERROGATION without named param, and pass values in order of usage.
string query = "SELECT * FROM MyIngresTable WHERE MyColumn >= ? and OtherColumn = ?";
IDbParametersBuilder builder = CreateDbParametersBuilder();
builder.Create().Type(DbType.Int32).Value(10);
builder.Create().Type(DbType.String).Size(4).Value("test");
IList<YourModelType> data = AdoTemplate.QueryWithRowMapper(
CommandType.Text,
query,
new YourRowMapper<YourModelType>(),
builder.GetParameters()
);
Another tip about Spring.NET AdoTemplate:
using Spring.Data.Common;
using Spring.Data.Generic;
protected virtual IDbParametersBuilder CreateDbParametersBuilder()
{
return new DbParametersBuilder(AdoTemplate.DbProvider);
}
Thanks also, Panagiotis Kanavos.
I am working in C# for the first time in awhile, I have a line of code like this.
SQL = string.Format("PageName = '{0}'", bp.CommandArgument);
I need to know how to secure the object "bp.CommandArgument" from any SQL Injection. Thank you.
Why don't you use sql parameters?
string commandTxt = "SELECT ... FROM ... WHERE PageName=#PageName";
var command = new SqlCommand(commandTxt, connection);
command.Parameters.Add("#PageName", bp.CommandArgument);
I assume that connection is the SqlConnection object you have declared.
string query = #"SELECT ColA, ColXML FROM TableT WHERE ColXML.exist('/SuperNode/Node/SubNode[.=({0})]') = 1";
string param = "''value1'',''value2'',''value3''";
string sQ = string.Format(query, param);
A: dbContext.ExecuteQuery(sQ);
B: dbContext.ExecuteQuery(query, param);
A executes and returns result but B doesn't.
Any reason for this? Also, does the param gets validated for common SQL injection patterns?
Thanks for any pointers!
http://msdn.microsoft.com/en-us/library/system.data.linq.datacontext.executequery.aspx
You are trying to use the overloaded version of ExecuteQuery that receive parameters. Parameters must be passed as an Object array, for example:
object[] param = new Object[] { "value1", "value2", "value3" };
Anyway, your query receives only ONE parameter:
string query = #"SELECT ColA, ColXML FROM TableT WHERE ColXML.exist('/SuperNode/Node/SubNode[.=({0})]') = 1";
It seems that you want to pass a single parameter composed by three xml values. I am not an XQuery expert but you can try this:
object[] param = new Object[] { "''value1'', ''value2'', ''value3''" };
string query = #"SELECT ColA, ColXML FROM TableT WHERE ColXML.exist('/SuperNode/Node/SubNode[.=({0})]') = 1";
For anyone stumbling upon this via google as I did, ExecuteQuery does not simply pass the command and parameters to string.Format as that would create an injection vulnerability.
It replaces the {0}, {1}, ... in the command with "#p0", "#p1" etc, and then adds your parameters as parameters to the sql command. This can be confirmed by setting the .Log property on the data context to see the command actually executed.
So the OP's example doesn't work because
f(x) where x = "a,b,c"
is only equivalent to
f(a,b,c)
if we're doing a straightforward string substitution. If x is a "proper" SQL parameter then it doesn't work.