-2

I want to get the value of the encrypted password into a string variable, but I am getting the whole query.

Here is my code:

string strpassword = "select  sys.get_enc_val ('" + txtpassword.Text + "', 'F20FA982B4C2C675')  from dual";
Response.Write(strpassword);

In strpassword I get the whole query.

But in Toad the result is:

F52377D5FFB1A47F

How to get that in Oracle?

Nad

1 Answer

3

When you write

string strpassword = "select  sys.get_enc_val ('" + txtpassword.Text + "', 'F20FA982B4C2C675')  from dual";
Response.Write(strpassword);

Then you are simply displaying the string value as you are not executing the SQL which is present inside the string.

What you are looking for is the result of the SQL which is present inside the string. To get the result of the SQL stored inside the string you need to execute it.

You can try like this:

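// ODP.NET provider classes (using Oracle.ManagedDataAccess.Client;), since the query targets Oracle.
string queryString = "select  sys.get_enc_val ('" + txtpassword.Text + "', 'F20FA982B4C2C675')  from dual";
using (OracleConnection connection = new OracleConnection(connectionString))
{
    OracleCommand command = new OracleCommand(queryString, connection);
    connection.Open();
    // Executing the command is what produces the value; the string alone is only SQL text.
    OracleDataReader reader = command.ExecuteReader();
    try
    {
        while (reader.Read())
        {
            // reader[0] is the single column returned by sys.get_enc_val
            Console.WriteLine(String.Format("{0}", reader[0]));
        }
    }
    finally
    {
        reader.Close();
    }
}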

As commented above, your query is prone to SQL injection. A better way is to use a parameterized query to get rid of it. Something like:

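// Oracle bind variables are written with a leading colon; the key argument is kept from the original query.
string sql = "select  sys.get_enc_val (:myvar, 'F20FA982B4C2C675') from dual";
OracleConnection connection = new OracleConnection(/* connection info */);
OracleCommand command = new OracleCommand(sql, connection);

// The text box value is sent as bound data and never becomes part of the SQL text.
command.Parameters.Add("myvar", txtpassword.Text);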
Rahul Tripathi
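A complete version of the parameterized lookup that returns the function result as a string, added here as an example and not code from the answer. It assumes the ODP.NET managed driver (Oracle.ManagedDataAccess.Client) and that sys.get_enc_val takes two VARCHAR2 arguments; the names EncValLookup, GetEncryptedValue, p_text and p_key are hypothetical.

```csharp
using System;
using System.Data;
using Oracle.ManagedDataAccess.Client; // assumption: ODP.NET managed driver is referenced

public static class EncValLookup
{
    // Hypothetical helper: runs sys.get_enc_val with both arguments bound
    // and returns the single value it produces, or null if there is none.
    public static string GetEncryptedValue(string connectionString, string plainText, string key)
    {
        // No user input is concatenated into the statement; both values are bind variables.
        const string sql = "select sys.get_enc_val(:p_text, :p_key) from dual";

        using (var connection = new OracleConnection(connectionString))
        using (var command = new OracleCommand(sql, connection))
        {
            // ODP.NET binds by position by default; bind by name so the
            // order of the Add calls cannot silently swap the arguments.
            command.BindByName = true;
            command.Parameters.Add("p_text", OracleDbType.Varchar2, plainText, ParameterDirection.Input);
            command.Parameters.Add("p_key", OracleDbType.Varchar2, key, ParameterDirection.Input);

            connection.Open();

            // The query returns one row with one column, so ExecuteScalar is enough.
            object result = command.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? null : result.ToString();
        }
    }
}

// Usage in the page's code-behind (key value taken from the question's query):
//   string strpassword = EncValLookup.GetEncryptedValue(
//       connectionString, txtpassword.Text, "F20FA982B4C2C675");
//   Response.Write(strpassword);
```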