
Currently the Web API which queries the Oracle DB is returning the result in JSON in the format below.

[{"CATEGORY":"Internal Study","SESSION_NUMBER":7,"SESSION_START_DATE":"2015-02-13T00:00:00","SESSION_START_TIME":"2015-02-13T10:33:59.288394"}]

Below is the code we are using.

using System.Data;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Http;
using Oracle.ManagedDataAccess.Client; // or whichever Oracle ADO.NET provider namespace is in use

public class SampleController : ApiController
{
    public HttpResponseMessage Getdetails([FromUri] string[] id)
    {
        // Connection string values are the placeholders from the question.
        using (OracleConnection dbconn = new OracleConnection("DATA SOURCE=J;PASSWORD=C;PERSIST SECURITY INFO=True;USER ID=T"))
        {
            var inconditions = id.Distinct().ToArray();
            // Bind each id as a parameter (:p0, :p1, ...) rather than concatenating
            // the raw request values into the SQL text.
            var paramNames = inconditions.Select((_, i) => ":p" + i).ToArray();
            var srtcon = string.Join(",", paramNames);
            var strQuery = @"SELECT * from STCD_PRIO_CATEGORY where STPR_STUDY.STD_REF IN(" + srtcon + ")";
            OracleCommand selectCommand = new OracleCommand(strQuery, dbconn);
            for (int i = 0; i < inconditions.Length; i++)
            {
                selectCommand.Parameters.Add(paramNames[i], inconditions[i]);
            }
            OracleDataAdapter adapter = new OracleDataAdapter(selectCommand);
            DataTable selectResults = new DataTable();
            adapter.Fill(selectResults); // Fill opens and closes the connection itself
            var response = Request.CreateResponse(HttpStatusCode.OK, selectResults, MediaTypeHeaderValue.Parse("application/json"));
            ContentDispositionHeaderValue contentDisposition = null;
            if (ContentDispositionHeaderValue.TryParse("inline; filename=ProvantisStudyData.json", out contentDisposition))
            {
                response.Content.Headers.ContentDisposition = contentDisposition;
            }
            return response;
        }
    }
}

But the client whose script consumes the file says that the JSON structure being an array instead of an object is a security hole.

{"data":[{"CATEGORY":"Internal Study","SESSION_NUMBER":7,"SESSION_START_DATE":"2015-02-13T00:00:00","SESSION_START_TIME":"2015-02-13T10:33:59.288394"}]}

I am new to this JSON structure and not sure how we will manipulate the returned data as an object in the JSON file.

  • What do you mean by "client" here? Who says this is a security hole? Commented Jul 31, 2016 at 23:55
  • I see that the top one is the returned one now, the bottom one is what you want :P The security hole is that a top level JSON array can be hijacked as it is a valid JavaScript script, whereas a JSON object is not. Commented Aug 1, 2016 at 0:00
  • @starlight54 Are you sure? stackoverflow.com/questions/16289894/… Commented Aug 1, 2016 at 0:06
  • @starlight54 Exactly. The top one is currently being returned as an array but the data will be executed in the browser as part of a script. They want it now as an object. Commented Aug 1, 2016 at 0:08
  • @DavidG There'll be a douche somewhere who's still running an ancient browser on Windows ME, of course it's their fault then, but it's a minor inconvenience to avoid the use of top level JSON arrays, and because they're valid JS, other vulnerabilities could be found or introduced later. Commented Aug 1, 2016 at 0:22

1 Answer


I haven't heard of any security issue around an array within the JSON, however if you need to convert it to a JSON object you could use a generic object that you define:

var returnObject = new
{
    selectResults = selectResults
};

This will add the JSON object wrapping you want onto the response; you can then use this code to build your response:

var response = Request.CreateResponse(HttpStatusCode.OK, returnObject,MediaTypeHeaderValue.Parse("application/json"));

Sorry if I have misunderstood what you are asking for - hope this helps/works.


3 Comments

Thank you. But do we assign selectResults to itself? Also it says type expected in the new()
Sorry, the code I provided had an extra '()' in it after the 'new' - this isn't needed; I have amended my solution to fix this and it should work now; I tested it out myself. Also - the 'selectResults' that is being assigned to in the new object will be the name of the JSON property; in " {"data":[{"CATEGORY":"Internal Study","SESSION_NUMBER":7,"SESSION_START_DATE":"2015-02-13T00:00:00","SESSION_START_TIME":"2015-02-13T10:33:59.288394"}]} " it would be in the position the 'data' tag is.
Almost there; to change the name to data, change your code to the following: var returnObject = new { data = selectResults }; this will change the name of the JSON object to 'data'.
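The point made in the question's comments (a top-level JSON array is also a valid JavaScript program, while the wrapped object form is not) and the answer's `data` wrapping, as an added JavaScript example that is not from the question or the answer; `parsesAsScript` and `wrapTopLevelArray` are hypothetical helper names, and the sample body is constructed from the question's JSON.

```javascript
// Constructed sample: the shape the API currently returns (a top-level array).
const arrayBody = '[{"CATEGORY":"Internal Study","SESSION_NUMBER":7,' +
  '"SESSION_START_DATE":"2015-02-13T00:00:00",' +
  '"SESSION_START_TIME":"2015-02-13T10:33:59.288394"}]';

// Returns true if `body` is accepted by the JavaScript parser as a program.
// A top-level array literal is a valid expression statement. An object literal
// with quoted keys is parsed as a block statement instead, and `"data":` is not
// a valid label, so the wrapped form is rejected with a SyntaxError. Only the
// parse is performed; the body is never executed.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Equivalent of the answer's `new { data = selectResults }`: wrap a top-level
// array in an object keyed by `key` and re-serialise. Bodies that are already
// objects are returned unchanged.
function wrapTopLevelArray(body, key = 'data') {
  const parsed = JSON.parse(body);
  if (!Array.isArray(parsed)) return body;
  return JSON.stringify({ [key]: parsed });
}

const wrappedBody = wrapTopLevelArray(arrayBody);
// parsesAsScript(arrayBody)   -> true
// parsesAsScript(wrappedBody) -> false
```

A response check like `parsesAsScript` can be run in an API test to catch any endpoint that still serialises a bare array.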
