Currently the Web API, which queries the Oracle DB, is returning the result as JSON in the format below.

[{"CATEGORY":"Internal Study","SESSION_NUMBER":7,"SESSION_START_DATE":"2015-02-13T00:00:00","SESSION_START_TIME":"2015-02-13T10:33:59.288394"}]

Below is the code we are using

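using System.Data;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Http;
using Oracle.ManagedDataAccess.Client; // assumption: managed ODP.NET provider; use the Oracle client namespace your project references

public class SampleController : ApiController
{
    public HttpResponseMessage Getdetails([FromUri] string[] id)
    {
        using (OracleConnection dbconn = new OracleConnection("DATA SOURCE=J;PASSWORD=C;PERSIST SECURITY INFO=True;USER ID=T"))
        {
            var inconditions = id.Distinct().ToArray();
            // One bind placeholder per id (:p0,:p1,...) so request values are never concatenated into the SQL text.
            var srtcon = string.Join(",", inconditions.Select((value, i) => ":p" + i));
            DataSet userDataset = new DataSet();
            var strQuery = @"SELECT * from STCD_PRIO_CATEGORY where STPR_STUDY.STD_REF IN(" + srtcon + ")";
            OracleCommand selectCommand = new OracleCommand(strQuery, dbconn);
            // Bind the values in the same order as the placeholders.
            for (var i = 0; i < inconditions.Length; i++)
            {
                selectCommand.Parameters.Add(new OracleParameter("p" + i, inconditions[i]));
            }
            OracleDataAdapter adapter = new OracleDataAdapter(selectCommand);
            DataTable selectResults = new DataTable();
            adapter.Fill(selectResults);
            // The DataTable is serialized as a top-level JSON array.
            var response = Request.CreateResponse(HttpStatusCode.OK, selectResults, MediaTypeHeaderValue.Parse("application/json"));
            ContentDispositionHeaderValue contentDisposition = null;
            if (ContentDispositionHeaderValue.TryParse("inline; filename=ProvantisStudyData.json", out contentDisposition))
            {
                response.Content.Headers.ContentDisposition = contentDisposition;
            }
            return response;
        }
    }
}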

But the client, whose script consumes the file, says that the JSON structure being an array instead of an object is a security hole.

  {"data":[{"CATEGORY":"Internal Study","SESSION_NUMBER":7,"SESSION_START_DATE":"2015-02-13T00:00:00","SESSION_START_TIME":"2015-02-13T10:33:59.288394"}]}

I am new to this JSON structure and am not sure how we can manipulate the returned data as an object in the JSON file.

    
What do you mean by "client" here? Who says this is a security hole? – DavidG Jul 31 at 23:55
    
I see that the top one is the returned one now, the bottom one is what you want :P The security hole is that a top level JSON array can be hijacked as it is a valid JavaScript script, whereas a JSON object is not. – starlight54 Aug 1 at 0:00
    
@starlight54 Are you sure? stackoverflow.com/questions/16289894/… – DavidG Aug 1 at 0:06
    
@starlight54 Exactly. The top one is currently being returned as an array but the data will be executed in the browser as part of a script. They want it now as an object – trx Aug 1 at 0:08
    
@DavidG There'll be a douche somewhere who's still running an ancient browser on Windows ME, of course it's their fault then, but it's a minor inconvenience to avoid the use of top level JSON arrays, and because they're valid JS, other vulnerabilities could be found or introduced later. – starlight54 Aug 1 at 0:22
up vote 2 down vote accepted

I haven't heard of any security issue around an array within the JSON, however if you need to convert it to a JSON object you could use a generic object that you define:

var returnObject = new
{
    selectResults = selectResults
};

This will add the JSON object wrapping you want onto the response. You can then use this code to build your response:

var response = Request.CreateResponse(HttpStatusCode.OK, returnObject, MediaTypeHeaderValue.Parse("application/json"));

Sorry if I have misunderstood what you are asking for - hope this helps/works.

    
Thank you. But do we assign selectResults to itself? Also it says type expected in the new() – trx Aug 1 at 12:47
    
Sorry, the code I provided had an extra '()' in it after the 'new' - this isn't needed; I have amended my solution to fix this and it should work now, I tested it out myself. Also - the 'selectResults' that is being assigned to in the new object will be the name of the JSON property; in " {"data":[{"CATEGORY":"Internal Study","SESSION_NUMBER":7,"SESSION_START_DATE":"2015-02-13T00:00:00","SESSION_START_TIME":"2015-02-13T10:33:59.288394"}]} " it would be in the position the 'data' tag is. – jthomperoo Aug 1 at 13:00
    
Almost there, to change the name to data change your code to the following: var returnObject = new { data = selectResults }; this will change the name of the JSON object to 'data' – jthomperoo Aug 1 at 13:49
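
Added example, not part of the original thread: a small JavaScript check for the property discussed in the comments, that the top-level array body compiles as a standalone script while the `{"data": ...}` wrapper is a syntax error. The sample bodies are the two shapes quoted in the question; the function names are illustrative, and the text is only compiled, never executed.

```javascript
// Sample bodies: the two JSON shapes quoted in the question.
const ARRAY_BODY = '[{"CATEGORY":"Internal Study","SESSION_NUMBER":7,"SESSION_START_DATE":"2015-02-13T00:00:00","SESSION_START_TIME":"2015-02-13T10:33:59.288394"}]';
const OBJECT_BODY = '{"data":' + ARRAY_BODY + '}';

// True when the text compiles as JavaScript statements. new Function() only
// compiles the text as a function body and does not run it; for JSON input
// the accept/reject result is the same as for a script loaded by a browser.
function parsesAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (err) {
    if (err && err.name === 'SyntaxError') return false;
    throw err;
  }
}

// Report the top-level JSON type of a response body and whether the same
// bytes are also a valid script. Throws if the body is not valid JSON.
function auditJsonBody(body) {
  const value = JSON.parse(body);
  const topLevel = Array.isArray(value) ? 'array'
    : value === null ? 'null'
    : typeof value;
  return { topLevel, validScript: parsesAsScript(body) };
}

// Mirror of the answer's `new { data = selectResults }`: wrap a top-level
// array in an object under the given key, leave any other body unchanged.
function wrapTopLevelArray(body, key = 'data') {
  const value = JSON.parse(body);
  return Array.isArray(value) ? JSON.stringify({ [key]: value }) : body;
}

console.log(auditJsonBody(ARRAY_BODY));                    // current response shape
console.log(auditJsonBody(wrapTopLevelArray(ARRAY_BODY))); // wrapped shape
// Edge case: an empty object body "{}" still compiles (as an empty block),
// but it carries no data.
console.log(auditJsonBody('{}'));
```

Running `auditJsonBody` over recorded API responses in a test suite flags any endpoint that still returns a bare array.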
