Correct method to write to WEB API?

7

I did a test using a method this way; the test using Postman worked. I wanted to know whether I can have some problem doing it this way.

In the Controller:

// Every field, including the password, travels as part of the URL path:
//http://localhost:1608/api/ApiGuiaCidade/cadastrar/cliente/jose/02-02-2015/[email protected]/124546
[HttpPost]
[Route("cadastrar/cliente/{nome}/{datanascimento}/{email}/{senha}")]
public HttpResponseMessage clienteCadastro(string nome, DateTime datanascimento, string email, string senha)
{
    try
    {
        var tCliente = new ClienteAplicacao();
        tCliente.Inseri(nome, datanascimento, email, senha);
        return Request.CreateResponse(HttpStatusCode.OK, "Cadastro do cliente  " + nome + "  realizado.");
    }
    catch (Exception ex)
    {
        return Request.CreateResponse(HttpStatusCode.BadRequest, ex.Message);
    }
}

In the application layer:

public void Inseri(string nome, DateTime datanascimento, string email, string senha)
{
    // The values received from the request are concatenated straight into the SQL text
    var strQuery = "";
    strQuery += "INSERT INTO CLIENTES (NOME, DATA_NASCIMENTO,EMAIL, SENHA)";
    strQuery += string.Format(" VALUES ('{0}','{1}','{2}','{3}' )", nome, datanascimento, email, senha);

    using (contexto = new Contexto())
    {
        contexto.ExecutaComando(strQuery);
    }
}
    
asked by anonymous 07.12.2015 / 01:10

1 answer

1

Here we go,

When you have a request to persist something, you should take some precautions and adopt some good practices to avoid problems. In the case of a POST request to persist something, you can send the data in the request body, which exists exactly for this. On the ASP.NET Web API side, you can create a class that does the binding of this data and delivers an object ready for you to work with, for example:

public class ClienteDto
{
    public string Nome { get; set; }

    public DateTime DataNascimento { get; set; }

    public string Email { get; set; }

    public string Senha { get; set; }
}

In your API method, you could receive an object of this type:

[HttpPost]
[Route("cadastrar/cliente")]
public HttpResponseMessage clienteCadastro(ClienteDto clienteDto)
{
    // pass the DTO object to the business layer...

    return Request.CreateResponse(HttpStatusCode.OK);
}

Remember that by doing this, you must pass the data in the body of your request; this could be done using the JSON format, for example:

{
   "Nome": "João",
   "DataNascimento": "2000-01-05",
   "Email": "[email protected]",
   "Senha": "123456"
}

Note: if you can encrypt the password to transmit it in your request, that is a security recommendation.

Arriving at the layer that will persist, I noticed that in your code you use ADO.NET. There are no issues with this; however, be careful about what some colleagues commented on in your question regarding SQL injection. Depending on how you build an instance of IDbCommand and add parameters, you run the risk of having an unwanted command run in your database. You could try something like this:

using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public void Inserir(ClienteDto clienteDto)
{
    // Only placeholders appear in the SQL text; the values travel as parameters
    var strQuery = @"INSERT INTO CLIENTES (NOME, DATA_NASCIMENTO, EMAIL, SENHA)
                     VALUES (@nome, @datanascimento, @email, @senha)";

    using (var contexto = new Contexto())
    {
        var parametros = new List<SqlParameter>();

        var nomeParametro = new SqlParameter("@nome", SqlDbType.VarChar);
        nomeParametro.Value = clienteDto.Nome;

        parametros.Add(nomeParametro);

        // the other parameters follow the same pattern
        parametros.Add(new SqlParameter("@datanascimento", SqlDbType.Date) { Value = clienteDto.DataNascimento });
        parametros.Add(new SqlParameter("@email", SqlDbType.VarChar) { Value = clienteDto.Email });
        parametros.Add(new SqlParameter("@senha", SqlDbType.VarChar) { Value = clienteDto.Senha });

        // implement an overload that adds the parameters to your Command in this method!
        contexto.ExecutaComando(strQuery, parametros);
    }
}

I hope it helps.

    
11.12.2015 / 17:08
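The answer leaves the parameterised `ExecutaComando` overload as an exercise. The following is an added example, not code from the question or the answer, of what that overload in the `Contexto` class could look like: the SQL text is passed to `SqlCommand` unchanged and every user-supplied value is attached as a `SqlParameter`, so a value containing a single quote (a name such as O'Brien) is stored as data instead of altering the statement. The connection string and the `IDisposable` shape of `Contexto` are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Assumed shape of the Contexto class used by the question and the answer.
public class Contexto : IDisposable
{
    // Placeholder connection string; a real project reads this from configuration.
    private const string ConnectionString =
        "Server=(local);Database=GuiaCidade;Integrated Security=true";

    private readonly SqlConnection _conexao;

    public Contexto()
    {
        _conexao = new SqlConnection(ConnectionString);
        _conexao.Open();
    }

    // Original, parameterless overload: only suitable for SQL that contains no user input.
    public int ExecutaComando(string sql)
    {
        return ExecutaComando(sql, new List<SqlParameter>());
    }

    // Parameterised overload the answer asks for. The SQL text is sent as written;
    // the driver transmits each parameter value separately, so it is never parsed as SQL.
    public int ExecutaComando(string sql, IEnumerable<SqlParameter> parametros)
    {
        using (var comando = new SqlCommand(sql, _conexao))
        {
            comando.CommandType = CommandType.Text;
            foreach (var parametro in parametros)
            {
                comando.Parameters.Add(parametro);
            }
            // Returns the number of affected rows (1 for a successful INSERT)
            return comando.ExecuteNonQuery();
        }
    }

    public void Dispose()
    {
        _conexao.Dispose();
    }
}
```

With this overload in place, the `Inserir` method from the answer works unchanged; the `@senha` parameter still carries whatever the DTO holds, so hashing the password before it reaches this layer is a separate step this class does not perform.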