I'm having issues with using a full text search with an sqldatasource.
<asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:ApplicationServices %>"
SelectCommand="SELECT 1, 2, 3 FROM table WHERE CONTAINS(2, @text)">
<SelectParameters>
<asp:ControlParameter ControlID="tbOCRSearch" Name="text"
Type="String" DefaultValue="" PropertyName="Text" />
</SelectParameters>
</asp:SqlDataSource>
This works great if I only put in one search term. However, if I put in two terms it throws an error.
However, if I put "termone termtwo" in double quotes the query works.
How can I modify my SelectCommand to add the double quotes?
Solved.
Took me a few hours of looking. In the SqlDataSource we need to add an OnSelecting event.
<asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:ApplicationServices %>"
SelectCommand="SELECT 1, 2, 3 FROM table WHERE CONTAINS(2, @text)"
OnSelecting="SqlDataSource1_Selecting">
<SelectParameters>
<asp:ControlParameter ControlID="tbOCRSearch" Name="text"
Type="String" DefaultValue="" PropertyName="Text" />
</SelectParameters>
</asp:SqlDataSource>
Then in the code behind you'll need one of these. You can then add the quotes around the text.
protected void SqlDataSource1_Selecting(object sender, SqlDataSourceSelectingEventArgs e)
{
    // Wrap the search box text in double quotes so CONTAINS treats it as one phrase.
    e.Command.Parameters["@text"].Value = "\"" + tbOCRSearch.Text + "\"";
}
And now everything works like it should.
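Added example, not part of the original answer: the parameter keeps the value out of the SQL text, but SQL Server still parses it as a full-text search condition, so a double quote typed by the user ends the phrase early and an empty box yields an empty predicate, and both make CONTAINS fail. The helper below builds the quoted phrase defensively; `FullTextPhrase` and `ToPhrase` are hypothetical names and the sample inputs are constructed.

```csharp
using System;
using System.Text;

public static class FullTextPhrase
{
    // Turns free text into a single quoted CONTAINS phrase.
    // Returns null when nothing searchable is left, so the caller can skip the query.
    public static string ToPhrase(string input)
    {
        if (string.IsNullOrWhiteSpace(input)) return null;

        var sb = new StringBuilder(input.Length + 2);
        bool pendingSpace = false;
        foreach (char c in input)
        {
            // Double quotes would close the phrase early; treat them, control
            // characters and runs of whitespace as a single separator.
            if (c == '"' || char.IsControl(c) || char.IsWhiteSpace(c))
            {
                pendingSpace = sb.Length > 0;
                continue;
            }
            if (pendingSpace) { sb.Append(' '); pendingSpace = false; }
            sb.Append(c);
        }
        return sb.Length == 0 ? null : "\"" + sb + "\"";
    }

    public static void Main()
    {
        // Constructed inputs: two terms, embedded quotes, quotes only, blank.
        string[] samples = { "termone termtwo", "a\" OR \"b", "\"\"", "   " };
        foreach (string s in samples)
        {
            string phrase = ToPhrase(s);
            Console.WriteLine("[{0}] -> {1}", s, phrase ?? "(skip query)");
        }
    }
}
```

In the `Selecting` handler, assign the result to `e.Command.Parameters["@text"].Value`, and set `e.Cancel = true` when it is null.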
Related
I am trying to update my dropdownlistB according to the categoryId chosen in dropdownlistA Using this code:
<asp:DropDownList ID="DropDownListA" runat="server" DataSourceID="SqlDataSourceA" DataTextField="Description" DataValueField="Description" AutoPostBack="True"></asp:DropDownList>
<asp:DropDownList ID="DropDownListB" runat="server" DataSourceID="SqlDataSourceB" DataTextField="Title" DataValueField="Title"></asp:DropDownList>
<asp:SqlDataSource ID="SqlDataSourceA" runat="server" ConnectionString="<%$ ConnectionStrings:MainDbConnectionString1 %>" SelectCommand="SELECT [Description] FROM [BookCategory]"></asp:SqlDataSource>
<asp:SqlDataSource ID="SqlDataSourceB" runat="server" ConnectionString="<%$ ConnectionStrings:MainDbConnectionString1 %>" SelectCommand="SELECT [Title] FROM [BooksInfo] WHERE ([CategoryId] = @CId)">
<SelectParameters>
<asp:QueryStringParameter DefaultValue="" Name="CId" QueryStringField="SELECT [CategoryId] FROM [BookCategory]" Type="Int32" />
</SelectParameters>
</asp:SqlDataSource>
I am new to using SQL and queries in ASP.NET and can't figure out what I'm doing wrong; dropdownlistB stays empty. (AutoPostBack = true in dropdownlistA, so it should update?)
I think what you are looking for is the asp:ControlParameter like this
<asp:ControlParameter ControlID="DropDownListA" PropertyName="SelectedValue"
Name="EmpID" Type="Int32" DefaultValue="0" />
So the query is based on the selection of DropDownListA.
I have a textbox with id = txt_SearchLibrary, which is also the ControlParameter that I am using to filter my SqlDataSource. I want to get all the results when I don't type anything in my search text box, but the code below returns 0 rows. I tried 2 ways but neither worked.
first one:
<asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:MyDbConn %>"
SelectCommand="SELECT * FROM [Books] WHERE ([BookName] LIKE '%' + @searchText + '%') OR @searchText IS NULL">
<SelectParameters>
<asp:ControlParameter ControlID="txt_SearchLibrary" Name="searchText"
PropertyName="Text" Type="String" />
</SelectParameters>
</asp:SqlDataSource>
second one:
<asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:MyDbConn %>"
SelectCommand="SELECT * FROM [Books] WHERE ([BookName] LIKE '%' + @searchText + '%')">
<SelectParameters>
<asp:ControlParameter ControlID="txt_SearchLibrary" DefaultValue="" Name="searchText"
PropertyName="Text" Type="String" />
</SelectParameters>
</asp:SqlDataSource>
The Text property is probably "" or String.Empty, rather than NULL which you're checking for in your SQL statement.
I have a SqlDataSource that calls a stored procedure and it works fine. If I add a <ControlParameter> tag to add an additional argument, then the query never fires and the databinding never occurs. Suggestions?
This works:
<asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:DefaultDB %>"
SelectCommand="SP_WHATEVER" SelectCommandType="StoredProcedure"
UpdateCommand="SP_WHATEVER2" UpdateCommandType="StoredProcedure">
<SelectParameters>
<asp:SessionParameter DefaultValue="" Name="UserName" SessionField="RP_Program" Type="String" />
</SelectParameters>
<UpdateParameters>
<snip...>
</UpdateParameters>
</asp:SqlDataSource>
When I add the ControlParameter, the databinding no longer occurs:
<asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:DefaultDB %>"
SelectCommand="SP_WHATEVER" SelectCommandType="StoredProcedure"
UpdateCommand="SP_WHATEVER2" UpdateCommandType="StoredProcedure">
<SelectParameters>
<asp:SessionParameter DefaultValue="" Name="UserName" SessionField="RP_Program" Type="String" />
<asp:ControlParameter Name="SprocArgName" ControlID="ddlFilter" PropertyName="SelectedValue" Type="String" />
</SelectParameters>
<UpdateParameters>
<snip...>
</UpdateParameters>
</asp:SqlDataSource>
The ControlParameter refers to a valid object on the page. Any other suggestions?
Most likely one of the parameters is empty or null. Add CancelSelectOnNullParameter="false" to the asp:SqlDataSource and ConvertEmptyStringToNull="true" to both parameters. Once it works, tweak the parameters so that the SP gets what it expects.
Consider a page, when the page loads, nothing shows up.
It works when I pass the querystring in the browser like this:
http://localhost:51765/foo/foo.aspx?ID=c516f4f4-36a9-40a7-baad-d2419ea631b9
I want it to work when the page loads, not when I pass the querystring in the browser.
Can someone help me with this?
<asp:SqlDataSource ID="categoriesDataSource" runat="server"
connectionString="<%$ ConnectionStrings:ConnectionString %>"
SelectCommand="SELECT [CategoryID], [Name] FROM [Categories] WHERE ([UserId] = @UserId) ORDER BY [Name]">
<SelectParameters>
<asp:QueryStringParameter Name="UserId" QueryStringField="ID" />
</SelectParameters>
</asp:SqlDataSource>
<asp:DropDownList ID="categories" runat="server" AutoPostBack="True"
DataSourceID="categoriesDataSource" DataTextField="Name"
AppendDataBoundItems="True" DataValueField="CategoryID">
<asp:ListItem Value="">-- All Albums --</asp:ListItem>
</asp:DropDownList>
<asp:SqlDataSource ID="picturesDataSource" runat="server" ConnectionString="<%$ ConnectionStrings:ConnectionString %>"
SelectCommand="SELECT [PictureID], [Title], [UploadedOn] FROM [Pictures] WHERE UserId = @UserId AND
(CategoryID = @CategoryID Or @CategoryID IS NULL) ORDER BY UploadedOn DESC"
CancelSelectOnNullParameter="False">
<SelectParameters>
<asp:ControlParameter ControlID="categories" Name="CategoryID" PropertyName="SelectedValue"/>
<asp:QueryStringParameter Name="UserId" QueryStringField="ID" />
</SelectParameters>
</asp:SqlDataSource>
<asp:GridView ID="GridView1" runat="server" DataSourceID="picturesDataSource">
</asp:GridView>
It is difficult to answer your question without showing the code of the page or at least explaining what it does. From the url it seems that the page relies on the ID parameter and tries to parse it to a Guid. You need to test whether the ID parameter is passed and use it only in this case:
string id = Request["ID"];
if (!string.IsNullOrEmpty(id))
{
// The ID parameter has been passed => use its value here
}
I have the following SQLDataSource:
<asp:SqlDataSource ID="topicSource" runat="server" ConnectionString="<%$ ConnectionStrings"
SelectCommandType="Text" SelectCommand="SELECT * FROM tbl_Topic WHERE TopicId = @TopicId">
<SelectParameters>
<asp:QueryStringParameter Name="TopicId" QueryStringField="id" />
</SelectParameters>
</asp:SqlDataSource>
Does ASP.NET escape the select parameter for me? If not, what do I do to make it safer to prevent injections?
Yes: in this case, you are fully protected from SQL injection. That's the whole point for having SQL parameters in this fashion.
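Added example, not from the original post: the same query written in ADO.NET, with string concatenation beside the parameterized form, to show why the value bound to `@TopicId` cannot change the statement. It assumes `TopicId` is an integer column; `TopicQuery` and its method names are hypothetical, the inputs are constructed, and no database connection is opened.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class TopicQuery
{
    // Before: the raw query-string value becomes part of the SQL text,
    // so whatever the client sends is parsed as SQL.
    public static string BuildConcatenated(string rawId)
    {
        return "SELECT * FROM tbl_Topic WHERE TopicId = " + rawId;
    }

    // After: the SQL text is constant and the value travels separately as a
    // typed parameter. Non-numeric input is rejected before any command exists.
    public static SqlCommand BuildParameterized(string rawId)
    {
        int topicId;
        if (!int.TryParse(rawId, out topicId)) return null;

        var cmd = new SqlCommand("SELECT * FROM tbl_Topic WHERE TopicId = @TopicId");
        cmd.Parameters.Add("@TopicId", SqlDbType.Int).Value = topicId;
        return cmd;
    }

    public static void Main()
    {
        // Constructed values for the "id" query-string field.
        string[] samples = { "42", "42 OR 1=1", "" };
        foreach (string raw in samples)
        {
            Console.WriteLine("input:         [{0}]", raw);
            Console.WriteLine("concatenated:  {0}", BuildConcatenated(raw));

            SqlCommand cmd = BuildParameterized(raw);
            if (cmd == null)
                Console.WriteLine("parameterized: rejected, not an integer");
            else
                Console.WriteLine("parameterized: {0}  (@TopicId = {1})",
                    cmd.CommandText, cmd.Parameters["@TopicId"].Value);
        }
    }
}
```

On the markup side, adding `Type="Int32"` to the `QueryStringParameter` gives the same typed binding.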