Problems using SQL in conjunction with ASP.NET - asp.net

Sorry, I am new to this, but here's what I'm trying to do.
This is what I currently have:
<asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:ConnectionString %>" SelectCommand="SELECT * FROM [Products]"></asp:SqlDataSource>
but what I'm trying to do is this:
SELECT * FROM [Products] WHERE category = categorylabel.Text
I have a column in my database called category, and I want only the data whose category matches a category in a hidden label (or a session) called categorylabel.Text. To do this, the label gets updated with the session. It may be unnecessary, but I couldn't think of how else to do it.
So how would I go about using my session to make the SqlDataSource1 only display the data in the Products database that has a category matching that session?
Thanks a lot for the help!

Try this one:
<asp:SqlDataSource ID="SqlDataSource1"
runat="server"
ConnectionString="<%$ ConnectionStrings:ConnectionString %>"
SelectCommand="SELECT * FROM [Products] WHERE category=@category">
<SelectParameters>
<asp:ControlParameter ControlID="categorylabel" Name="category" PropertyName="Text" Type="String" />
</SelectParameters>
</asp:SqlDataSource>

Related

using full text search with a sqldatasource

I'm having issues with using a full text search with an SqlDataSource.
<asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:ApplicationServices %>"
SelectCommand="SELECT 1, 2, 3 FROM table WHERE CONTAINS(2, @text)">
<SelectParameters>
<asp:ControlParameter ControlID="tbOCRSearch" Name="text"
Type="String" DefaultValue="" PropertyName="Text" />
</SelectParameters>
</asp:SqlDataSource>
This works great if I only put in one search term. However, if I put in two terms it throws an error.
However, if I put "termone termtwo" in double quotes the query works.
How can I modify my SelectCommand to add the double quotes?
Solved.
Took me a few hours of looking. In the SqlDataSource we need to add an OnSelecting event.
<asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:ApplicationServices %>"
SelectCommand="SELECT 1, 2, 3 FROM table WHERE CONTAINS(2, @text)"
OnSelecting="SqlDataSource1_Selecting">
<SelectParameters>
<asp:ControlParameter ControlID="tbOCRSearch" Name="text"
Type="String" DefaultValue="" PropertyName="Text" />
</SelectParameters>
</asp:SqlDataSource>
Then in the code-behind you'll need one of these. You can then add the quotes around the text.
protected void SqlDataSource1_Selecting(object sender, SqlDataSourceSelectingEventArgs e)
{
// The SQL Server provider prefixes parameter names with "@"
e.Command.Parameters["@text"].Value = "\"" + tbOCRSearch.Text + "\"";
}
And now everything works like it should.

How to pass session value in a query from .aspx code?

I want to pass a session value from the .aspx code, i.e. the source code of the web page.
<asp:SqlDataSource ID="SqlDataSource1" runat="server"
ConnectionString="<%$ ConnectionStrings:ConnectionString %>"
SelectCommand="SELECT Album.AlbumID, Album.DefaultPhotID, Album.AlbumName, PhotAlbum.Photo FROM Album INNER JOIN PhotAlbum ON Album.DefaultPhotID = PhotAlbum.PhotoID where userid=<% Session["UserId"] %>">
</asp:SqlDataSource>
I am doubtful if this code will work.
Use SessionParameter with SelectParameters to pass Session values
MSDN Doc
<asp:SqlDataSource ID="SqlDataSource1" runat="server"
ConnectionString="<%$ ConnectionStrings:ConnectionString %>"
SelectCommand="SELECT Album.AlbumID, Album.DefaultPhotID, Album.AlbumName, PhotAlbum.Photo FROM Album INNER JOIN PhotAlbum ON Album.DefaultPhotID = PhotAlbum.PhotoID where userid=@userid">
<SelectParameters>
<asp:SessionParameter Name="userid" Type="String" SessionField="UserId" />
</SelectParameters>
</asp:SqlDataSource>

Dynamic SelectCommand that Changes View based on DDL

Here's a dropdown list I have...
<asp:DropDownList
ID="selectTimeFrame"
runat="server"
AutoPostBack="true"
DataTextField="Increment"
DataValueField="Increment"
DataSourceID="SqlTimeFrame">
</asp:DropDownList>
And its datasource:
<asp:SqlDataSource
ID="SqlTimeFrame"
runat="server"
ConnectionString="<% connectionstring %>"
SelectCommand="Select [IncrementID], [Increment] FROM [TimeFrame] ORDER BY [IncrementID]" >
</asp:SqlDataSource>
and then I have a gridview, whose datasource looks like:
<asp:SqlDataSource ID="SqlDataSource2" runat="server" ConnectionString="<% connectinstring %>"
ProviderName="<% connectionstring %>"
SelectCommand="SELECT * FROM @TimeFrame">
<SelectParameters>
<asp:ControlParameter ControlID="selectTimeFrame"
Name="TimeFrame"
PropertyName="SelectedValue"
Type="String" />
</SelectParameters>
</asp:SqlDataSource>
And obviously the place where I'm having problems is the fact that " FROM #TimeFrame " doesn't do what I want to. I have Different views whose names correspond to different timeframes, and I want to be able to change the gridview to populate with that information based off of the option a user selects via the dropdown menu. Any insight would be much appreciated... THANKS!! :D
You could use dynamic SQL to achieve what you're looking for, although you would need to test this very thoroughly to prevent SQL injection attacks, as we can never trust the input being received from users.
I've created a simple stored proc which checks whether the table exists in the db and if so it constructs and executes your dynamic SQL statement:
Stored procedure:
CREATE PROCEDURE dbo.GetData
@TableName NVARCHAR(200)
AS
BEGIN
IF OBJECT_ID(@TableName , N'U') IS NOT NULL
BEGIN
EXEC('SELECT * FROM ' + @TableName);
END
END
ASPX:
<asp:DropDownList ID="selectTimeFrame" runat="server" AutoPostBack="true" DataTextField="Increment"
DataValueField="Increment" DataSourceID="SqlTimeFrame" />
<asp:SqlDataSource ID="SqlTimeFrame" runat="server" ConnectionString="<%$ ConnectionStrings:connectionstring %>"
SelectCommand="Select [IncrementID], [Increment] FROM [TimeFrame] ORDER BY [IncrementID]">
</asp:SqlDataSource>
<asp:SqlDataSource ID="dynamicDS" runat="server" ConnectionString="<%$ ConnectionStrings:connectionstring %>"
SelectCommand="GetData" SelectCommandType="StoredProcedure">
<SelectParameters>
<asp:ControlParameter ControlID="selectTimeFrame" Name="TableName" PropertyName="SelectedValue"
Type="String" />
</SelectParameters>
</asp:SqlDataSource>
<asp:GridView ID="gvData" DataSourceID="dynamicDS" runat="server">
</asp:GridView>
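A hardened variant of the stored procedure from the answer above, added here as an example; it is not the answer's own code. It assumes SQL Server and that the tables and views the dropdown may select live in schema dbo. It differs from the original in three ways: the name is looked up in sys.objects as a plain parameterised comparison before anything is concatenated, both user tables and views are accepted (the question mentions views, which OBJECT_ID(@TableName, N'U') does not match), and the identifier is wrapped with QUOTENAME so the concatenated text can only ever name one object and never carry additional SQL.

```sql
-- Added example (not the answer's code): allow-list the name against the
-- catalog, then build the dynamic statement from a properly quoted identifier.
-- Assumption: the tables/views exposed to the dropdown live in schema dbo.
CREATE PROCEDURE dbo.GetData
    @TableName sysname
AS
BEGIN
    SET NOCOUNT ON;

    -- Accept the name only if it is an existing user table ('U') or view ('V')
    -- in dbo. This is an ordinary parameterised lookup, so the raw value is
    -- never part of any SQL text until it has been validated.
    IF NOT EXISTS (
        SELECT 1
        FROM sys.objects
        WHERE name = @TableName
          AND schema_id = SCHEMA_ID(N'dbo')
          AND type IN ('U', 'V'))
    BEGIN
        RAISERROR(N'Unknown table or view: %s', 16, 1, @TableName);
        RETURN;
    END;

    -- QUOTENAME brackets the identifier and doubles any ] inside it, so the
    -- resulting text is a single identifier and cannot close it early to
    -- append further statements.
    DECLARE @Sql NVARCHAR(MAX) =
        N'SELECT * FROM dbo.' + QUOTENAME(@TableName) + N';';

    EXEC sys.sp_executesql @Sql;
END;
GO
```

The ASPX markup in the answer (SelectCommandType="StoredProcedure" with a ControlParameter named TableName) works unchanged with this version. Note that ownership chaining does not apply to dynamic SQL, so the account in the connection string still needs SELECT permission on each view it is meant to read; grant exactly those and nothing more, so that even a name that passes the catalog lookup can only reach data the application account was meant to see.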

passing querystring

Consider a page, when the page loads, nothing shows up.
It works when I pass the querystring in the browser like this:
http://localhost:51765/foo/foo.aspx?ID=c516f4f4-36a9-40a7-baad-d2419ea631b9
I want it to work when the page loads, not when I pass the querystring in the browser.
Can someone help me with this?
<asp:SqlDataSource ID="categoriesDataSource" runat="server"
ConnectionString="<%$ ConnectionStrings:ConnectionString %>"
SelectCommand="SELECT [CategoryID], [Name] FROM [Categories] WHERE ([UserId] = @UserId) ORDER BY [Name]">
<SelectParameters>
<asp:QueryStringParameter Name="UserId" QueryStringField="ID" />
</SelectParameters>
</asp:SqlDataSource>
<asp:DropDownList ID="categories" runat="server" AutoPostBack="True"
DataSourceID="categoriesDataSource" DataTextField="Name"
AppendDataBoundItems="True" DataValueField="CategoryID">
<asp:ListItem Value="">-- All Albums --</asp:ListItem>
</asp:DropDownList>
<asp:SqlDataSource ID="picturesDataSource" runat="server" ConnectionString="<%$ ConnectionStrings:ConnectionString %>"
SelectCommand="SELECT [PictureID], [Title], [UploadedOn] FROM [Pictures] WHERE UserId = @UserId AND
(CategoryID = @CategoryID Or @CategoryID IS NULL) ORDER BY UploadedOn DESC"
CancelSelectOnNullParameter="False">
<SelectParameters>
<asp:ControlParameter ControlID="categories" Name="CategoryID" PropertyName="SelectedValue"/>
<asp:QueryStringParameter Name="UserId" QueryStringField="ID" />
</SelectParameters>
</asp:SqlDataSource>
<asp:GridView ID="GridView1" runat="server" DataSourceID="picturesDataSource">
</asp:GridView>
It is difficult to answer your question without seeing the code of the page, or at least an explanation of what it does. From the URL it seems that the page relies on the ID parameter and tries to parse it as a Guid. You need to test whether the ID parameter is passed and use it only in that case:
string id = Request["ID"];
if (!string.IsNullOrEmpty(id))
{
// The ID parameter has been passed => use its value here
}

Escaping SelectParameters in ASP.NET

I have the following SQLDataSource:
<asp:SqlDataSource ID="topicSource" runat="server" ConnectionString="<%$ ConnectionStrings"
SelectCommandType="Text" SelectCommand="SELECT * FROM tbl_Topic WHERE TopicId = @TopicId">
<SelectParameters>
<asp:QueryStringParameter Name="TopicId" QueryStringField="id" />
</SelectParameters>
</asp:SqlDataSource>
Does ASP.NET escape the select parameter for me? If not, what do I do to make it safer to prevent injections?
Yes: in this case, you are fully protected from SQL injection. That's the whole point of having SQL parameters in this fashion.
