I have the following SQLDataSource:
<asp:SqlDataSource ID="topicSource" runat="server" ConnectionString="<%$ ConnectionStrings"
SelectCommandType="Text" SelectCommand="SELECT * FROM tbl_Topic WHERE TopicId = #TopicId">
<SelectParameters>
<asp:QueryStringParameter Name="TopicId" QueryStringField="id" />
</SelectParameters>
</asp:SqlDataSource>
Does ASP.NET escape the select parameter for me? If not, what do I do to make it safer to prevent injections?
Yes: in this case, you are fully protected from SQL injection. That's the whole point for having SQL parameters in this fashion.
Related
I'm having issues with using a full text search with an sqldatasource.
<asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:ApplicationServices %>"
SelectCommand="SELECT 1, 2, 3 FROM table WHERE CONTAINS(2, #text)">
<SelectParameters>
<asp:ControlParameter ControlID="tbOCRSearch" Name="text"
Type="String" DefaultValue="" PropertyName="Text" />
</SelectParameters>
This works great if I only put in one search term. However if I put in two terms it throws an error.
However if I put "termone termtwo" in double quotes the query works.
how can I modify my selectcommand to add the doublequotes?
Solved.
Took me a few hours of looking. In the sqldatasource we need to add a OnSelecting event.
<asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:ApplicationServices %>"
SelectCommand="SELECT 1, 2, 3 FROM table WHERE CONTAINS(2, #text)"
OnSelecting="SqlDataSource1_Selecting">
<SelectParameters>
<asp:ControlParameter ControlID="tbOCRSearch" Name="text"
Type="String" DefaultValue="" PropertyName="Text" />
</SelectParameters>
Then in the code behind you'll need one of these. You can then add the quotes around the text.
protected void SqlDataSource1_Selecting(object sender, SqlDataSourceSelectingEventArgs e)
{
e.Command.Parameters["#text"].Value = "\"" + tbOCRSearch.Text + "\"";
}
And now everything works like it should.
Sorry I am new to this, but heres what I'm trying to do.
This is what I currently have
<asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:ConnectionString %>" SelectCommand="SELECT * FROM [Products]"></asp:SqlDataSource>
but what Im trying to do is this
SELECT * FROM [Products] WHERE category = categorylabel.Text
I have a column in my database called category, and I want only the data thats category type matches a category in a hidden label (or a session) called categorylabel.Text to do this, the label gets updated with the session. It may be unncessary but I couldnt think of how else to do it.
So how would I go about using my session, to make the SqlDataSource1 only display the data in the Products database that has a category matching that session?
Thanks a lot for the help!
Try this one:
<asp:SqlDataSource ID="SqlDataSource1"
runat="server"
ConnectionString="<%$ ConnectionStrings:ConnectionString %>"
SelectCommand="SELECT * FROM [Products] WHERE category=#category">
<SelectParameters>
<asp:ControlParameter ControlID="categorylabel" Name="category" PropertyName="Text" Type="String" />
</SelectParameters>
</asp:SqlDataSource>
I want to pass session value from .aspx code , i.e the source code of the web
<asp:SqlDataSource ID="SqlDataSource1" runat="server"
ConnectionString="<%$ ConnectionStrings:ConnectionString %>"
SelectCommand="SELECT Album.AlbumID, Album.DefaultPhotID, Album.AlbumName, PhotAlbum.Photo FROM Album INNER JOIN PhotAlbum ON Album.DefaultPhotID = PhotAlbum.PhotoID where userid=<% Session["UserId"] %>">
</asp:SqlDataSource>
I am doubtful if this code will work.
Use SessionParameter with SelectParameters to pass Session values
MSDN Doc
<asp:SqlDataSource ID="SqlDataSource1" runat="server"
ConnectionString="<%$ ConnectionStrings:ConnectionString %>"
SelectCommand="SELECT Album.AlbumID, Album.DefaultPhotID, Album.AlbumName, PhotAlbum.Photo FROM Album INNER JOIN PhotAlbum ON Album.DefaultPhotID = PhotAlbum.PhotoID where userid=#userid">
<SelectParameters>
<asp:SessionParameter Name="userid" Type="String" SessionField="UserId" />
</SelectParameters>
</asp:SqlDataSource>
Here's a dropdown list I have...
<asp:DropDownList
ID="selectTimeFrame"
runat="server"
AutoPostBack="true"
DataTextField="Increment"
DataValueField="Increment"
DataSourceID="SqlTimeFrame"
</asp:DropDownList>
And its datasource:
<asp:SqlDataSource
ID="SqlTimeFrame"
runat="server"
ConnectionString="<% connectionstring %>"
SelectCommand="Select [IncrementID], [Increment] FROM [TimeFrame] ORDER BY [IncrementID]" >
</asp:SqlDataSource>
and then I have a gridview, whos datasource looks like:
<asp:SqlDataSource ID="SqlDataSource2" runat="server" ConnectionString="<% connectinstring %>"
ProviderName="<% connectionstring %>"
SelectCommand="SELECT * FROM #TimeFrame">
<SelectParameters>
<asp:ControlParameter ControlID="selectTimeFrame"
Name="TimeFrame"
PropertyName="SelectedValue"
Type="String" />
</SelectParameters>
And obviously the place where I'm having problems is the fact that " FROM #TimeFrame " doesn't do what I want to. I have Different views whose names correspond to different timeframes, and I want to be able to change the gridview to populate with that information based off of the option a user selects via the dropdown menu. Any insight would be much appreciated... THANKS!! :D
You could use dynamic SQL to achieve what you're looking for although you would need to test this very thorughly to prevent SQL injection attacks as we can never trust the input being received from users.
I've created a simple stored proc which checks whether the table exists in the db and if so it constructs and executes your dynamic SQL statement:
Stored procedure:
CREATE PROCEDURE dbo.GetData
#TableName NVARCHAR(200)
AS
BEGIN
IF OBJECT_ID(#TableName , N'U') IS NOT NULL
BEGIN
EXEC('SELECT * FROM ' + #TableName);
END
END
ASPX:
<asp:DropDownList ID="selectTimeFrame" runat="server" AutoPostBack="true" DataTextField="Increment"
DataValueField="Increment" DataSourceID="SqlTimeFrame" />
<asp:SqlDataSource ID="SqlTimeFrame" runat="server" ConnectionString="<%$ ConnectionStrings:connectionstring %>"
SelectCommand="Select [IncrementID], [Increment] FROM [TimeFrame] ORDER BY [IncrementID]">
</asp:SqlDataSource>
<asp:SqlDataSource ID="dynamicDS" runat="server" ConnectionString="<%$ ConnectionStrings:connectionstring %>"
SelectCommand="GetData" SelectCommandType="StoredProcedure">
<SelectParameters>
<asp:ControlParameter ControlID="selectTimeFrame" Name="TableName" PropertyName="SelectedValue"
Type="String" />
</SelectParameters>
</asp:SqlDataSource>
<asp:GridView ID="gvData" DataSourceID="dynamicDS" runat="server">
</asp:GridView>
I am using the stored procedure below for the select command of a SqlDataSource, and I'm trying to pass a query string parameter, but I get this error:
Procedure or function 'ActivationCampaignGetById' expects parameter '#campaignId', which was not supplied.
The parameter is present in the query string:
http://localhost:62681/Activations/ActivationCampaignDetails.aspx?id=98
Here is my DataSource code:
<asp:SqlDataSource ID="campaignDataSource" runat="server" ConflictDetection="CompareAllValues"
ConnectionString="<%$ ConnectionStrings:ProVantageMediaManagement %>"
SelectCommand="ActivationCampaignGetById" SelectCommandType="StoredProcedure">
<SelectParameters>
<asp:QueryStringParameter DefaultValue="98" Name="campaignId"
QueryStringField="id" Type="Int32" />
</SelectParameters>
</asp:SqlDataSource>
And my stored procedure declaration:
ALTER procedure [dbo].[ActivationCampaignGetById]
#campaignId int
as
select
Not sure this will helps, but you need to set the parameter direction to Input:
<asp:QueryStringParameter DefaultValue="98" Name="campaignId"
Direction="Input" QueryStringField="id" Type="Int32" />