General information
Forum: ASP.NET
Category: Other / Miscellaneous
Thread ID: 01427461
Message ID: 01427579
>>Using what I think of as the Form Designer in Visual Studio.......
>>
>>I dropped a GridView, TextBox, and Button on the form. The grid uses a DataSource named MySql. The code page shows
>>Partial Class _Default
>>    Inherits System.Web.UI.Page
>> 
>>   Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
>>        MySql.SelectCommand = "Select * from test_sched_saves where testresource like '" & TextBox1.Text & "%'"
>>    End Sub
>>
>>End Class
>>
>
>A few things:
>
>Concatenating SQL strings is a bad idea - it opens your code up to SQL injection attacks (imagine someone typing actual SQL commands into the textbox and what that does to your SQL command).
>
>The web page is stateless (it treats each request as though it were the first time the page was running), although ASP.NET plays some games to hide this fact from you. That means when you click on a page # it posts back to the page and reruns the SelectCommand that is in your SqlDataSource. When you change it via the Click event it only changes it for that single postback (which is why it's "lost" when you then click on the page #).
>
>You can address both issues by changing the initial SelectCommand in your ASPX page to something like this:
>
>
>(missing code here)
>SelectCommand="Select * from test_sched_saves where testresource like @Resource" onselecting="SqlDataSource1_Selecting">
><SelectParameters>
>  <asp:FormParameter Name="Resource" />
></SelectParameters>
>
>
>Then change your button click to:
>
>
> Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
>   Me.GridView1.DataBind()
> End Sub
>
>
>And you'll need to add a handler for the Selecting event
>
>
>Protected Sub SqlDataSource1_Selecting(ByVal sender As Object, ByVal e As SqlDataSourceSelectingEventArgs) Handles SqlDataSource1.Selecting
>   e.Command.Parameters("@Code").Value = TextBox1.Text & "%"
>End Sub
>
>
>(hopefully that code works, I usually use C# so my VB is pretty rusty)
>
>Essentially what you're doing in the button click is forcing the grid to requery its data source. Any time the SQL datasource is requeried, our code in SqlDataSource1_Selecting is called. We fill in the parameter with the value from the textbox (you may need to rename these things to match your controls). By using a parameter here we avoid the whole SQL injection issue.
>
>HTH

Paul,

In the selecting event you meant
Protected Sub SqlDataSource1_Selecting(ByVal sender As Object, ByVal e As SqlDataSourceSelectingEventArgs) Handles SqlDataSource1.Selecting
   e.Command.Parameters("@Resource").Value = TextBox1.Text
End Sub
Also I would put % in the SelectCommand instead.
If it's not broken, fix it until it is.
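The following is an added example, not code from either poster in this thread. It puts the three variants discussed above side by side in runnable form: the concatenated SelectCommand from the original Button1_Click, the parameterised query with the wildcard appended to the value (Paul's version), and the parameterised query with the wildcard in the SQL text (the follow-up's preference). Python's sqlite3 module stands in for the VB.NET/SqlDataSource/SQL Server stack so that it runs offline; the table name test_sched_saves and column testresource are taken from the thread, while the sample rows, the injection payload and the fourth, LIKE-escaping variant are constructed here. SQLite concatenates with ||, where T-SQL would write @Resource + '%'.

```python
"""Added example (not from the thread): concatenated vs parameterised LIKE
queries against an in-memory SQLite table that stands in for the SQL Server
table test_sched_saves. Sample rows are constructed for the demo."""
import sqlite3

# Constructed sample data: only the column the thread's query touches.
# The last row exists to show what a successful injection exposes.
SAMPLE_ROWS = [
    ("alpha-01",),
    ("alpha-02",),
    ("beta-01",),
    ("zzz-not-for-prefix-search",),
]


def make_db():
    """Create the stand-in table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test_sched_saves (testresource TEXT)")
    conn.executemany("INSERT INTO test_sched_saves VALUES (?)", SAMPLE_ROWS)
    return conn


def search_concat(conn, text):
    """The original Button1_Click logic: user text glued into the SQL string.
    Deliberately vulnerable; a quote in `text` ends the literal early."""
    sql = ("SELECT testresource FROM test_sched_saves "
           "WHERE testresource LIKE '" + text + "%'")
    return sorted(r[0] for r in conn.execute(sql))


def search_param_wildcard_in_value(conn, text):
    """Paul's version: the query is parameterised and '%' is appended to the
    bound value (the e.Command.Parameters(...).Value = TextBox1.Text & "%"
    line). The user text can no longer change the SQL."""
    sql = "SELECT testresource FROM test_sched_saves WHERE testresource LIKE ?"
    return sorted(r[0] for r in conn.execute(sql, (text + "%",)))


def search_param_wildcard_in_sql(conn, text):
    """The follow-up's preference: '%' lives in the SQL, the value stays raw.
    SQLite spells the concatenation ? || '%'; T-SQL would be @Resource + '%'."""
    sql = ("SELECT testresource FROM test_sched_saves "
           "WHERE testresource LIKE ? || '%'")
    return sorted(r[0] for r in conn.execute(sql, (text,)))


def search_param_escaped(conn, text):
    """Parameterised AND LIKE-metacharacter safe. Parameters stop injection,
    but a user typing '%' or '_' still gets wildcard behaviour; escaping them
    and declaring the escape character makes the prefix match literal."""
    escaped = (text.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = ("SELECT testresource FROM test_sched_saves "
           "WHERE testresource LIKE ? ESCAPE '\\'")
    return sorted(r[0] for r in conn.execute(sql, (escaped + "%",)))


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR 1=1 --"   # constructed injection string
    print("concat, normal input :", search_concat(db, "alpha"))
    print("concat, injected     :", search_concat(db, payload))
    print("param, injected      :", search_param_wildcard_in_value(db, payload))
    print("param, '%' typed     :", search_param_wildcard_in_value(db, "%"))
    print("param+escape, '%'    :", search_param_escaped(db, "%"))
```

Run it and the concatenated version returns every row for the injected input, because the closing quote and the `--` comment rewrite the WHERE clause; both parameterised versions return nothing for that same input, since the whole string is compared as data. The last two lines show the remaining caveat that parameters alone do not address: a bare `%` typed into the textbox still matches every row unless LIKE metacharacters are escaped.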