Forum: ASP.NET
Category: Other / Miscellaneous
Thread ID: 01427461
Message ID: 01427767
>>Using what I think of as the Form Designer in Visual Studio.......
>>
>>I dropped a GridView, TextBox, and Button on the form. The grid uses a DataSource named MySql. The code page shows
>>Partial Class _Default
>>    Inherits System.Web.UI.Page
>> 
>>   Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
>>        MySql.SelectCommand = "Select * from test_sched_saves where testresource like '" & TextBox1.Text & "%'"
>>    End Sub
>>
>>End Class
>>
>
>A few things:
>
>Concatenating SQL strings is a bad idea - it opens your code up to SQL injection attacks (imagine someone typing actual SQL commands into the textbox and what that does to your SQL command).
>
I'm pretty sure I understand what you're saying here, but I'd appreciate it if you could expand a bit about the danger for this particular piece of code. Unless there is some macro expansion I don't know about, what could a user type that would cause some sort of problem? I have, after all, hard coded the apostrophes for the LIKE operation, and my assumption was that anything the user types would be passed and examined as a string and not be evaluated. What kind of thing could be entered that would cause a problem?

>The web page is stateless (it treats each request as though it were the first time the page was running), although ASP.NET plays some games to hide this fact from you. That means when you click on a page # it posts back to the page and reruns the SelectCommand that is in your SqlDataSource. When you change it via the Click event it only changes it for that single postback (which is why it's "lost" when you then click on the page #).
>

Thanks for this. My assumption had been that I was doing the equivalent of changing the recordsource and issuing a requery(). I'll try what you've shown and see how far I can get from there.

Thanks..........Rich

>You can address both issues by changing the initial SelectCommand in your ASPX page to something like this:
>
>
>(missing code here)
>SelectCommand="Select * from test_sched_saves where testresource like @Resource" onselecting="SqlDataSource1_Selecting"
><SelectParameters>
>  <asp:Parameter Name="Resource" Type="String" />
></SelectParameters>
>
>
>Then change your button click to:
>
>
> Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
>   Me.GridView1.DataBind()
> End Sub
>
>
>And you'll need to add a handler for the Selecting event
>
>
>' Wired up by onselecting="SqlDataSource1_Selecting" in the markup; adding a
>' Handles clause as well would make the handler run twice per select.
>Protected Sub SqlDataSource1_Selecting(ByVal sender As Object, ByVal e As SqlDataSourceSelectingEventArgs)
>   ' Parameter name must match the @Resource placeholder in SelectCommand
>   e.Command.Parameters("@Resource").Value = TextBox1.Text & "%"
>End Sub
>
>
>(hopefully that code works, I usually use C# so my VB is pretty rusty)
>
>Essentially what you're doing in the button click is forcing the grid to requery its data source. Any time the SQL datasource is requeried, our code in SqlDataSource1_Selecting is called. We fill in the parameter with the value from the textbox (you may need to rename these things to match your controls). By using a parameter here we avoid the whole SQL injection issue.
>
>HTH
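Added example, not part of the thread: a runnable answer to the question above about what a user could type into TextBox1. It is written in Python against an in-memory SQLite database rather than VB.NET and SQL Server so that it runs anywhere; the table and column names come from the posted query, while the rows, the extra app_users table and the payloads are constructed. It puts the concatenated query from Button1_Click next to the parameterized form from the reply, and adds one caveat the thread does not mention: parameters stop injection, but a user-typed % or _ is still a LIKE wildcard unless it is escaped.

```python
import sqlite3

# Constructed sample data (not from the thread). The table name and column
# come from the posted query; the rows and the second table are made up.
SCHEMA = """
CREATE TABLE test_sched_saves (id INTEGER PRIMARY KEY, testresource TEXT, owner TEXT);
CREATE TABLE app_users (username TEXT, password_hash TEXT);
INSERT INTO test_sched_saves (testresource, owner) VALUES
  ('Oven_01', 'rich'), ('Oven_02', 'rich'), ('Scope_A', 'alice');
INSERT INTO app_users VALUES ('admin', 'hash-of-secret');
"""

# What a user could type into TextBox1. Each payload closes the hard-coded
# opening quote with a quote of its own, then uses the trailing %' that the
# code appends as the end of a string literal the attacker now controls.
BREAKOUT = "x' OR testresource LIKE '%"
UNION_DUMP = ("x' UNION SELECT username, password_hash FROM app_users "
              "WHERE 'x' LIKE 'x")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_concatenated(conn, user_text):
    """Same shape as Button1_Click in the thread: the quotes are hard-coded,
    but the text is spliced into the statement and parsed as SQL."""
    sql = ("SELECT testresource, owner FROM test_sched_saves "
           "WHERE testresource LIKE '" + user_text + "%'")
    return sql, conn.execute(sql).fetchall()


def search_parameterized(conn, user_text):
    """Equivalent of the @Resource parameter filled in the Selecting event:
    the statement text is fixed, the value travels separately and is never
    parsed as SQL, whatever quotes it contains."""
    sql = ("SELECT testresource, owner FROM test_sched_saves "
           "WHERE testresource LIKE ?")
    return sql, conn.execute(sql, (user_text + "%",)).fetchall()


def escape_like(user_text, esc="\\"):
    """Parameters stop injection but not LIKE metacharacters: a user typing
    % or _ still widens the match. Escape them so they match literally."""
    return (user_text.replace(esc, esc + esc)
                     .replace("%", esc + "%")
                     .replace("_", esc + "_"))


def search_parameterized_literal(conn, user_text):
    """Parameterized LIKE whose user-supplied prefix is matched literally."""
    sql = ("SELECT testresource, owner FROM test_sched_saves "
           "WHERE testresource LIKE ? ESCAPE '\\'")
    return sql, conn.execute(sql, (escape_like(user_text) + "%",)).fetchall()


def demo():
    """Run every payload through all three query styles; returns the rows."""
    conn = open_db()
    results = {}
    for label, text in [("normal", "Oven"), ("breakout", BREAKOUT),
                        ("union", UNION_DUMP), ("wildcard", "%")]:
        results[label] = {
            "concatenated": search_concatenated(conn, text)[1],
            "parameterized": search_parameterized(conn, text)[1],
            "literal": search_parameterized_literal(conn, text)[1],
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label)
        for mode, rows in outcome.items():
            print("  %-13s -> %d row(s): %s" % (mode, len(rows), rows))
```

With the concatenated query, BREAKOUT returns every row in the table and UNION_DUMP returns the admin row from app_users, because the quote the user typed ends the string the code opened and everything after it is executed as SQL. The same text sent as a parameter matches nothing, since no testresource begins with it. A payload of the form `'; DROP TABLE ...` is not shown because Python's sqlite3 refuses more than one statement per execute; SQL Server runs a SqlCommand batch containing several statements, so against the original page that payload would execute too. The last case shows the remaining caveat: a bare `%` sent as a parameter still matches all rows, while the ESCAPE variant matches only a literal percent sign.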