From: gerryR on 17 Mar 2010 06:25

Hi All

I have a simple aspx page (vb) that pulls info out of an excel sheet. I'm trying to pass a condition through a link to narrow down the results. Basically we have 4 areas and rather than have 4 separate pages I'd like to have 4 links instead.

At the min my link is

    contacts.aspx?area=north

But my problem is how do I get that area into my sql statement.

I've tried creating a function in my code behind to return the area

    Function passCondition()
        Dim link As String
        link = Request.QueryString("area")
        Return link
    End Function

And then pass that function into my sql command in the asp page

    SelectCommand="SELECT * FROM [range] Where Province=passCondition()">

But all to no avail, I've tried multiple variations of that and several alternatives but nothing.

As you can prob tell I'm fairly new to all this so really appreciate a point in the right direction.

Many thanks
gR
From: Paul Shapiro on 17 Mar 2010 07:36

"gerryR" <gerryr(a)SPMANOgerryr.com> wrote in message news:eHcp9wbxKHA.2436(a)TK2MSFTNGP04.phx.gbl...
> I have a simple aspx page (vb) that pulls info out of an excel sheet. I'm
> trying to pass a condition through a link to narrow down the results.
> Basically we have 4 areas and rather than have 4 separate pages I'd like
> to have 4 links instead.
>
> At the min my link is
>
>     contacts.aspx?area=north
>
> But my problem is how do I get that area into my sql statement.
>
> I've tried creating a function in my code behind to return the area
>
>     Function passCondition()
>         Dim link As String
>         link = Request.QueryString("area")
>         Return link
>     End Function
>
> And then pass that function into my sql command in the asp page
>
>     SelectCommand="SELECT * FROM [range] Where Province=passCondition()">
>
> But all to no avail, I've tried multiple variations of that and several
> alternatives but nothing.

If you look at your SelectCommand in the debugger you'll see that the text is exactly as you show it above, with passCondition() as literal text. You need to concatenate your condition, and include the text delimiters:

    SelectCommand="SELECT * FROM [range] Where Province='" + passCondition() + "'"

You should also look up command parameters, because concatenating free text into a sql statement opens your application to serious sql injection security vulnerabilities.
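A parameterised version of the SqlDataSource that Paul's last paragraph points at, with the query string value checked against the known areas before the query runs. This is an added example, not code from the thread; it assumes a connection string named ExcelContacts in web.config, an OLE DB provider for the workbook (which takes positional "?" placeholders), and that the four areas are north, south, east and west (only north and south appear in the thread).

```aspx
<%@ Page Language="VB" %>
<script runat="server">
    ' Assumed: the four areas the links point at (only north/south appear in the thread).
    Private Shared ReadOnly AllowedAreas As String() = New String() {"north", "south", "east", "west"}

    ' Fires before the SELECT is sent. The value is already bound as a parameter, so it
    ' can never alter the SQL text; this check additionally rejects anything that is
    ' not one of the known areas (defence in depth, and a clearer error for the user).
    Protected Sub ContactsSource_Selecting(ByVal sender As Object, ByVal e As SqlDataSourceSelectingEventArgs)
        Dim area As String = Convert.ToString(e.Command.Parameters(0).Value)
        If String.IsNullOrEmpty(area) OrElse Array.IndexOf(AllowedAreas, area.Trim().ToLowerInvariant()) < 0 Then
            e.Cancel = True                     ' no query is executed at all
            ErrorLabel.Text = "Unknown area."   ' do not echo the raw value back to the page
        End If
    End Sub
</script>

<html><body><form runat="server">
    <asp:Label ID="ErrorLabel" runat="server" />

    <!-- The ?area=north value is passed as a parameter, not pasted into the SQL string. -->
    <asp:SqlDataSource ID="ContactsSource" runat="server"
        ProviderName="System.Data.OleDb"
        ConnectionString="<%$ ConnectionStrings:ExcelContacts %>"
        SelectCommand="SELECT * FROM [range] WHERE Province = ?"
        OnSelecting="ContactsSource_Selecting">
        <SelectParameters>
            <asp:QueryStringParameter Name="Province" QueryStringField="area" Type="String" />
        </SelectParameters>
    </asp:SqlDataSource>

    <asp:GridView ID="ContactsGrid" runat="server" DataSourceID="ContactsSource" />
</form></body></html>
```

With SqlClient instead of OLE DB the placeholder would be a named @Province matching the parameter Name; the QueryStringParameter and the Selecting check stay the same.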
From: Mr. Arnold on 17 Mar 2010 09:36

gerryR wrote:
> Hi All
>
> I have a simple aspx page (vb) that pulls info out of an excel sheet. I'm
> trying to pass a condition through a link to narrow down the results.
> Basically we have 4 areas and rather than have 4 separate pages I'd like to
> have 4 links instead.
>
> At the min my link is
>
>     contacts.aspx?area=north
>
> But my problem is how do I get that area into my sql statement.
>
> I've tried creating a function in my code behind to return the area
>
>     Function passCondition()
>         Dim link As String
>         link = Request.QueryString("area")
>         Return link
>     End Function
>
> And then pass that function into my sql command in the asp page
>
>     SelectCommand="SELECT * FROM [range] Where Province=passCondition()">
>
> But all to no avail, I've tried multiple variations of that and several
> alternatives but nothing.
>
> As you can prob tell I'm fairly new to all this so really appreciate a point
> in the right direction.
>
> Many thanks
> gR

Why don't you do this?

    private dim link as string

at the top of the class. In the page_load method, you do the Querystring to set "link" to the queried value. Then just use the "link" variable which can be seen by all methods of the class.
From: gerryR on 17 Mar 2010 10:31

Thanks all, ended up adding a querystring to the sql command.

Thanks again for the help
gR

"gerryR" <gerryr(a)SPMANOgerryr.com> wrote in message news:eHcp9wbxKHA.2436(a)TK2MSFTNGP04.phx.gbl...
> Hi All
>
> I have a simple aspx page (vb) that pulls info out of an excel sheet. I'm
> trying to pass a condition through a link to narrow down the results.
> Basically we have 4 areas and rather than have 4 separate pages I'd like
> to have 4 links instead.
>
> At the min my link is
>
>     contacts.aspx?area=north
>
> But my problem is how do I get that area into my sql statement.
>
> I've tried creating a function in my code behind to return the area
>
>     Function passCondition()
>         Dim link As String
>         link = Request.QueryString("area")
>         Return link
>     End Function
>
> And then pass that function into my sql command in the asp page
>
>     SelectCommand="SELECT * FROM [range] Where Province=passCondition()">
>
> But all to no avail, I've tried multiple variations of that and several
> alternatives but nothing.
>
> As you can prob tell I'm fairly new to all this so really appreciate a
> point in the right direction.
>
> Many thanks
> gR
From: gerryR on 18 Mar 2010 11:46

"Paul Shapiro" <paul(a)hideme.broadwayData.com> wrote in message news:OsJobYcxKHA.4240(a)TK2MSFTNGP06.phx.gbl...
> "gerryR" <gerryr(a)SPMANOgerryr.com> wrote in message
> news:eHcp9wbxKHA.2436(a)TK2MSFTNGP04.phx.gbl...
>> I have a simple aspx page (vb) that pulls info out of an excel sheet.
>> I'm trying to pass a condition through a link to narrow down the results.
>> Basically we have 4 areas and rather than have 4 separate pages I'd like
>> to have 4 links instead.
>>
>> At the min my link is
>>
>>     contacts.aspx?area=north
>>
>> But my problem is how do I get that area into my sql statement.
>>
>> I've tried creating a function in my code behind to return the area
>>
>>     Function passCondition()
>>         Dim link As String
>>         link = Request.QueryString("area")
>>         Return link
>>     End Function
>>
>> And then pass that function into my sql command in the asp page
>>
>>     SelectCommand="SELECT * FROM [range] Where Province=passCondition()">
>>
>> But all to no avail, I've tried multiple variations of that and several
>> alternatives but nothing.
>
> If you look at your SelectCommand in the debugger you'll see that the text
> is exactly as you show it above, with passCondition() as literal text. You
> need to concatenate your condition, and include the text delimiters:
>
>     SelectCommand="SELECT * FROM [range] Where Province='" + passCondition() + "'"
>
> You should also look up command parameters, because concatenating free text
> into a sql statement opens your application to serious sql injection
> security vulnerabilities.

Hi Paul

Just on your point about the sql injection security issue, are the chances of this also increased when using text in your SQL statements, or is this particular issue only related to concatenating?

I ask as they are now looking for 4 separate pages, so if plain text isn't a problem I'll just use

    SELECT * FROM [range] Where Province="north"
    SELECT * FROM [range] Where Province="south"

etc. Or am I still better to use parameters?

    SELECT * FROM [range] Where Province=@province

Many thanks
gR