Well, guys, I've been researching the web and reviewing your examples for hours and I just can't make the final step to move the results of my For/Next concatenation on my .VB page into AccessDataSource2 on my .aspx page. I've tried all the parameter options -- querystring, control, session variable and just don't get it.
Here's what I have:
Button2 fires sub Button2_Click
Button2_Click receives all the selections and concatenates them into a portion of the SelectCommand property, e.g., "(dbo_NamesView.customer)='Air Canada ' OR (dbo_NamesView.customer)='Airlines ')"
The sub just ends with the variable being created. What do I have to do here to send it back to AccessDataSource2?
Then what do I do in the datasource? Here's one of my tries using queryString.
<asp:AccessDataSource ID="AccessDataSource2" runat="server"
    DataFile="~/App_Data/InfoTrack.mdb"
    SelectCommand="SELECT [name], [location], [site], [SA], [SDM], [customer] FROM [dbo_NamesView] WHERE ([customer] = ?)">
    <SelectParameters>
        <asp:QueryStringParameter DefaultValue="UHG" Name="customer" QueryStringField="f_customer" />
    </SelectParameters>
</asp:AccessDataSource>
Hoping your patience persists.
quote:Originally posted by DaveSussman
If the number of parameters will vary, then building a SQL statement in code is still an acceptable solution, using techniques you've used previously. One thing you must make sure you do is use parameters though, as this protects against SQL Injection attacks, which can be a big security risk. Don't concatenate the values entered by users directly into the SQL - do a search for "SQL Injection" and you'll find lots of details on it.
ASP.NET doesn't have a formal way of handling multiple parameters if the number of parameters is unknown. How you implement this does depend on what exactly you are trying to do, and what controls you want to use. For example, do you want to have a SqlDataSource with a variable number of parameters, depending upon what the user selects from listboxes? It sounds like you are letting users select a number of columns and you want a SqlDataSource and GridView. If this is the case, then you can do this in code - add parameter objects to the SelectParameters of the SqlDataSource.
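
An added example, not code from either poster: one way to do what the quoted reply describes, building the WHERE clause in Button2_Click with one "?" placeholder per selected value and adding a matching parameter object to AccessDataSource2.SelectParameters, so no user-selected text is ever concatenated into the SQL. The class name CustomerSearch and the controls ListBox1 and GridView1 are assumptions; AccessDataSource2, Button2 and the SELECT column list come from the post.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Web.UI.WebControls

' Code-behind sketch. CustomerSearch, ListBox1 and GridView1 are assumed names.
Partial Class CustomerSearch
    Inherits System.Web.UI.Page

    ' Fixed SQL text. The only thing ever appended to it is "?" placeholders.
    Private Const BaseSelect As String = _
        "SELECT [name], [location], [site], [SA], [SDM], [customer] FROM [dbo_NamesView]"

    Protected Sub Button2_Click(ByVal sender As Object, ByVal e As EventArgs) _
        Handles Button2.Click

        ' Gather the selected values; they stay data and never become SQL text.
        Dim selected As New List(Of String)
        For Each item As ListItem In ListBox1.Items
            If item.Selected Then selected.Add(item.Value)
        Next

        ' Drop parameters left over from the markup or from a previous click.
        AccessDataSource2.SelectParameters.Clear()

        If selected.Count = 0 Then
            ' Nothing selected: return no rows instead of the whole table.
            AccessDataSource2.SelectCommand = BaseSelect & " WHERE 1 = 0"
        Else
            Dim placeholders As New List(Of String)
            For i As Integer = 0 To selected.Count - 1
                placeholders.Add("?")
                ' The OLE DB provider binds "?" by position, so parameters are
                ' added in the same order as the placeholders. The names only
                ' need to be unique within the collection.
                AccessDataSource2.SelectParameters.Add( _
                    "customer" & i.ToString(), TypeCode.String, selected(i))
            Next
            AccessDataSource2.SelectCommand = BaseSelect & _
                " WHERE [customer] IN (" & _
                String.Join(", ", placeholders.ToArray()) & ")"
        End If

        ' Re-run the query for the bound control.
        GridView1.DataBind()
    End Sub
End Class
```

A value containing a quote or SQL keywords is passed to the provider as a parameter value, so it can only ever be compared against the [customer] column.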