Wrox Programmer Forums

BOOK: Beginning ASP.NET 2.0 BOOK VB ISBN: 978-0-7645-8850-1; C# ISBN: 978-0-470-04258-8
This is the forum to discuss the Wrox book Beginning ASP.NET 2.0 by Chris Hart, John Kauffman, David Sussman, Chris Ullman; ISBN: 9780764588501
#1
January 19th, 2006, 05:57 PM
Registered User (Join Date: Jun 2003; Posts: 5)

Multiple Selects in SQL QueryStrings

While I've been impressed with the ease of building SQL statements with parameters in ASP.NET 2.0, I haven't yet figured out how to take the parameters from a multiple-select listbox control where the number of parameters will vary.

In VBScript and ASP.NET 1.1 I did it by building an SQL statement with a FOR/NEXT loop and concatenation.

Does ASP.NET have a formal, menu-based approach to handling a varying range of parameters?

Also, if I have to use a FOR/NEXT loop on the forms collection, could someone provide an example? I haven't yet figured out how to manipulate an actual SQL querystring directly in 2.0.

Much appreciated.

Joe

Joe G
#2
January 20th, 2006, 07:50 AM
Authorized User (Join Date: Dec 2003; Location: United Kingdom; Posts: 46)

If the number of parameters will vary, then building a SQL statement in code is still an acceptable solution, using techniques you've used previously. One thing you must make sure you do is use parameters though, as this protects against SQL Injection attacks, which can be a big security risk. Don't concatenate the values entered by users directly into the SQL - do a search for "SQL Injection" and you'll find lots of details on it.

ASP.NET doesn't have a formal way of handling multiple parameters if the number of parameters is unknown. How you implement this does depend on what exactly you are trying to do, and what controls you want to use. For example, do you want to have a SqlDataSource with a variable number of parameters, depending upon what the user selects from listboxes? It sounds like you are letting users select a number of columns and you want a SqlDataSource and GridView. If this is the case, then you can do this in code - add parameter objects to the SelectParameters of the SqlDataSource.

Dave

#3
January 20th, 2006, 08:31 AM
Wrox Author (Join Date: Jun 2004; Location: Liskeard, Cornwall, United Kingdom; Posts: 59)

In addition, the PAG group has an outline of best practice on protection from SQL injection. I have worked a little with the PAG group and can testify to their excellent documentation. The article in question can be found here: http://msdn.microsoft.com/library/de...aght000002.asp

Chris

Chris Ullman
Programmer/Technical Author
http://www.cuasp.co.uk
#4
January 20th, 2006, 09:14 AM
Registered User (Join Date: Jun 2003; Posts: 5)

Thanks Dave and Chris. I'm on it.

The reason I buy the Wrox books is because of people like you.

Joe

Joe G
#5
January 20th, 2006, 03:42 PM
Registered User (Join Date: Jun 2003; Posts: 5)

Well, guys, I've been researching the web and reviewing your examples for hours and I just can't make the final step to move the results of my For/Next concatenation on my .vb page into AccessDataSource2 on my .aspx page. I've tried all the parameter options (query string, control, session variable) and just don't get it.

Here's what I have:

Button2 fires sub Button2_Click

Button2_Click receives all the selections and concatenates them into a portion of the SelectCommand property, e.g., "(dbo_NamesView.customer)='Air Canada ' OR (dbo_NamesView.customer)='Airlines ')"

The sub just ends with the variable being created. What do I have to do here to send it back to AccessDataSource2?


Then what do I do in the datasource? Here's one of my tries using queryString.

<asp:AccessDataSource ID="AccessDataSource2" runat="server" DataFile="~/App_Data/InfoTrack.mdb"
    SelectCommand="SELECT [name], [location], [site], [SA], [SDM], [customer] FROM [dbo_NamesView] WHERE ([customer] = ?)">
    <SelectParameters>
        <asp:QueryStringParameter DefaultValue="UHG" Name="customer" QueryStringField="f_customer" Type="String" />
    </SelectParameters>
</asp:AccessDataSource>

Hoping your patience persists.

Joe

Joe G
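The following VB code-behind is an added example, not code from this thread, from the book or from Wrox. It does what Dave's reply (#2) recommends and what Joe's Button2_Click (#5) is trying to do: build the WHERE clause with one placeholder per selected item and hand the values to AccessDataSource2 as Parameter objects, so no user-supplied text is ever concatenated into the SQL. Assumed names (not in the thread): a ListBox called ListBox1 with SelectionMode="Multiple", a GridView called GridView1 bound to AccessDataSource2, and the class name CustomerSearch. The column and table names are taken from Joe's SelectCommand.

```vb
' Added example: VB code-behind for the .aspx page that holds AccessDataSource2.
' Control names ListBox1, GridView1 and Button2, and the class name, are assumptions.
Imports System
Imports System.Collections.Generic
Imports System.Text
Imports System.Web.UI.WebControls

Partial Class CustomerSearch
    Inherits System.Web.UI.Page

    ' Rebuilds SelectCommand with one "?" placeholder per selected customer and
    ' adds a matching Parameter object for each. The selected text only ever
    ' travels as a parameter value, never as part of the SQL string, so a value
    ' containing quotes or SQL keywords is compared literally against [customer]
    ' instead of being parsed as SQL. Returns the command text so it can be logged.
    Public Shared Function ApplyCustomerFilter(ByVal ds As AccessDataSource, _
                                               ByVal customers As IList(Of String)) As String
        Const baseSelect As String = _
            "SELECT [name], [location], [site], [SA], [SDM], [customer] FROM [dbo_NamesView]"

        ' Drop any parameters declared in the markup (e.g. the QueryStringParameter);
        ' otherwise their count would no longer match the number of placeholders.
        ds.SelectParameters.Clear()

        If customers.Count = 0 Then
            ds.SelectCommand = baseSelect   ' nothing selected: no WHERE clause at all
            Return ds.SelectCommand
        End If

        Dim sql As New StringBuilder(baseSelect)
        sql.Append(" WHERE [customer] IN (")
        For i As Integer = 0 To customers.Count - 1
            If i > 0 Then sql.Append(", ")
            ' Jet/OLE DB placeholders are positional, so the order of the
            ' SelectParameters.Add calls must match the order of the "?" marks.
            sql.Append("?")
            ds.SelectParameters.Add(New Parameter("customer" & i, TypeCode.String, customers(i)))
        Next
        sql.Append(")")

        ds.SelectCommand = sql.ToString()
        Return ds.SelectCommand
    End Function

    Protected Sub Button2_Click(ByVal sender As Object, ByVal e As EventArgs) Handles Button2.Click
        ' Collect the values the user ticked in the multiple-select list box.
        Dim chosen As New List(Of String)
        For Each item As ListItem In ListBox1.Items
            If item.Selected Then chosen.Add(item.Value)
        Next

        ApplyCustomerFilter(AccessDataSource2, chosen)

        ' Ask the bound GridView to re-query the data source with the new command.
        GridView1.DataBind()
    End Sub
End Class
```

`[customer] IN (?, ?, ?)` is equivalent to the chain of `OR` comparisons Joe describes, just with one placeholder per value. Because the code now supplies every parameter, the `<asp:QueryStringParameter>` in the markup can be removed; if it stays, the `Clear()` call discards it on each click so the parameter count still matches the placeholders. The final `GridView1.DataBind()` is the step Chris mentions: without it, the grid keeps showing the result of the previous query.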
#6
January 30th, 2006, 06:16 AM
Wrox Author (Join Date: Jun 2004; Location: Liskeard, Cornwall, United Kingdom; Posts: 59)

Hi Joe,
We haven't forgotten you or lost patience. It's a bit trickier when the error's in your own code, rather than the book. I was hoping Dave would jump in on this one (it's more his area). I'm wondering if it's databinding, and you just need to call the DataBind() method of the DataSource (this would be my 1.1-centric suggestion). Have you had any luck solving it yourself?

Chris

Chris Ullman
Programmer/Technical Author
http://www.cuasp.co.uk
#7
January 30th, 2006, 07:01 AM
Authorized User (Join Date: Dec 2003; Location: United Kingdom; Posts: 46)

I'm on the case on this one Chris; I should have posted something. Joe & I have taken it out of the forums, as it's technically not directly related to the book. We'll post more details once we have a solution, then everyone can benefit.

Dave

Powered by vBulletin®
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
© 2013 John Wiley & Sons, Inc.