Hi,

I have searched for ages trying to find a solution for this but I cannot.

I'm still learning asp.net, so apologies if this is a noobish question, but could somebody please look at my code and tell me what's wrong? I have a small CMS that uses FCKeditor to change the content, but now I need the content to render on the websites using Article.aspx?PageID=value, and when I display the page none of the data is showing. In this case, when the user clicks on the link "Villa Cleaning" it goes to the url "/Article.aspx?PageID=2" and then no data is displayed. On the Article.aspx page I have the following code. I guess I am doing something wrong, since the data won't show from the ID being typed in the url. This was made from a tutorial, so if anyone has another way that works better to achieve the data from the url querystring I am open to suggestions! I am using C# and a SQL Server 2005 DB. Thanks!

<h1><asp:Label ID="TitleLabel" runat="server" Text='<%# Bind("Title") %>' /></h1>
<p>
    PageBody:
    <asp:Label ID="PageBodyLabel" runat="server" Text='<%# Bind("PageBody") %>' />
</p>
<asp:SqlDataSource ID="SqlDataSource1" runat="server"
    ConnectionString="<%$ ConnectionStrings:jkDBConnectionString %>"
    SelectCommand="SELECT [PageID], [Title], [PageBody] FROM [Pages] WHERE ([PageID] = @PageID)">
    <SelectParameters>
        <asp:QueryStringParameter Name="PageID" QueryStringField="PageID" />
    </SelectParameters>
</asp:SqlDataSource>

All 2 Replies

I think you should check the PageID in code behind so you can debug it and see what happens. Like:

// Request.QueryString[...] returns a string, so it has to be parsed to an int
int pid = int.Parse(Request.QueryString["PageID"]);
// control ID must match the markup: SqlDataSource1
SqlDataSource1.SelectCommand = "SELECT PageID, Title, PageBody FROM Pages WHERE PageID = " + pid;
SqlDataSource1.Select(DataSourceSelectArguments.Empty);

and then just databind() whatever needs the selected data..

You should never allow user input to be used inside of the command text of an SQL Statement. Always use parameterized SQL. See 'Using parameters with an SqlDataSource'
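One way to do what the reply above recommends, written as an added example rather than code from the thread: read PageID from the query string, validate it as an integer, and hand it to SqlCommand as a typed parameter so it is never spliced into the SQL text. Setting the Label text from code-behind also sidesteps the Bind() expressions in the markup, which only evaluate inside a data-bound control such as FormView. The class name, the Page_Load handler and the null handling are assumptions; the Pages table, its columns, the jkDBConnectionString name and the two Label IDs come from the question.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

// Hypothetical code-behind for Article.aspx (added example, not from the thread).
public partial class Article : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        // Validate the query-string value before it goes anywhere near SQL.
        int pageId;
        if (!int.TryParse(Request.QueryString["PageID"], out pageId) || pageId <= 0)
        {
            Response.StatusCode = 404;
            return;
        }

        // Unsafe pattern from the thread (user input concatenated into SQL):
        //   "SELECT ... FROM Pages WHERE PageID = " + Request.QueryString["PageID"]
        // Safe pattern: the value travels as a typed parameter, not as SQL text.
        const string sql = "SELECT Title, PageBody FROM Pages WHERE PageID = @PageID";
        string cs = ConfigurationManager
            .ConnectionStrings["jkDBConnectionString"].ConnectionString;

        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@PageID", SqlDbType.Int).Value = pageId;
            conn.Open();
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                if (!rdr.Read())
                {
                    Response.StatusCode = 404; // no such page
                    return;
                }
                // Title is plain text, so encode it for HTML output. PageBody is
                // HTML authored in the CMS editor by a logged-in editor, so it is
                // rendered as stored; the trust boundary is the CMS login.
                TitleLabel.Text = Server.HtmlEncode(Convert.ToString(rdr["Title"]));
                PageBodyLabel.Text = Convert.ToString(rdr["PageBody"]);
            }
        }
    }
}
```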
