I am working on an online project.
I have two links on one of the pages, say the home page: one says Shirts and the other says Casual Shirts.
So when the user clicks on Shirts he will be shown all shirts from the Shirts table for men, and when he selects Casual Shirts he will be shown all casual shirts from the Shirts table for men.
I am using the following code:

<a href="Shirts.aspx?For=Men">Shirts</a>
<a href="Shirts.aspx?For=Men&Type=CasualShirts">Casual Shirts</a>

So when Shirts.aspx is loaded I have written the following code in the Page_Load event:

    // Both values come straight from the query string of the clicked link
    string Type = Request.QueryString["Type"];
    string For = Request.QueryString["For"];
    SqlConnection con = new SqlConnection();
    con.ConnectionString = "Data Source=HP-HP\\SQLEXPRESS;Initial Catalog=OnlineShop;User ID=sa;password=rane@1234";
    con.Open();
    // Query text is built by string concatenation of the query-string values
    SqlCommand cmd = new SqlCommand("Select * from Shirts where ForMW='" + For + "' and Type='" + Type + "'", con);
    SqlDataReader dr = cmd.ExecuteReader();
    DataTable dt = new DataTable();
    dt.Load(dr);
    DataList1.DataSourceID = null;
    DataList1.DataSource = dt;
    DataList1.DataBind();

Now the problem is that I cannot give both queries, i.e. ForMW and Type taken from the QueryString:

    string Type = Request.QueryString["Type"];
    string For = Request.QueryString["For"];

1. Select * from Shirts where ForMW='"+For+"' becomes
   Select * from Shirts where ForMW='Men'
2. Select * from Shirts where ForMW='"+For+"' and Type='"+Type+"'" becomes
   Select * from Shirts where ForMW='Men' and Type='CasualShirts'


So, what is the issue you are having? I am not clear on what you mean by:

Now the problem is that i cannot give Both query ie.

Also, by the way, based on the way you are writing this SQL query, you are very vulnerable to SQL injection.

Edited by JorgeM


First, as @JorgeM said, you really need to look into parameterized queries because right now your site would be extremely vulnerable to hackers.

Second, you should avoid using variable names that are C# keywords or resemble them. "for" is a keyword and "Type" is, well, a type. You could use something a little more descriptive such as "gender" and "shirtStyle" or just "style".

Third, string Type = Request.QueryString["Type"]; may give you an error on a request where you are not passing the type because that query string will not exist. I would probably do something like the following:

Edit: As a word of caution, the following code is from memory, it may not compile without a little tweaking, but it should be close enough to get you going in the right direction with a little research on your part.

string gender = Request.QueryString["For"];
string style = Request.QueryString["Type"] ?? string.Empty; // sets it to an empty string if null

SqlConnection con = new SqlConnection();
con.ConnectionString = "Data Source=HP-HP\\SQLEXPRESS;Initial Catalog=OnlineShop;User ID=sa;password=rane@1234";

// @style = '' matches every style when no Type was passed, so one query serves both links
string query = "Select * from Shirts where ForMW=@gender and (Type=@style OR @style='')";
SqlCommand cmd = new SqlCommand(query, con);
cmd.Parameters.AddWithValue("@gender", gender);
cmd.Parameters.AddWithValue("@style", style);

con.Open();
SqlDataReader dr = cmd.ExecuteReader();
DataTable dt = new DataTable();
dt.Load(dr);
DataList1.DataSourceID = null;
DataList1.DataSource = dt;
DataList1.DataBind();

Edited by nakor77
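The approach in the answer above, written out as a complete Page_Load with disposal and input validation. This is an added example, not code from the thread; it assumes a connection string named "OnlineShop" in web.config and that ForMW only ever holds the values listed in KnownGenders.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class Shirts : Page
{
    // Assumed set of valid ForMW values; anything else is rejected before a query runs.
    private static readonly string[] KnownGenders = { "Men", "Women" };

    // Builds the parameterised command. The values travel as typed parameters, never as
    // SQL text, so a request such as ?Type=' OR 1=1-- is compared literally as a shirt type.
    public static SqlCommand BuildShirtQuery(SqlConnection con, string gender, string style)
    {
        const string sql =
            "SELECT * FROM Shirts " +
            "WHERE ForMW = @gender AND (Type = @style OR @style = '')";
        var cmd = new SqlCommand(sql, con);
        cmd.Parameters.Add("@gender", SqlDbType.NVarChar, 50).Value = gender;
        cmd.Parameters.Add("@style", SqlDbType.NVarChar, 50).Value = style ?? string.Empty;
        return cmd;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        string gender = Request.QueryString["For"];
        string style = Request.QueryString["Type"];   // null when the Shirts link is used

        if (Array.IndexOf(KnownGenders, gender) < 0)
        {
            Response.StatusCode = 400;                // unknown or missing gender: no query
            return;
        }

        // Credentials live in web.config, not in the page source (assumed name: OnlineShop)
        string connStr = ConfigurationManager.ConnectionStrings["OnlineShop"].ConnectionString;
        var dt = new DataTable();
        using (var con = new SqlConnection(connStr))
        using (SqlCommand cmd = BuildShirtQuery(con, gender, style))
        {
            con.Open();
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                dt.Load(dr);                          // reader and connection are closed by using
            }
        }
        DataList1.DataSourceID = null;
        DataList1.DataSource = dt;
        DataList1.DataBind();
    }
}
```

Using SqlDbType with an explicit size keeps the plan cache stable and avoids the type inference of AddWithValue; the OR @style = '' clause is what lets the same command serve both the Shirts and Casual Shirts links.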
