Last post Jan 07, 2008 06:11 AM by prince_prince_23
Jun 16, 2006 04:41 PM|nbgd_28|LINK
I have a problem with the
The thing that I try to do is to create a SQL statement.
I am not sure if this can be done or not (just started asp.net).
Something like this:
Dim Test1 As String
Dim Test2 As String
Dim Test3 As String
Dim Test4 As String
Test1 = Request("xmbr")
Test2 = Request("xSEL")
Test3 = Request("xpro")
Test4 = "SELECT [jedan], [dva], [tri], [cetiri], [pet] FROM [pet1] where " & (Test1) & " " & (Test2) & "'" & (Test3) & "'"
<asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:FinGateConnectionString %>" SelectCommand="<%= Test4%>">
The problem is that it is giving me an error that I can’t figure out.
An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Line 1: Incorrect syntax near '<'.
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Jun 16, 2006 05:36 PM|augustwind|LINK
First off - you're trying to use inline codeblocks, it seems, like in the old Classic ASP days. It's no longer done this way in ASP.Net. Since ASP.Net is event-driven, all code is in event handlers (subs/functions). In this case, what you'd probably need to do is to create/Dim some global variables in your page (outside any events), and inside the Page_Load event, assign the variable names, just like you did
Therefore, you would not use a code block segment, either, in the SelectCommand property of a SQLDataSource control. That is for the SQL statement or Stored Procedure name only.
Also - if you haven't heard about SQL Injection attacks, you need to learn now. Instead of using concatenated SQL statements, the answer to SQL Injection attacks, in this case, is parameterized queries. Check out this 2-part tutorial on Parameterized Queries
That being said, you can use a SQL statement (Select [Field list] from [Table name] where
Then, inside your SQLDataSource, use the parameters section to assign where the data for each parameter is coming from.
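An added example, not part of the original reply: one way to apply the advice above to the query from the question, in a Page_Load handler. The page class name PetSearch, the two allowlists, the Pick helper and the parameter name xpro are assumptions made for illustration; SqlDataSource1 is assumed to be declared in the markup with the ConnectionString from the question and no SelectCommand. Because xmbr and xSEL supply a column name and an operator, which cannot be passed as SQL parameters, they are matched against fixed allowlists, and only xpro is sent as a parameter.

```vbnet
Imports System
Imports System.Web

' Code-behind for a page (hypothetical name PetSearch) whose markup declares
' SqlDataSource1 with the ConnectionString from the question and no SelectCommand.
Partial Class PetSearch
    Inherits System.Web.UI.Page

    ' Allowlists: column names and operators cannot be SQL parameters, so only
    ' these exact strings are ever placed into the statement text.
    Private Shared ReadOnly Columns As String() = {"jedan", "dva", "tri", "cetiri", "pet"}
    Private Shared ReadOnly Operators As String() = {"=", "<>", "<", ">", "<=", ">=", "LIKE"}

    ' Returns the allowlist entry matching the input, or Nothing if there is none.
    Private Shared Function Pick(ByVal allowed As String(), ByVal input As String) As String
        If input Is Nothing Then Return Nothing
        For Each item As String In allowed
            If String.Equals(item, input.Trim(), StringComparison.OrdinalIgnoreCase) Then Return item
        Next
        Return Nothing
    End Function

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        Dim column As String = Pick(Columns, Request("xmbr"))
        Dim op As String = Pick(Operators, Request("xSEL"))
        Dim value As String = Request("xpro")

        ' Reject the request rather than guess when any part is missing or unknown.
        If column Is Nothing OrElse op Is Nothing OrElse value Is Nothing Then
            Throw New HttpException(400, "Invalid filter")
        End If

        ' Only allowlisted text is concatenated; the user's value travels as @xpro.
        SqlDataSource1.SelectCommand = _
            "SELECT [jedan], [dva], [tri], [cetiri], [pet] FROM [pet1] " & _
            "WHERE [" & column & "] " & op & " @xpro"

        ' SqlDataSource adds the "@" prefix for SQL Server, so the name is "xpro".
        SqlDataSource1.SelectParameters.Clear()
        SqlDataSource1.SelectParameters.Add("xpro", value)
    End Sub
End Class
```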
Jan 07, 2008 06:11 AM|prince_prince_23|LINK
I'm trying to use inline code inside my sqldatasource.
<asp:Parameter Name="CREATION_DATE" Type="DateTime" DefaultValue= '<%System.DateTime.Now.ToString()%>' />
This gives me an error saying input string was not in correct format.
Could someone help me with this?