Last post Aug 15, 2008 08:19 PM by Motley
Oct 29, 2007 12:50 AM|cjgates|LINK
I am trying to change the select statement of an sqldatasource if a check box is checked.
I am using the SqlDataSourceSelectingEventArgs but i can't get it to work, anyone got any pointers?
Thanks in advance
Oct 29, 2007 01:17 AM|gww|LINK
I have always just used a string for my SQL statement assigned to a variable and just changed what the variable is assigned to, such as:
If checkbox.checked = true
SQLstr = "Select *..."
SQLstr = "Select Column1..."
Oct 29, 2007 03:37 PM|cjgates|LINK
Thanks for the reply,
How then do i pass the string to my sqldatasource as the select command?
Oct 29, 2007 05:17 PM|cjgates|LINK
Thanks again for the reply. I have made the change you suggested and moved the sub to the page load event handler which made it work. Problem is i get SQL errors.. Can anyone see where my select might be wrong?
LocManSearch.SelectCommand = SQLstr
Oct 29, 2007 06:29 PM|Motley|LINK
Besides the fact that you suffer from possibly getting SQL Injection attacks because you are using sql string concatenation instead of either parameterized queries or encoded strings, here is your problem:
Aug 15, 2008 05:33 PM|radfo|LINK
I'm new to the ASP.net scene so if possible I would like know more about the injection statement you made. I think I'm using the parameterized queries as you said, but I would like to make sure. When building my query I use @variable in my query as opposed
to putting the variable directly in my query as shown in the previous post. Is that what I'm supposed to do or is there something different?
Any help would be greatly appreciated.
Aug 15, 2008 08:19 PM|Motley|LINK
Yes, that is exactly what you should do.