How to grab the passed value in a SELECT WHERE clause?

liunx

Guest
Hi guys, I am passing an aspx page with a teamno value (teamsandmatchs.aspx?team=2). I do not know how I can grab that passed value and place it inside my SELECT WHERE clause statement. Right now my WHERE clause has the default value 2



strSQL = "SELECT * From matches Where teamno=2"



but I want to change this part so it grabs any passed value, for example
teamsandmatchs.aspx?team=4. I'd be happy if someone could show me how I can grab that value and place it in my SELECT WHERE clause. Thanks.


Here is my onload code:



' These Imports go at the top of the code-behind file
Imports System.Data
Imports System.Data.SqlClient

' Connection field used by both procedures (its declaration is assumed; added so the snippet compiles)
Private MyConnection As SqlConnection

Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
    If Session("login") = "ok" Then
        MyConnection = New SqlConnection("server=localhost;database=teniss2;uid=web;pwd=web;")
        If Not Page.IsPostBack Then
            BindDataGridTeams()
        End If
    Else
        Server.Transfer("promptloging.aspx")
    End If
End Sub

Sub BindDataGridTeams()
    Dim ds As New DataSet
    Dim sda As SqlDataAdapter
    Dim strSQL As String
    ' Here we are receiving the teamno value (currently hard-coded to 2)
    strSQL = "SELECT * From matches Where teamno=2"
    sda = New SqlDataAdapter(strSQL, MyConnection)
    sda.Fill(ds, "teams")
    DataGridTeams.DataSource = ds.Tables("teams")

    Try
        DataGridTeams.DataBind()
    Catch ObjError As Exception
        ' The page index can be stale after the data changes; reset it and bind again
        DataGridTeams.CurrentPageIndex = 0
        DataGridTeams.DataBind()
    End Try
End Sub

Dim strID As String = Request.QueryString("team").ToString()
strSQL = "SELECT * From matches Where teamno= " & strID

You should put a check in to make sure that strID actually contains a value.

Eric

Hi method,

Eric has answered your direct question accurately and succinctly. However, from a bigger perspective, that technique will leave you wide open to "SQL Injection Attacks" (see http://www.nextgenss.com/papers/advanced_sql_injection.pdf).

With .NET (unlike classic ASP, where that technique was kind of your only choice), you should look into using the SqlCommand object, specifically with SqlCommand "parameter" objects. Too much for me to cover here, but you should be able to find plenty of references on them. By using the SqlCommand specifically with its parameter objects, you get some built-in defense against SQL injection attacks, as it prevents you from passing incorrect data types, handles proper escaping of single quotes in your data, etc.
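The following is an added example, not code posted by anyone in this thread. It puts together the two points made above: Eric's note that strID should be checked for a value, and the advice to use SqlCommand with parameter objects instead of string concatenation. It assumes .NET 2.0 or later (for Integer.TryParse and Using), the same connection string, the same "matches" table with an integer "teamno" column, and the DataGridTeams control from the original post; the class name TeamsAndMatches and the helper TryGetRequestedTeamNo are my own names.

```vb
Imports System.Data
Imports System.Data.SqlClient

' Code-behind for teamsandmatchs.aspx (class name assumed for this example)
Partial Public Class TeamsAndMatches
    Inherits System.Web.UI.Page

    ' Connection string taken from the original post
    Private Const ConnString As String = "server=localhost;database=teniss2;uid=web;pwd=web;"

    Private Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles MyBase.Load
        If Session("login") <> "ok" Then
            Server.Transfer("promptloging.aspx")
            Return
        End If
        If Not Page.IsPostBack Then
            BindDataGridTeams()
        End If
    End Sub

    ' Reads ?team= from the query string. Returns True and the parsed number only when the
    ' value is present and is a positive integer; anything else (missing, blank, "abc",
    ' "2 OR 1=1") is rejected before it gets anywhere near the database.
    Private Function TryGetRequestedTeamNo(ByRef teamNo As Integer) As Boolean
        Dim raw As String = Request.QueryString("team")
        If raw Is Nothing OrElse raw.Trim().Length = 0 Then
            Return False
        End If
        If Not Integer.TryParse(raw.Trim(), teamNo) Then
            Return False
        End If
        Return teamNo > 0
    End Function

    Private Sub BindDataGridTeams()
        Dim teamNo As Integer
        If Not TryGetRequestedTeamNo(teamNo) Then
            ' Missing or invalid input: bind an empty grid instead of guessing a team
            DataGridTeams.DataSource = Nothing
            DataGridTeams.DataBind()
            Return
        End If

        Dim ds As New DataSet()
        Using conn As New SqlConnection(ConnString)
            ' The SQL text is constant; the team number is sent separately as a typed parameter,
            ' so the input can never change the shape of the query.
            Using cmd As New SqlCommand("SELECT * FROM matches WHERE teamno = @teamno", conn)
                cmd.Parameters.Add("@teamno", SqlDbType.Int).Value = teamNo
                Using sda As New SqlDataAdapter(cmd)
                    sda.Fill(ds, "teams")
                End Using
            End Using
        End Using

        DataGridTeams.DataSource = ds.Tables("teams")
        Try
            DataGridTeams.DataBind()
        Catch ex As Exception
            ' The current page index can be stale after the data changes; reset and rebind
            DataGridTeams.CurrentPageIndex = 0
            DataGridTeams.DataBind()
        End Try
    End Sub
End Class
```

Two things are doing the work here. Integer.TryParse is the "check that strID contains a value" from Eric's reply, tightened to "contains a positive integer", so a request for team=abc or an empty team= gives an empty grid rather than an exception or a malformed query. The SqlParameter of type SqlDbType.Int is the SqlCommand parameter object described above: even if the validation were skipped, the value is transmitted as an integer parameter and not spliced into the SQL string, which is what closes the injection hole in the concatenated version.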
 