In my Project I need that user will see the garages that in the same city of user .
I created users table that include - Id,UserName,Password,Email,CarModel,Year,City,
and another Table is GarageUsers that include -Id,UserName,Password,Email,Address,City,GarageName.
In Configure Data Source I insertes this code :
SELECT GargeUsers.GarageName, GargeUsers.Address,GargeUsers.City,GargeUsers.Email
FROM GargeUsers
INNER JOIN GarageuserCategory ON GargeUsers.Id = GarageuserCategory.UserId
I
WHERE (GarageuserCategory.CategoryId = 1) AND (GargeUsers.City LIKE Users.City)
(The GarageUserCategory is to show the data in the current category- its Ok ignore it).
In this code I see the all garages.
I add Session that save the user city when the user login.
But I cant see what I want in gridview. I need to know how to equal the session (USerCity) to garage city.
protected void LogIn_Click(object sender, EventArgs e)
{
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["RegistrationConnectionString"].ConnectionString);
conn.Open();
string checkuser = "select count(*) from Users where UserName= '" + UserName.Text + "'";
SqlCommand com = new SqlCommand(checkuser, conn);
int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
conn.Close();
if (temp == 1)
{
conn.Open();
string checkPasswordQuery = "select Password from Users where UserName= '" + UserName.Text + "'";
SqlCommand passComm = new SqlCommand(checkPasswordQuery, conn);
string password = passComm.ExecuteScalar().ToString().Replace(" ", "");
string UserCityQuery = "select City from Users where UserName= '" + UserName.Text + "'";
SqlCommand cityComm = new SqlCommand(UserCityQuery, conn);
string UserCity = cityComm.ExecuteScalar().ToString().Replace(" ", "");
if (password == Password.Text)
{
Session["UserCity"] = UserCity;
Session["New"] = UserName.Text;
Response.Write("Password is correct");
Response.Redirect("HomePage.aspx");
}
else
{
Response.Write("Password is not correct");
}
}
else
{
Response.Write("User Name is not correct");
}
}
}
}
You say
I need that user will see the garages that in the same city of user.
That seem like you need a filter to select USER
Also you say
(The GarageUserCategory is to show the data in the current category- its Ok ignore it).
So i remove it. Next time try make the query simple with only the problem you have
SELECT
GargeUsers.GarageName,
GargeUsers.Address,
GargeUsers.City,
GargeUsers.Email
FROM
GargeUsers INNER JOIN
Users ON GargeUsers.City = Users.City
WHERE
Users.UserID = #userID <-- ADD THIS ONE
To handle variable in SQL check SELECT #local_variable (Transact-SQL)
To select the cities garage after user Select a city in the page
SELECT
GargeUsers.GarageName,
GargeUsers.Address,
GargeUsers.City,
GargeUsers.Email
FROM
GargeUsers
WHERE
GargeUsers.City = #cityID
Related
I am using sap.net web form. In this web form i have a text and a button. user enter name or id and hit search button. Searching with id is working fine but with name it is not working.
What i am missing here help me out please.
String Status = "Active";
String BDstring = ConfigurationManager.ConnectionStrings["CS"].ConnectionString;
using (SqlConnection conn = new SqlConnection(BDstring))
{
try
{
String query = "SELECT * from Driver where(Name LIKE '%' + #search + '%' OR DriverID = #search) AND Status = 'Active'";
SqlCommand cmd = new SqlCommand(query, conn);
cmd.Parameters.AddWithValue("#search", SearchTextBox.Text);
conn.Open();
SqlDataReader SDR = cmd.ExecuteReader();
DataTable DT = new DataTable();
if (SDR.HasRows)
{
DT.Load(SDR);
GridView.DataSource = DT;
GridView.DataBind();
}
}
catch (SqlException exe)
{
throw exe;
}
}
}
The code is generating an exception. The fact that you're unaware of this indicates that you have "error handling" somewhere in your system that is, in fact "error hiding". Remove empty catch blocks, or pointless catch blocks such as the one in your question that just destroys some information in the exception and re-throws it. Those aren't helping you.
The actual problem is that the DriverID column is int and your parameter is varchar. So long as the varchar contains a string that can be converted to a number (which is the direction that the conversion happens in due to precedence), the query is well-formed.
As soon as the parameter contains a string that cannot be implicitly converted to a number, SQL Server generates an error that .NET turns into an exception.
For your LIKE variant, you're forcing a conversion in the opposite direction (numeric -> varchar) since LIKE only operates on strings. That conversion will always succeed, but it means that you're performing textual comparisons rather than numeric, and also means there's no possible index usage here.
I'd suggest that you change your C# code to attempt a int.TryParse on the input text and then uses two separate parameters to pass strings and (optionally) their numeric equivalent to SQL Server. Then use the appropriate parameters in your query for each comparison.
Something like:
String Status = "Active";
String BDstring = ConfigurationManager.ConnectionStrings["CS"].ConnectionString;
using (SqlConnection conn = new SqlConnection(BDstring))
{
String query = "SELECT * from Driver where(Name LIKE '%' + #search + '%' OR " +
"DriverID = #driverId) AND Status = 'Active'";
SqlCommand cmd = new SqlCommand(query, conn);
cmd.Parameters.Add("#search", SqlDbType.VarChar,50).Value = SearchTextBox.Text;
cmd.Parameters.Add("#driverId", SqlDbType.Int);
int driverId;
if(int.TryParse(SearchTextBox.Text, out driverId))
{
cmd.Parameters["#driverId"].Value = driverId;
}
conn.Open();
SqlDataReader SDR = cmd.ExecuteReader();
DataTable DT = new DataTable();
if (SDR.HasRows)
{
DT.Load(SDR);
GridView.DataSource = DT;
GridView.DataBind();
}
}
"SELECT * from Driver where (Name LIKE '%" + #search + "%'
OR DriverID = '" + #search + "' ) AND Status = 'Active'";
how about this?
I have a database table were a column holds multiple strings. They are holding License Plate numbers. If I search for 1 il get the first registration it finds with a one. I want to set it so that I must enter the full string and if I don't it should say not found. Here is my code. I'm sure its just the SQL command that needs altering for this.
public Car getCar(String searchLicense) {
Car foundCar = new Car();
try {
Class.forName("com.mysql.jdbc.Driver");
Connection conn = DriverManager.getConnection(url + dbName, userName, password);
statement = conn.createStatement();
resultSet = statement
.executeQuery("select * from eflow.registration where cLicense like '%" + searchLicense + "%'");
while (resultSet.next()) {
foundCar = new Car(resultSet.getInt("cID"), resultSet.getString("cLicense"),
resultSet.getInt("cJourneys"), resultSet.getString("cUsername"),
resultSet.getString("cPassword").toString());
}
conn.close();
} catch (Exception e) {
e.printStackTrace();
}
return foundCar;
}
If you need the exact string, you will need to remove the '%' in the LIKE filter.
Your code should be:
cLicense like '" + searchLicense + "'
The '%' wildcard put before and after the parameter you have, enables you to search for any string containing the searchLicense value in the middle, without checks of what is before or after that string.
You should be using parameterized queries. Bobby Tables: A guide to preventing SQL injection
Then use = instead of like.
select * from eflow.registration where cLicense = #searchLicense
I'm trying to use an SQL select statement to read from a database to validate a login form. The problem I'm having is its telling me its an invalid column name.
SELECT * FROM users
WHERE [username] = #theusername
AND [password] = #thepassword
where #theusername is a parameratized value of "Rymo_18", and the password is, for the sake of argument, "password".
The errors I get are:
Invalid column name 'Rymo_18'.
Invalid column name 'password'
Don't know why I'm getting those errors. I've tried swapping the values around the = sign, tried using values directly (username = "Rymo_18") and all other matters of fiddling to fix it, and I've had no luck. There are no other tables called 'user' within my Database.
EDIT: Here's the code as it appears in the C# I'm using:
string user = unametext.Text;
string pword = pwordtext.Text;
string connectionstring = WebConfigurationManager.ConnectionStrings["elmtreeconnect"].ConnectionString;
SqlConnection myconnection = new SqlConnection(connectionstring);
myconnection.Open();
string query = "SELECT * FROM users WHERE (username= #theusername OR email = #theusername) AND password = #thepassword";
SqlCommand attemptLogin = new SqlCommand(query, myconnection);
attemptLogin.Parameters.AddWithValue("#theusername", user);
attemptLogin.Parameters.AddWithValue("#thepassword", pword);
SqlDataReader rdr = attemptLogin.ExecuteReader();
if (rdr.HasRows)
{
Session["user"] = rdr["username"].ToString();
Session["id"] = rdr["id"].ToString();
Session["type"] = rdr["accountType"].ToString();
Response.Redirect("loginsuccess.aspx");
}
else
{
unametext.Text = "";
pwordtext.Text = "";
statusLabel.Text = "Login failed. Please try again, or contact info#elmtree.co.uk for assistance";
}
Thanks for the help!
string query = "select 1 from users where username=#theusername and password=#password";
...
if(rdr.Read()){
...
}
exists should be used in if exists(select...)
I am searching for (PostId,UserId) into PostLikes table using SqlDataAdapter, if the row is found , I am using SqlCommandBuilder.GetDeleteCommand() to generate the delete instruction and deleting the underlying row, if the row is not found, then I use SqlCommandBuilder.GetInsertCommand() to generate the insert command and inserting the row to the table using SqlDataAdapter.Update(). But the row is not getting inserted to the table in database. Here is what I have done so far
SqlConnection con = new SqlConnection(connectionStrings);
SqlDataAdapter sqlDataAdapter=new SqlDataAdapter("select * from PostLikes where PostId like "
+postlike.PostId+" and UserId like "
+postlike.UserId,con);
DataSet ds = new DataSet();
sqlDataAdapter.Fill(ds, "Result");
con.Open();
SqlCommandBuilder sqlCommandBuilder = new SqlCommandBuilder(sqlDataAdapter);
if(ds.Tables["Result"].Rows.Count==1)
{
sqlDataAdapter.DeleteCommand = sqlCommandBuilder.GetDeleteCommand(true);
msg = "Data is deleted";
}
else
{
sqlDataAdapter.InsertCommand = sqlCommandBuilder.GetInsertCommand(true);
msg = "Data is inserted";
}
sqlDataAdapter.Update(ds, "Result");
and the tablePostLikes(LikeId,PostId,UserId)
There are a couple of issues:
You are looking to reuse the same command to both detect whether the row exists, and to supply to the SqlAdapter for the SqlCommandBuilder.
You should parameterise the initial select query to protect against SqlInjection attacks (and there is a minor performance benefit). The CommandBuilder will automatically parameterize the Insert / Delete commands
After creating the Insert / Delete commands with the SqlCommandBuilder, you then need to change the underlying dataset in order for any changes to be made to the table during the Update.
Note that many of the Sql objects are IDisposable and should be disposed ASAP - using scopes help here.
.
var postId = 1;
var userId = 1;
string msg;
using (var con = new SqlConnection(#"data source=..."))
using (var selectCommand = new SqlCommand(
"select LikeId, PostId, UserId from PostLikes WHERE PostId=#PostId AND UserId=#UserId", con))
using (var sqlDataAdapter = new SqlDataAdapter(selectCommand))
using (var ds = new DataSet())
{
con.Open();
selectCommand.Parameters.AddWithValue("#PostId", postId);
selectCommand.Parameters.AddWithValue("#UserId", userId);
sqlDataAdapter.Fill(ds, "Result");
using (var sqlCommandBuilder = new SqlCommandBuilder(sqlDataAdapter))
{
if (ds.Tables["Result"].Rows.Count == 1)
{
sqlDataAdapter.DeleteCommand = sqlCommandBuilder.GetDeleteCommand(true);
ds.Tables["Result"].Rows[0].Delete();
msg = "Data will be deleted";
}
else
{
sqlDataAdapter.InsertCommand = sqlCommandBuilder.GetInsertCommand(true);
// Null because LikeId is Identity and will be auto inserted
ds.Tables["Result"].Rows.Add(null, postId, userId);
msg = "Data will be inserted";
}
sqlDataAdapter.Update(ds, "Result");
}
}
I've assumed the following Schema:
CREATE TABLE PostLikes
(
LikeId INT IDENTITY(1,1) PRIMARY KEY,
PostId INT,
UserId INT
)
And I've assumed you want to 'toggle' the insertion or deletion of a row with the postId, userid combination.
I am pretty sure this code is fine. I wanted to know what you guys think about the insertMediaTags function (2nd func). The things i am worried about is the below concurrent safe? and if insertMediaTags is optimize enough? note it is in a transaction due to first func but it is also in a loop which could mean its bad?
I am open to any coding practice, style or suggestions you guys may have.
(I know someone will ask, i am using sqlite ATM but its prototype code to use with mysql or a version of ms sql or another)
{
long mediaId;
//all the credentials should be verified by this point.
command.CommandText = "SELECT mediaId FROM media " +
"WHERE userId=#userId AND title=#title;";
command.Parameters.Add("#userId", DbType.Int64).Value = m.userid;
command.Parameters.Add("#title", DbType.String).Value = m.title;
if (command.ExecuteScalar() != null)
throw new System.InvalidOperationException("Title already exisit");
using (var dbTrans = connection.BeginTransaction())
{
command.CommandText =
"INSERT INTO " +
"media ( userid, catagory, creation_date, current_media_date, current_desc_date, licence, title, desc, ext) " +
"VALUES(#userid, #catagory, #creation_date, #current_media_date, #current_desc_date, #licence, #title, #desc, #ext); " +
"SELECT last_insert_rowid() AS RecordID;";
DateTime currentDate = m.creation_date;
command.Parameters.Add("#userid", DbType.Int64).Value = m.userid;
command.Parameters.Add("#catagory", DbType.Int64).Value = m.catagory;
command.Parameters.Add("#creation_date", DbType.DateTime).Value = m.creation_date;
command.Parameters.Add("#current_media_date", DbType.DateTime).Value = currentDate;
command.Parameters.Add("#current_desc_date", DbType.DateTime).Value = currentDate;
command.Parameters.Add("#licence", DbType.Int64).Value = m.license;
command.Parameters.Add("#title", DbType.String).Value = m.title;
command.Parameters.Add("#desc", DbType.String).Value = m.desc;
command.Parameters.Add("#ext", DbType.Int64).Value = m.ext;
mediaId = (long)command.ExecuteScalar();
//m.collaborateWith
insertInspired(inspireLinks.external, inspireLinks.internalPair, mediaId);
insertDerived(deriveLinks.external, deriveLinks.internalPair, mediaId);
insertMediaTags(m.listTagString, mediaId);
//command.CommandText = "END TRANSACTION;"; command.ExecuteNonQuery();
updateMediaForWatchers(m.userid, mediaId, m.catagory, currentDate);
dbTrans.Commit();
}
return mediaId;
}
void insertMediaTags(List<string> tags, long mediaId)
{
foreach(string tag in tags)
{
//assure tag exist
long tagId;
command.CommandText = "SELECT tagid FROM tag_name WHERE title=#title;";
command.Parameters.Add("#title", DbType.String).Value = tag;
object o = command.ExecuteScalar();
if (o == null)
{
command.CommandText =
"INSERT INTO tag_name(title) VALUES(#title); " +
"SELECT last_insert_rowid() AS RecordID;";
command.Parameters.Add("#title", DbType.String).Value = tag;
tagId = (long)command.ExecuteScalar();
}
else
tagId = (long)o;
command.CommandText =
"INSERT INTO media_tags(mediaId, tagid) " +
"VALUES(#mediaId, #tagid);";
command.Parameters.Add("#mediaId", DbType.Int64).Value = mediaId;
command.Parameters.Add("#tagid", DbType.Int64).Value = tagId;
command.ExecuteNonQuery();
command.CommandText =
"UPDATE tag_name SET count = count+1 "+
"WHERE tagid=#tagid";
command.Parameters.Add("#tagid", DbType.Int64).Value = tagId;
command.ExecuteNonQuery();
}
}
No it's not concurrent safe. You have a potential race condition between the SELECT to determine whether the tag exists, and the INSERT to create the tag if it does not. Imagine thread A does a SELECT and finds it does not exist, and then thread B does the same before thread A does the INSERT. Thread B will attempt the insert as well and fail.
In SQL Server, it's better to use the SCOPE_IDENTITY() function. Other than that I don't see a problem.