
Okay, so I am pretty new to coding and I got a school project, one of whose requirements was to be able to search a database and show the results in a table. This is the code I wrote for this:

aspx page:

<form id="userSearchForm" method="post" action="#">
    <input type="text" id="userName" value="" />
    <input class="button" id="submit" name="submit" type="submit" value="Submit" />
</form>
<%=st %>

aspx.cs page:

public partial class Default2 : System.Web.UI.Page
{
    public string st=null;
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Request.Form["submit"] != null)
        {
            string user = Request.Form["userName"];
            st = MyAdoHelper.printDataTable("Database.mdf", "select * from members where name = '" + user + "'");
        }
    }
}    

and the code I use in a different C# page that I call from the aspx.cs page above:

public static DataTable ExecuteDataTable(string fileName, string sql)
{
    SqlConnection conn = ConnectToDb(fileName);
    conn.Open();
    SqlDataAdapter tableAdapter = new SqlDataAdapter(sql,conn);
    DataTable dt = new DataTable();
    tableAdapter.Fill(dt);
    return dt;
}

public static string printDataTable(string fileName, string sql)
{
    DataTable dt = ExecuteDataTable(fileName, sql);

    string printStr = "<table border='1'>";

    foreach (DataRow row in dt.Rows)
    {
        printStr += "<tr>";
        foreach (object myItemArray in row.ItemArray)
        {
            printStr += "<td>" + myItemArray.ToString() +"</td>";
        }
        printStr += "</tr>";
    }
    printStr += "</table>";

    return printStr;
}

Basically, after I press submit what seems to be a blank table appears: a big black line across the screen, as if it is the border of a table without information. Any help?

Iddo Sadeh

  • Please go google about SQL Injection right now, and do not put this code into production! This is wide open to SQL injection: `"select * from members where name = '" + user + "'"` – arserbin3 Jun 10 '14 at 21:41
  • Never forget [Bobby](http://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work). It is sitting right there. Between userName and your db. – Steve Jun 10 '14 at 21:41
  • Yes, I have heard of this problem before, but I don't think it's the reason for my problem. It is not as important to me now, as it is not my goal. – Iddo Sadeh Jun 10 '14 at 21:47

1 Answer

Ok, because you are in the process of learning, I should tell you this before I fix the issue for you.

Whenever you want to work on the server side like your code does, it's easier to use server controls rather than HTML controls. HTML controls are lighter, but sometimes they are tricky to use in server-side coding. So the alternatives are using <asp:Button instead of <input type="submit" and <asp:TextBox instead of <input type="text".

Anyway, let's get back to your problem with that code. As I said, it's a bit tricky working with HTML elements in the code behind, and you must be very careful with the HTML elements' attributes.

So the issue in your code is a missing name attribute; it should be like this:

 <input type="text" id="userName" name="userName" value="" />

Then you can get the value like this in the code behind:

 string user = Request.Form["userName"].ToString();

And now your query will get the proper result from your database. Let me know if you have any further issues with that.

Ali
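A defensive rewrite of the two helpers, added here as an example and not part of the question or the answer: the search term is bound as a SqlParameter (the point arserbin3 and Steve raise in the comments, which the name-attribute fix alone does not address), and each cell is HTML-encoded before being written into the page, so a stored value is displayed literally rather than interpreted by the browser. It assumes MyAdoHelper.ConnectToDb from the question's helper class is accessible; SafeAdoHelper and SearchMembers are names chosen for this example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;
using System.Web;

public static class SafeAdoHelper
{
    // Runs a parameterised query: the user's value travels as a parameter,
    // never as part of the SQL text, so quotes in it cannot change the statement.
    // MyAdoHelper.ConnectToDb is assumed to be the helper the question already uses.
    public static DataTable ExecuteDataTable(string fileName, string sql, params SqlParameter[] parameters)
    {
        using (SqlConnection conn = MyAdoHelper.ConnectToDb(fileName))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddRange(parameters);
            conn.Open();
            DataTable dt = new DataTable();
            new SqlDataAdapter(cmd).Fill(dt);
            return dt;
        }
    }

    // Builds the HTML table; HtmlEncode turns characters such as < and & into entities,
    // so a cell containing markup is shown as text instead of being rendered.
    // Convert.ToString maps DBNull to an empty string instead of throwing.
    public static string PrintDataTable(DataTable dt)
    {
        StringBuilder html = new StringBuilder("<table border='1'>");
        foreach (DataRow row in dt.Rows)
        {
            html.Append("<tr>");
            foreach (object cell in row.ItemArray)
            {
                html.Append("<td>").Append(HttpUtility.HtmlEncode(Convert.ToString(cell))).Append("</td>");
            }
            html.Append("</tr>");
        }
        return html.Append("</table>").ToString();
    }

    // Replacement for the query in the question's Page_Load: the name is bound as @name.
    public static string SearchMembers(string fileName, string userName)
    {
        DataTable dt = ExecuteDataTable(fileName,
            "select * from members where name = @name",
            new SqlParameter("@name", SqlDbType.NVarChar, 100) { Value = userName ?? string.Empty });
        return PrintDataTable(dt);
    }
}
```

In Page_Load this replaces the concatenated call with `st = SafeAdoHelper.SearchMembers("Database.mdf", Request.Form["userName"]);`, which still depends on the name attribute the answer adds.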