1

I am currently creating a voting system whereby existing users can vote on whether other entries are valid or not (upvote/Downvote) thru a sql dataset table.

Each user who is registered gets a customer number and the user needs a customer number to cast a vote. When the user casts a vote their customer number is recorded in the entry and the sql query updates the score to either add 1 to upvote or 1 to downvote. A unique constraint is applied to the voters ID on each entry voted to prevent a double vote and a user must have a customer number to vote.

My Code below attempts to do this however it always seems to end up with the message box saying "error, you cannot vote until you provide a valid customer number in the Textbox". All help is appreciated, thanks a lot!

protected void searchTheDB()
{
    string s = "SELECT compName As 'Company/Organization Name', btcAddr As 'Bitcoin Address', Premium_User as 'Premium User'," + 
    "upvote as 'Upvotes',downvote As 'Downvotes' FROM clientDataTable WHERE compName LIKE '%" + searchBox.Text + "%'";

    try
    {
        SqlConnection forSearch = new SqlConnection(connectionString);
        SqlDataAdapter search = new SqlDataAdapter(s, forSearch);
        DataSet dB = new DataSet();
        search.Fill(dB);
        searchGridView.DataSource = dB;
        searchGridView.DataBind();
        searchBox.Text = String.Empty;
    }
    catch (SqlException exp)
    {
        throw new InvalidOperationException("Sorry, the website is experiencing difficulties, please try again, error: ", exp);
    }
}

protected void searchButton_Click(object sender, EventArgs e)
{
    custVoteTextBox.Text = String.Empty;
    searchTheDB();
    generalLabel.Text = "results displayed below, if nothing is displayed your search returned no results";
}

protected void canUserVote()
{
    submitCustNumButton_Click(new object(), new EventArgs());

    string query = "INSERT INTO dbo.ClientDataTable (custNum) Values (@custNum)";

    try
    {
        SqlConnection checkCustNum = new SqlConnection(connectionString);

        SqlCommand isCustNumbValid = new SqlCommand(query, checkCustNum);
        isCustNumbValid.Parameters.AddWithValue("@custNum", custNumber);

        checkCustNum.Open();
        isCustNumbValid.ExecuteNonQuery();
        checkCustNum.Close();
    }
    catch (SqlException e)
    {
        if (e.Number == 2627) //checks if customer number is registered by activating unique constraint
        {
            canVote = true;
        }
        else //else user is not eligable to vote
        {
            canVote = false;
            MessageBox.Show("invalid customer number, you cannot vote" + e);
        }
    }

}


protected void searchGridView_RowCommand(object sender, GridViewCommandEventArgs e)
{
    canUserVote();//calls this method to check if user is eligable to vote with the given custNum in the textbox

    if (canVote == true && custVoteTextBox.Text.Length == 8) 
    {
        try
        {
            SqlConnection voteDb = new SqlConnection(connectionString);
            {
                switch (e.CommandName)
                {
                    case "Upvote":
                        int index = Convert.ToInt32(e.CommandArgument);
                        GridViewRow selectedRow = searchGridView.Rows[index];

                        string upvoteUpdateQuery = "UPDATE dbo.clientDataTable SET upvote = @upvote WHERE compName = @compName";
                        SqlCommand Upvote = new SqlCommand(upvoteUpdateQuery, voteDb);
                        Upvote.Parameters.AddWithValue("@upvote", "@upvote" + 1);
                        Upvote.Parameters.AddWithValue("@compName", selectedRow.DataItem.Equals("@compName"));

                        string insertQuery = "INSERT INTO dbo.clientDataTable (voted) Values(@voted) WHERE compName = @compName";
                        SqlCommand insertVoterDetailsUpvote = new SqlCommand(insertQuery, voteDb); //inserts voter information into specific entries table
                        insertVoterDetailsUpvote.Parameters.AddWithValue("@voted", custNumber);
                        insertVoterDetailsUpvote.Parameters.AddWithValue("@compName", selectedRow.DataItem.Equals("compName"));

                        voteDb.Open();
                        Upvote.ExecuteNonQuery();
                        voteDb.Close();

                        break;


                    case "Downvote":
                        int downvoteindex = Convert.ToInt32(e.CommandArgument);
                        GridViewRow downvoteSelectedRow = searchGridView.Rows[downvoteindex];

                        string downvoteUpdateQuery = "UPDATE dbo.clientDataTable SET downvote = @downvote WHERE compName = @compName";
                        SqlCommand Downvote = new SqlCommand(downvoteUpdateQuery, voteDb);
                        Downvote.Parameters.AddWithValue("@downvote", "@downvote" + 1);
                        Downvote.Parameters.AddWithValue("@compName", downvoteSelectedRow.DataItem.Equals("@compName"));

                        string downvoteInsertQuery = "UPDATE clientDataTable SET downvote = downvote + 1 WHERE compName = @compName";
                        SqlCommand insertVoterDetailsDownvote = new SqlCommand(downvoteInsertQuery, voteDb); //inserts voter information into specific entries table
                        insertVoterDetailsDownvote.Parameters.AddWithValue("@voted", custNumber);
                        insertVoterDetailsDownvote.Parameters.AddWithValue("@compName", downvoteSelectedRow.DataItem.Equals("@compName"));

                        voteDb.Open();
                        Downvote.ExecuteNonQuery();
                        voteDb.Close();

                        break;
            }

        }

        }

        catch (SqlException exp)
        {
            if (exp.Number == 2627)
            {
                MessageBox.Show("Sorry, you have already voted");
            }
            else
            {
                throw new InvalidOperationException("Sorry, the website is experiencing difficulties, please try again, error: ", exp);
            }

        }
    }
    else
    {
        MessageBox.Show("error, invalid customer number in the Textbox");
    }

}
protected void submitCustNumButton_Click(object sender, EventArgs e)
{
    int custNo = int.Parse(custVoteTextBox.Text);
    this.custNumber = custNo;
}
James S
  • 25
  • 3
  • it seems you don't set canvote to true – HubertL Sep 05 '15 at 00:24
  • Hi, Sorry, i forgot to show that it is set to true by default then only gets set to false when the user doesn't have a customer number – James S Sep 05 '15 at 00:28
  • You don't even seem to execute your query so you probably don't catch no exception – HubertL Sep 05 '15 at 00:35
  • 1
    `UPDATE clientDataTable SET upvote = upvote + 1` will upvote everything in the table , there is no where clause there to limit the rows. You have done exactly the same for down vote as well. Also what is `SELECT custNum INSERT INTO voted WHERE custNum.....` I have never seen this syntax , what are you trying to do here ? – M.Ali Sep 05 '15 at 00:42
  • 1) see edit 2) I am trying to enter the customer number of the user who voted into a table column to record voters and prevent double votes via a unique constraint. Thanks – James S Sep 05 '15 at 01:25
  • You created a `SqlCommand` but you never execute it. – dmeglio Sep 05 '15 at 01:59

1 Answers1

0

I can't tell for sure from your code but it seems that custNumber is a text box and so instead of:

if (canVote == true && custNumber.ToString().Length == 9)

you should have:

if (canVote == true && custNumber.Text.Length == 9)

If I'm wrong and it isn't a text box, put a breakpoint on that line and see what custNumber.ToString() actually equals.

Also note that your code is vulnerable to a SQL injection attack. Here's some interesting reading on the subject. How does the SQL injection from the "Bobby Tables" XKCD comic work?

Community
  • 1
  • 1
StillLearnin
  • 1,391
  • 15
  • 41
  • See edit and no it is not a textbox field but it is a variable assigned from the textbox value. Cheers – James S Sep 06 '15 at 10:48