
I am trying to make a little webshop with an ASP.NET and C# web application. Therefore I already have one page done. If someone selects an item, that value will be inserted in a cookie that I can use on a different page to show what's in the "shopping cart". I am putting that value in a string so I can read the value, but it won't work.

I tried to use an IN clause and LIKE between "%value%".

    roll1 = Request.Cookies["aStudentCookies"]["id"] + "<br>";
    // (The value of roll1 will look like: roll1 = "1,2,34,45,123,56";)

    sql = " SELECT Naam, Prijs, GerechtId from[1A-Gerecht] WHERE GerechtId IN roll1";

It keeps telling me "incorrect syntax" for the variable roll1.

marcel9933
  • I have questions about how you're running this query against the database. But specifically your problem here is that you're referencing the string name in the string itself. You want `sql = " SELECT Naam, Prijs, GerechtId from[1A-Gerecht] WHERE GerechtId IN " + roll1;` or `sql = $" SELECT Naam, Prijs, GerechtId from[1A-Gerecht] WHERE GerechtId IN {roll1}";` – muttley91 Jun 03 '19 at 15:23
  • @muttley91 No, you definitely **don't** want that. That would open up the application to a SQL Injection attack. That's incredibly dangerous. You should be very careful inserting user supplied values into your queries (as in, just don't do it). – mason Jun 03 '19 at 15:24
  • @muttley91 You should make it an answer so you can format the code properly – Juan Carlos Oropeza Jun 03 '19 at 15:24
  • @mason That's what I meant by my first comment, I don't know how this query is being processed. It's very concerning for that reason. – muttley91 Jun 03 '19 at 15:26
  • @JuanCarlosOropeza I didn't make it an answer as I don't think it's the complete right answer, the query should be parameterized differently. – muttley91 Jun 03 '19 at 15:26
  • @muttley91 I specifically don't want you to make an answer here, that's why I closed this question. There's already a question and answer for how to do this properly. If you know how to do it properly (securely!) and your approach is different from an existing answer, then you can add it to the question I closed this as a duplicate of. – mason Jun 03 '19 at 15:33
  • You probably need something like this to avoid SQL injection: https://stackoverflow.com/questions/9384446/how-to-pass-sqlparameter-to-in – Juan Carlos Oropeza Jun 03 '19 at 15:33
  • @JuanCarlosOropeza I already closed this as a duplicate of that question. – mason Jun 03 '19 at 15:33
  • @mason I saw that, I was also looking for a duplicate and didn't refresh the page – Juan Carlos Oropeza Jun 03 '19 at 15:38
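The comments point at the two real issues: `roll1` is inside the string literal, so it is never substituted, and the fix is not to concatenate it (the cookie is client-controlled, so that is an injection path) but to pass each id as a SqlParameter inside the IN list, as in the linked duplicate. The following is an added example, not code from the question or from any answer; it reuses the table and column names from the question (`[1A-Gerecht]`, `Naam`, `Prijs`, `GerechtId`), the cookie value format shown there, and assumes the caller supplies an already-constructed `SqlConnection` (the connection string is the caller's own):

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example (not the asker's code). Table/column names come from the question.
public static class CartQuery
{
    // Turns the raw cookie value ("1,2,34,45,123,56") into a list of integers.
    // The cookie is client-controlled input, so anything that is not an
    // integer is rejected instead of being forwarded to SQL Server.
    public static List<int> ParseCartIds(string cookieValue)
    {
        var ids = new List<int>();
        if (string.IsNullOrWhiteSpace(cookieValue))
            return ids;

        foreach (var part in cookieValue.Split(','))
        {
            if (int.TryParse(part.Trim(), out var id))
                ids.Add(id);
            else
                throw new FormatException("Cart cookie contains a non-numeric id: '" + part + "'");
        }
        return ids;
    }

    // Builds a parameterised command: one @pN parameter per id, so the cookie
    // content is sent as typed values and never becomes part of the SQL text.
    public static SqlCommand BuildCartCommand(SqlConnection connection, string cookieValue)
    {
        List<int> ids = ParseCartIds(cookieValue);
        SqlCommand cmd = connection.CreateCommand();

        if (ids.Count == 0)
        {
            // Empty cart: "IN ()" is a syntax error, so return a query that matches nothing.
            cmd.CommandText = "SELECT Naam, Prijs, GerechtId FROM [1A-Gerecht] WHERE 1 = 0";
            return cmd;
        }

        var names = new List<string>();
        for (int i = 0; i < ids.Count; i++)
        {
            string name = "@p" + i;
            names.Add(name);
            cmd.Parameters.Add(name, SqlDbType.Int).Value = ids[i];
        }

        // Only the parameter *names* are concatenated; they are generated here, not taken from the cookie.
        cmd.CommandText =
            "SELECT Naam, Prijs, GerechtId FROM [1A-Gerecht] WHERE GerechtId IN ("
            + string.Join(", ", names) + ")";
        return cmd;
    }

    // Runs the query and writes one line per cart item (stand-in for binding to the page).
    public static void ShowCart(SqlConnection connection, string cookieValue)
    {
        using (SqlCommand cmd = BuildCartCommand(connection, cookieValue))
        {
            connection.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    Console.WriteLine(reader["Naam"] + " - " + reader["Prijs"] + " (id " + reader["GerechtId"] + ")");
            }
        }
    }
}
```

In the page code the call would be `ShowCart(conn, Request.Cookies["aStudentCookies"]["id"])`, passing the cookie value as read (without the `"<br>"` the question appends to `roll1`, which would make the last id fail to parse). Because the ids are bound as `SqlDbType.Int` parameters, a tampered cookie cannot change the shape of the statement; the worst it can do is fail validation in `ParseCartIds`, which is the behaviour a defender wants.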

0 Answers