
for view:-

Here op is my selected value from an HTML dropdown & e is the value of a button click. I just want to pass both values to my controller, from where I can put those in my SQL query. How can I pass those two variables in my @UrlAction so I can get those in my controller?

    function details()
    {
        var op;
        var e = document.getElementById("test").Value;

        $("mydropdown option").each(function (i) {
            var op = $(this).attr('selected').val();
        })

        window.open('@UrlAction("UserLayerView", "home", new {layertype = e, layername= op })')
    }

for controller:-

    public ActionResult UserLyerView(DataTable as dt, String layertype, String layername)
    {
        string query = "select column name from" + layertype + "Where name =" +layername;
    }
  • danger will robinson! never ever concatenate user input into a sql query- I could completely pwn your database server just from the query string - look into SQL parameters; now; what is the question here? does the UrlAction work? (and: shouldn't that be Url.Action(...)?) does it give the right result? what happens when the window.open fires? basically: in what way do your expectation and reality differ? Commented Nov 21, 2017 at 9:08
  • No, UrlAction is not working Commented Nov 21, 2017 at 9:10
  • and what does "is not working" mean here? is it failing with a compilation error? is it giving the wrong result? is it throwing an exception at runtime? Did you try Url.Action(...) instead of UrlAction(...)? Commented Nov 21, 2017 at 9:11
  • I so want to search for layer name and 1=0; drop table users; -- Commented Nov 21, 2017 at 9:18
  • Side note: Concatenating query string is not a good thing since it induces SQL injection attempt - use parameterized query instead. Also you can't use client-side variable concatenation inside Url.Action - it should be using query string like this: window.open('@Url.Action("UserLayerView", "Home")' + '?layertype=' + e + '&layername=' + op). Commented Nov 21, 2017 at 9:26

1 Answer

You are mixing client-side and server-side code. The e and op variables are client-side JavaScript; Url.Action is server-side Razor code. You cannot use client-side variables in a server-side operation, because they don't exist yet (and when they do: Url.Action will make no sense). So; you'll have to build the URL manually and dynamically via concatenation. You could also set inputs on a hidden form (perhaps action="get") and submit that.
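
An added example (not part of the original answer or the asker's code) of building the URL on the client while percent-encoding both values, with raw concatenation shown beside it for comparison. `ACTION_PATH`, the helper names and the sample values are assumptions; `ACTION_PATH` stands in for whatever string Razor renders for the action.

```javascript
// ACTION_PATH is an assumed stand-in for the string Razor emits for
// '@Url.Action("UserLayerView", "Home")' when the view is rendered.
const ACTION_PATH = "/Home/UserLayerView";

// Build the URL in the browser: the path comes from the server, the two
// values are added client-side and percent-encoded by URLSearchParams.
function buildLayerUrl(actionPath, layertype, layername) {
  if (typeof layertype !== "string" || typeof layername !== "string") {
    throw new TypeError("layertype and layername must be strings");
  }
  const params = new URLSearchParams({ layertype, layername });
  return actionPath + "?" + params.toString();
}

// Raw concatenation, for comparison: the values are pasted in unencoded.
function buildLayerUrlRaw(actionPath, layertype, layername) {
  return actionPath + "?layertype=" + layertype + "&layername=" + layername;
}

// Parse a URL's query string back into name/value pairs, which is
// roughly what the receiving side works from.
function parseQuery(url) {
  const query = url.slice(url.indexOf("?") + 1);
  return Array.from(new URLSearchParams(query).entries());
}

// Constructed sample values: a dropdown text containing '&' and '='.
const sampleType = "roads";
const sampleName = "A&B=main roads";

const encoded = buildLayerUrl(ACTION_PATH, sampleType, sampleName);
const raw = buildLayerUrlRaw(ACTION_PATH, sampleType, sampleName);

console.log(encoded);
console.log(parseQuery(encoded)); // two pairs, layername intact
console.log(parseQuery(raw));     // three pairs, layername cut at '&'

// In the page itself: window.open(buildLayerUrl(ACTION_PATH, e, op));
```

Encoding only keeps the two values intact in transit; the controller still has to pass them to the database as SQL parameters, as the comments point out.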
