2

I am trying to create a search box in my application, in order to do so i need to modify the SqlDataSource.SelectCommand. I will appreciate any help!

For testing I did it like this, it works but it is vulnerable for sql injection

   SqlDataSource1.SelectCommand = "sp_offer_search '" + txtSearch.Text + "', " +   Session["customerId"] + " , '" + "Pending"+ "'";
   GridView1.DataBind();

This is What I tried so far but it is not working:

 if (txtSearch.Text != "")
        {                
         //open connection
          oCn.Open();
          SqlCommand com = new SqlCommand(query, oCn);
          com.CommandType = CommandType.StoredProcedure;

          com.Parameters.AddWithValue("@Variable", txtSearch.Text);  
          com.Parameters.AddWithValue("@CustomerId",Session["customerId"]);   
          com.Parameters.AddWithValue("@Status", txtStatus.Text);   


            DataTable dt = new DataTable();
            dt.Load(com.ExecuteReader());

            SqlDataSource1.SelectCommand = dt.ToString();
            GridView1.DataBind();
       }
Improve this question
4
  • Exactly how does it now work? Do you get an error, or incorrect returns, or nothing returned? Something else? Commented Jan 2, 2015 at 16:28
  • it doesn't return anything, it like it doesn't find a match Commented Jan 2, 2015 at 16:29
  • 1
    You should check out Can we stop using AddWithValue() already? and stop using .AddWithValue() - it can lead to unexpected and surprising results... Commented Jan 2, 2015 at 16:35
  • Marc_s thank you for the hands up. I did not know that. Commented Jan 2, 2015 at 16:40

2 Answers 2

Reset to default
5

If the GridView datasource is set to the SqlDataSource1 then you don't need the DataTable. And a DataTable.ToString() is not a selectCommand. Try:

 if (txtSearch.Text != "")
    {                        
      SqlCommand com = new SqlCommand(query, oCn);
      com.CommandType = CommandType.StoredProcedure;

      com.Parameters.AddWithValue("@Variable", txtSearch.Text);  
      com.Parameters.AddWithValue("@CustomerId",Session["customerId"]);   
      com.Parameters.AddWithValue("@Status", txtStatus.Text);   

      SqlDataSource1.SelectCommand = com;
      GridView1.DataBind();
   }
Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Hi Crowcoder, "com" is returning System.Data.SqlClient.SqlCommand and is causing an error:'System.Data.SqlClient.SqlCommand' is not supported in this version of SQL Server any ideas?
What is your database?
we are using SQL Azure
I've only used EntityFramework against SQL Azure. I found this (axian.com/2014/12/01/adjustments-for-sql-azure-no-ole-db) that implies the ADO.Net OleDB provider might work. But if you are going to switch the provider I would suggest EntityFramework.
0

Solved ! Here is what I tried and it works. I hope this can b helpful for someone.

  if (txtSearch.Text != "")
        {
            try
            {
                //  open connection
                oCn.Open();

                SqlDataAdapter da = new SqlDataAdapter("sp_offer_search", oCn);

                da.SelectCommand.CommandType = CommandType.StoredProcedure;
                da.SelectCommand.Parameters.Add("@Variable", SqlDbType.VarChar).Value = txtSearch.Text;
                da.SelectCommand.Parameters.Add("@CustomerId", SqlDbType.Int).Value = Session["customerId"];
                da.SelectCommand.Parameters.Add("@Status", SqlDbType.VarChar).Value = "Pending";

                DataTable dt = new DataTable();
                da.Fill(dt);
                GridView1.DataSourceID = String.Empty;
                GridView1.DataSource = dt;
                GridView1.DataBind();

            }
            catch(Exception ex)
            {
                Response.Write(ex.ToString());
            }
            finally
            {
                oCn.Close();
            }

        }
        else
        {
            GridView1.DataSourceID = "SqlDataSource1";
            SqlDataSource1.SelectCommand = SqlDataSource1.SelectCommand;
            GridView1.DataBind();
        }
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.