Hi, here is my code.


C#
protected void Search_Click(object sender, ImageClickEventArgs e)
{
    // Collect the search criteria from the drop-down lists.
    SearchFacultyPL stPL = new SearchFacultyPL();
    stPL.RoomNo = ddlSemister.SelectedValue;
    stPL.ExamDate = ddlDate.SelectedValue;
    stPL.eSession = ddlSession.SelectedValue;
    //stPL.aNo = ddlAno.SelectedValue;

    // Look up the room details through the business layer and bind the grid.
    SearchFacultyBLL stBLL = new SearchFacultyBLL();
    DataTable dt = stBLL.SearchRoomDetails(stPL);

    if (dt.Rows.Count > 0)
    {
        grdTimeTable.DataSource = dt;
        grdTimeTable.DataBind();
    }

    // Open the connection only when it is not already open. (The original
    // closed it when it was NOT open and then called Open() unconditionally,
    // which throws if the connection was already open.)
    if (connection.State != ConnectionState.Open)
    {
        connection.Open();
    }

    // The query text is still built by concatenating UI input, which is the
    // SQL injection problem pointed out in the answer below.
    SqlCommand cmd5 = new SqlCommand();
    cmd5.Connection = connection;
    cmd5.CommandText = "select facultycode from fAllotmentTab where RoomNo='" + ddlSemister.SelectedValue + "' and ExamDate='" + ddlDate.SelectedValue + "' and eSession='" + ddlSession.SelectedValue + "'";

    // Dispose the reader when done so the connection is not left busy.
    using (SqlDataReader dr5 = cmd5.ExecuteReader())
    {
        // Show the first allotted faculty code, or an empty value if no row matched.
        labelmsg.Text = dr5.Read()
            ? "Alloted Faculty : " + dr5.GetValue(0).ToString()
            : "Alloted Faculty : ";
    }
}

When I search, I want to display that faculty name in that label, but it is not displaying. Can anyone advise me?

1 solution

First of all, you need to run this code under a debugger and see what is returned in the data reader. Why do you assume there is only one record? I cannot see the returned data set because I don't have your database and don't even know its schema. For you, this is easy to pinpoint.

What's more important, you make a big mistake in your query. You compose a query using repeated string concatenation. This is already bad, because strings are immutable. You could use string.Format to solve this problem, but even that would not be good enough in your case. The problem is: you are composing the query based on the UI input. You should never ever do it because this is too dangerous from the security standpoint. It is too easy to input not just data (room number or date), but also any fragment of SQL code. This is called SQL injection and is a very well-known exploit. Please see:
http://en.wikipedia.org/wiki/SQL_injection

Also, the string data is untyped, and the performance can be a problem. Look at the article referenced above and read about the importance of parametrized statements. With ADO.NET, you should always use parametrized commands:
http://msdn.microsoft.com/en-us/library/yy6y35y8.aspx

[EDIT]

You cannot use the data reader this way. You should do something like:
C#
if (dr5.HasRows) {
    dr5.Read();
    var someValue = dr5["myColumnName"];
    if (!DBNull.Value.Equals(someValue)) {
        string someStringValue = someValue as string;
        if (!string.IsNullOrEmpty(someStringValue)) {
            // use someStringValue here
        }
    } //if
} //if


But why do you think there is only one row in the data set? Usually the data reader is used to read to the very end.

—SA
 
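As an added illustration of the parametrized command the answer recommends (this is not code from the question or the answer), here is the faculty lookup from the question rewritten so the UI values travel as SqlParameter objects instead of being spliced into the SQL text, and so the reader is read to the end rather than assuming a single row. The table and column names are the ones from the question; the connection string, the method names, the VarChar(50) parameter sizes and the assumption that ExamDate is stored as text (as the original compares it) are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class FacultyLookup
{
    // Returns every facultycode allotted to the given room, date and session.
    // Table/column names come from the question; the connection string is
    // supplied by the caller (placeholder, not a value from the page).
    public static List<string> GetAllottedFaculty(string connectionString,
        string roomNo, string examDate, string eSession)
    {
        // Fixed SQL text with named parameters: no user input ever becomes part of it.
        const string sql =
            "select facultycode from fAllotmentTab " +
            "where RoomNo = @RoomNo and ExamDate = @ExamDate and eSession = @eSession";

        var codes = new List<string>();

        // 'using' disposes the connection, command and reader even if an exception is thrown.
        using (var connection = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, connection))
        {
            // Typed parameters: a quote or SQL keyword in the input is matched as
            // data, never executed. Sizes (50) are assumed; match your schema.
            cmd.Parameters.Add("@RoomNo", SqlDbType.VarChar, 50).Value = roomNo;
            // Assumed text column, as the original compares it as a string;
            // use SqlDbType.Date and a DateTime value if the column is a date.
            cmd.Parameters.Add("@ExamDate", SqlDbType.VarChar, 50).Value = examDate;
            cmd.Parameters.Add("@eSession", SqlDbType.VarChar, 50).Value = eSession;

            connection.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                // Read to the end: there may be zero, one or many matching rows.
                while (reader.Read())
                {
                    if (!reader.IsDBNull(0))
                        codes.Add(reader.GetValue(0).ToString());
                }
            }
        }
        return codes;
    }

    // Builds the label text from all matched codes (empty list -> no codes shown).
    public static string FormatLabel(List<string> codes)
    {
        return "Alloted Faculty : " + string.Join(", ", codes);
    }
}
```

In Search_Click the call would be labelmsg.Text = FacultyLookup.FormatLabel(FacultyLookup.GetAllottedFaculty(connectionString, ddlSemister.SelectedValue, ddlDate.SelectedValue, ddlSession.SelectedValue)).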
Comments
ythisbug 16-Mar-12 13:42pm
Hi, lablemsg is coming null.
Sergey Alexandrovich Kryukov 16-Mar-12 14:05pm
Sorry, there is no such name in your code.
--SA
Sergey Alexandrovich Kryukov 16-Mar-12 14:06pm
Oh, I see. You cannot mix up a data reader with a string...
--SA
ythisbug 16-Mar-12 13:43pm
Hi, can you suggest more about that code? Where is the mistake? Tomorrow I have to submit my project.
Sergey Alexandrovich Kryukov 16-Mar-12 14:04pm
Please read about parametrized commands and how the parameters are substituted.
--SA

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


