Your code is vulnerable to SQL Injection. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.
Amer Amer wrote:
Dim sqlcom As New SqlCommand("select bookcontent,bookname from books where bookn=" & Page.RouteData.Values("bookn").ToString & "", conn)

Dim ds As New DataTable
Using sqlcom As New SqlCommand("select bookcontent,bookname from books where bookn = @bookn", conn)
    ' The route value travels as a parameter, so it can never alter the SQL text
    sqlcom.Parameters.AddWithValue("@bookn", Page.RouteData.Values("bookn").ToString())
    Dim da As New SqlDataAdapter(sqlcom)
    da.Fill(ds)
End Using

If ds.Rows.Count <> 0 Then
    Dim filename As String = ds.Rows(0).Field(Of String)("bookcontent")
    Dim fff As String = ds.Rows(0).Field(Of String)("bookname")
    Dim fileInfo As FileInfo = New FileInfo(filename)
    If fileInfo.Exists Then
        Response.ContentType = "application/pdf"
        Response.AddHeader("Content-Disposition", "inline; filename=""" & fff & ".pdf" & """")
        ' Stream the file to the client
        Response.TransmitFile(filename)
    End If
End If

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
As already mentioned, this is the only way to send the file to the user. IIS is pretty good at handling file transfers; requests from other users shouldn't be blocked whilst the file is downloading.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
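The difference between the two `SqlCommand` constructions above can be checked without a SQL Server at hand. The following is an added example, not code from the thread; it uses Python's built-in `sqlite3` module as a stand-in for ADO.NET, with a constructed `books` table, and shows the classic tautology input from the OWASP material linked above returning every row through the concatenated query while the parameterized query treats the same input as a plain value and matches nothing.

```python
import sqlite3

# Constructed sample rows standing in for the "books" table in the post.
BOOKS = [
    (1, "Intro to ADO.NET", "/files/adonet.pdf"),
    (2, "VB Cookbook", "/files/vbcook.pdf"),
]


def make_db():
    """Build an in-memory database with the sample books (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table books (bookn integer, bookname text, bookcontent text)"
    )
    conn.executemany("insert into books values (?, ?, ?)", BOOKS)
    return conn


def lookup_concat(conn, bookn):
    """Mirrors the original code: the route value is spliced into the SQL text.

    Whatever the caller supplies becomes part of the statement, so the
    database executes the attacker's text as SQL.
    """
    sql = "select bookcontent, bookname from books where bookn=" + bookn
    return conn.execute(sql).fetchall()


def lookup_param(conn, bookn):
    """Mirrors the corrected code: the value is bound as a parameter.

    The SQL text is fixed at "where bookn = ?"; the supplied string is only
    ever compared against the column, never parsed as SQL.
    """
    sql = "select bookcontent, bookname from books where bookn = ?"
    return conn.execute(sql, (bookn,)).fetchall()


def lookup_validated(conn, bookn):
    """Defence in depth: reject anything that is not a whole number up front,
    then still use a parameter. Returns None for a malformed route value."""
    if not bookn.isdigit():
        return None
    return lookup_param(conn, int(bookn))


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1 or 1=1"):
        print(repr(value), "concat ->", len(lookup_concat(db, value)), "rows;",
              "param ->", len(lookup_param(db, value)), "rows")
```

Running it shows the parameterized lookup returning one row for `"1"` and none for the tautology, while the concatenated version hands back the whole table for the latter; `lookup_validated` adds the cheap input check that a route value like `bookn` should pass anyway, independent of the query itself being parameterized.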