I am using the CascadingDropDown control of Ajax to bind a Country DDL and, depending on the selected country, bind another DDL, State.
The web service code is:
// Requires: System.Collections.Generic, System.Collections.Specialized,
// System.Data, System.Web.Services, AjaxControlToolkit
[WebMethod]
public CascadingDropDownNameValue[] GetCountryCDD()
{
    List<string> names = new List<string>();
    string str = @"select * from (select 0 tID, '<--Select-->' Name union SELECT tID, Name FROM M_Country) AS T ORDER BY Name";
    DataTable dt = SQL_DBCS.ExecuteDataTable(str);

    // Map each row to a name/value pair for the dropdown.
    List<CascadingDropDownNameValue> CountryDet = new List<CascadingDropDownNameValue>();
    foreach (DataRow dtrow in dt.Rows)
    {
        string EcCountryId = dtrow["tID"].ToString();
        string EcCountry = dtrow["Name"].ToString();
        CountryDet.Add(new CascadingDropDownNameValue(EcCountry, EcCountryId));
    }
    return CountryDet.ToArray();
}

and


[WebMethod]
public CascadingDropDownNameValue[] GetStateCDD(string knownCategoryValues, string category)
{
    // knownCategoryValues carries the parent selection sent by the client, e.g. the country ID under key "C".
    String countryID;
    StringDictionary CountryDic = AjaxControlToolkit.CascadingDropDown.ParseKnownCategoryValuesString(knownCategoryValues);
    countryID = Convert.ToString(CountryDic["C"]);

    // The client-supplied country ID is concatenated directly into the SQL text here.
    string str = @"select * from (select 0 tID, '<--Select-->' Name union SELECT tID, Name FROM M_State WHERE CountryID=" + countryID + ") AS T ORDER BY Name";
    DataTable dt = SQL_DBCS.ExecuteDataTable(str);

    List<CascadingDropDownNameValue> Statedetails = new List<CascadingDropDownNameValue>();
    foreach (DataRow dtrow in dt.Rows)
    {
        string EcStateId = dtrow["tID"].ToString();
        string EcState = dtrow["Name"].ToString();
        Statedetails.Add(new CascadingDropDownNameValue(EcState, EcStateId));
    }
    return Statedetails.ToArray();
}

This is working as desired. But I want to know when to use EnableSession = true. What is the harm in not using it?
Comments
Richard Deeming 13-Oct-15 8:48am
Your code is vulnerable to SQL Injection. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.
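
The parameterized form of GetStateCDD that the comment above calls for, as an added example that is not code from the original post or from any commenter. It assumes SQL Server via System.Data.SqlClient, an integer CountryID column, a hypothetical class name LocationService and a hypothetical connection string named "AppDb"; it bypasses the poster's SQL_DBCS helper, whose signature is not shown on the page.

```csharp
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Services;
using AjaxControlToolkit;

public class LocationService : WebService   // hypothetical class name
{
    // Assumption: a connection string named "AppDb" exists in web.config.
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;

    [WebMethod]
    public CascadingDropDownNameValue[] GetStateCDD(string knownCategoryValues, string category)
    {
        StringDictionary known =
            CascadingDropDown.ParseKnownCategoryValuesString(knownCategoryValues);
        var states = new List<CascadingDropDownNameValue>
        {
            new CascadingDropDownNameValue("<--Select-->", "0")
        };

        // knownCategoryValues is sent by the browser, so treat it as untrusted:
        // reject anything that is not an integer before touching the database.
        int countryId;
        if (!known.ContainsKey("C") || !int.TryParse(known["C"], out countryId))
            return states.ToArray();

        const string sql =
            "SELECT tID, Name FROM M_State WHERE CountryID = @CountryID ORDER BY Name";

        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // The value travels as a typed parameter, never as SQL text.
            cmd.Parameters.Add("@CountryID", SqlDbType.Int).Value = countryId;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    states.Add(new CascadingDropDownNameValue(
                        reader["Name"].ToString(), reader["tID"].ToString()));
            }
        }
        return states.ToArray();
    }
}
```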

1 solution

If your web method doesn't need the Session then you don't need to set it. When EnableSession is true your web method runs in the same Session that the web pages do, so it can access/update Session values.
 