Datagrid rowcommand shows incorrect value after my search result

Question

0.00/5 (No votes)

See more:

Hello everyone,
My project seems simple. My form populates a datagrid on load (from a database)
I have a search button which works and I can now filter the results.
I also have an onRowCommand which, for now just shows the details of the the selected row.
However, at page load, it seems fine, i can check the details without problem. But, when I do a search. it shows me a different value.
for example.

Hinata [View]
Sakura [View]
Tenten [View]

if search "n"
the result is

Hinata [View]
Tenten [View]

but when i click View of Tenten - It shows SAKURA :(

My Form

VB

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
             
        If Not Me.IsPostBack Then
            Me.BindGrid("")
        End If

        End Sub

VB

Hello Again,
I kinda cleaned my code a bit. I also used a viewstate.. but I still get the error.
<pre lang="vb">
Protected Sub lnkSearch_Click(sender As Object, e As EventArgs) Handles lnkSearch.Click
        Dim strSearch As String
        
        strSearch = "SELECT Fid,RealName,Department FROM tblUsers" &
                                    " WHERE RealName LIKE '%" & txtName.Text & "%'"

        Dim constring As String = "Data Source=LOCALHOST\SQLEXPRESS;Initial Catalog=dbTOD_Sql;Integrated Security=True"
        Using con As New SqlConnection(constring)
            Using cmd As New SqlCommand(strSearch, con)
                cmd.CommandType = CommandType.Text
                Using sda As New SqlDataAdapter(cmd)
                    Using dt As New DataTable()
                        sda.Fill(dt)

                        'Set AutoGenerateColumns False
                        GridView1.AutoGenerateColumns = False

                        'First time knowing ViewState. HOpe this works
                        ViewState("vsTable") = dt
                        'Reading the viewstate values.
                        Dim dt2 As DataTable = DirectCast(ViewState("vsTable"), DataTable)
                        GridView1.DataSource = dt2
                        GridView1.DataBind()
                    End Using
                End Using
            End Using
        End Using
    End Sub
</pre>

Protected Sub GridView1_RowCommand(sender As Object, e As GridViewCommandEventArgs)

Dim rowIndex As Integer = Convert.ToInt32(e.CommandArgument)
Dim row As GridViewRow = GridView1.Rows(rowIndex)

'Access Cell values.
Dim customerId As Integer = Integer.Parse(row.Cells(0).Text)
Dim name As String = row.Cells(1).Text
MsgBox (name) 'just for testing
End Sub

What I have tried:

Edited: I tried Viewstate as suggested but I still get the error.

I tried selectedIndexChange but, I still get the same results. I did Computer restarts hoping it was just a bug and a refresh would make the problem go away.
I am lost. I don't know what to do anymore.

Posted 1-Aug-16 0:56am

Cute Girly Geek

Updated 1-Aug-16 17:40pm

v2

Add a Solution

Comments

Richard Deeming 1-Aug-16 10:02am

strSelectCmd = "SELECT Fid,Realname,,Department,Email FROM tblPerson" & " WHERE Department = '" & SelectedGroup & "'"

Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]

You already know how to use parameters - you've done the right thing in lnkSearch_Click. :)

Cute Girly Geek 1-Aug-16 22:41pm

Sorry I pasted the wrong lnkSearch_Click.. It's like the BindGrid() Routine but with str = "Select * FROM tblUsers WHERE Username LIKE '%" & txtName.txt & "%'"

Thank you for your response btw, I promise to be a good girl and will study and implement parameterized query after I get all my needed functions. Will clean code afterwards. Thanks again :)

Richard Deeming 2-Aug-16 8:46am

Fixing the SQLi is fairly simple:

Const strSearch As String = "SELECT Fid,RealName,Department FROM tblUsers WHERE RealName LIKE '%' + @Name + '%'"
...
Using cmd As New SqlCommand(strSearch, con)
   cmd.CommandType = CommandType.Text
   cmd.Parameters.AddWithValue("@Name", txtName.Text)
   ...

There's no need to store the results in ViewState - the GridView already takes care of that for you.

What does the .aspx markup look like for the grid?

Cute Girly Geek 11-Aug-16 23:14pm

Thank you Mr. Richard.. Sorry for the late reply.. its the design of my form that is... I think is at fault.. I tried everything to be done in one form. (nilesh sawardekar was right at that).. So I just created a new form for my search and it was working. Though I would really love to get an example of viewstate. Thanks again. :)

Cute Girly Geek 11-Aug-16 23:14pm

Thank you Mr. Richard.. Sorry for the late reply.. its the design of my form that is... I think is at fault.. I tried everything to be done in one form. (nilesh sawardekar was right at that).. So I just created a new form for my search and it was working. Though I would really love to get an example of viewstate. Thanks again. :)

Richard Deeming 1-Aug-16 10:04am

Are you sure the code you've shown us gives you the results you've shown?

The query in lnkSearch_Click won't filter the grid, and doesn't look like it would match the two records you've shown.

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

nilesh sawardekar · Answer 1 · 2016-08-01T02:05:00

Solution 1

Check your user1 value. if your using same page for all things which you have mentioned then use viewstate[]

Posted 1-Aug-16 2:05am

nilesh sawardekar