Hello everyone,
My project seems simple. My form populates a datagrid on load (from a database).
I have a search button which works, and I can now filter the results.
I also have an onRowCommand which, for now, just shows the details of the selected row.
However, at page load it seems fine; I can check the details without a problem. But when I do a search, it shows me a different value.
For example:

Hinata [View]
Sakura [View]
Tenten [View]

If I search "n", the result is:

Hinata [View]
Tenten [View]

But when I click View of Tenten, it shows SAKURA :(

My Form
<pre lang="vb">
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    If Not Me.IsPostBack Then
        Me.BindGrid("")
    End If
End Sub
</pre>

Hello Again,
I kinda cleaned my code a bit. I also used a viewstate.. but I still get the error.
<pre lang="vb">
Protected Sub lnkSearch_Click(sender As Object, e As EventArgs) Handles lnkSearch.Click
        Dim strSearch As String
        
        strSearch = "SELECT Fid,RealName,Department FROM tblUsers" &
                                    " WHERE RealName LIKE '%" & txtName.Text & "%'"

        Dim constring As String = "Data Source=LOCALHOST\SQLEXPRESS;Initial Catalog=dbTOD_Sql;Integrated Security=True"
        Using con As New SqlConnection(constring)
            Using cmd As New SqlCommand(strSearch, con)
                cmd.CommandType = CommandType.Text
                Using sda As New SqlDataAdapter(cmd)
                    Using dt As New DataTable()
                        sda.Fill(dt)

                        'Set AutoGenerateColumns False
                        GridView1.AutoGenerateColumns = False

                        'First time knowing ViewState. Hope this works
                        ViewState("vsTable") = dt
                        'Reading the viewstate values.
                        Dim dt2 As DataTable = DirectCast(ViewState("vsTable"), DataTable)
                        GridView1.DataSource = dt2
                        GridView1.DataBind()
                    End Using
                End Using
            End Using
        End Using
    End Sub
</pre>



<pre lang="vb">
Protected Sub GridView1_RowCommand(sender As Object, e As GridViewCommandEventArgs)
    Dim rowIndex As Integer = Convert.ToInt32(e.CommandArgument)
    Dim row As GridViewRow = GridView1.Rows(rowIndex)

    'Access Cell values.
    Dim customerId As Integer = Integer.Parse(row.Cells(0).Text)
    Dim name As String = row.Cells(1).Text
    MsgBox(name) 'just for testing
End Sub
</pre>

What I have tried:

Edited: I tried Viewstate as suggested but I still get the error.

I tried selectedIndexChange but, I still get the same results. I did Computer restarts hoping it was just a bug and a refresh would make the problem go away.
I am lost. I don't know what to do anymore.
Updated 1-Aug-16 17:40pm
Comments
Richard Deeming 1-Aug-16 10:02am    
strSelectCmd = "SELECT Fid,Realname,,Department,Email FROM tblPerson" & " WHERE Department = '" & SelectedGroup & "'"

Your code is vulnerable to SQL Injection. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP

You already know how to use parameters - you've done the right thing in lnkSearch_Click. :)
Cute Girly Geek 1-Aug-16 22:41pm    
Sorry I pasted the wrong lnkSearch_Click.. It's like the BindGrid() Routine but with str = "Select * FROM tblUsers WHERE Username LIKE '%" & txtName.txt & "%'"

Thank you for your response btw, I promise to be a good girl and will study and implement parameterized query after I get all my needed functions. Will clean code afterwards. Thanks again :)
Richard Deeming 2-Aug-16 8:46am    
Fixing the SQLi is fairly simple:

<pre lang="vb">
Const strSearch As String = "SELECT Fid,RealName,Department FROM tblUsers WHERE RealName LIKE '%' + @Name + '%'"
...
Using cmd As New SqlCommand(strSearch, con)
    cmd.CommandType = CommandType.Text
    cmd.Parameters.AddWithValue("@Name", txtName.Text)
    ...
</pre>


There's no need to store the results in ViewState - the GridView already takes care of that for you.

What does the .aspx markup look like for the grid?
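
The parameterized search from the comment above, written out as a complete function. This is an added example, not code from the original thread; it goes one step further by escaping LIKE wildcards in the user's text. The module name, the `EscapeLike` helper and the `NVarChar(100)` parameter size are assumptions, since the thread does not give the column definition.

```vb
Imports System.Data
Imports System.Data.SqlClient

' Added example: names and the parameter size below are assumptions.
Public Module UserSearch

    ' Escape T-SQL LIKE metacharacters so the input is matched literally.
    ' "[" is handled first because the other replacements insert brackets.
    Public Function EscapeLike(ByVal input As String) As String
        Return input.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]")
    End Function

    ' Returns the users whose RealName contains nameFragment.
    ' The user's text travels only as a parameter value, never as SQL text.
    Public Function SearchUsers(ByVal connectionString As String,
                                ByVal nameFragment As String) As DataTable
        Const sql As String =
            "SELECT Fid, RealName, Department FROM tblUsers " &
            "WHERE RealName LIKE '%' + @Name + '%'"

        Dim result As New DataTable()
        Using con As New SqlConnection(connectionString)
            Using cmd As New SqlCommand(sql, con)
                cmd.CommandType = CommandType.Text
                ' Explicit type and length (assumed NVarChar(100)) keeps the
                ' parameter definition stable regardless of the input length.
                cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value =
                    EscapeLike(If(nameFragment, String.Empty))
                Using sda As New SqlDataAdapter(cmd)
                    ' Fill opens and closes the connection itself.
                    sda.Fill(result)
                End Using
            End Using
        End Using
        Return result
    End Function

    ' Usage inside lnkSearch_Click (control names as in the question):
    '   GridView1.DataSource = SearchUsers(constring, txtName.Text)
    '   GridView1.DataBind()

End Module
```

With this in place, a search for `%` or `_` matches only names that contain those characters, rather than every row.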
Cute Girly Geek 11-Aug-16 23:14pm    
Thank you Mr. Richard. Sorry for the late reply. It's the design of my form that, I think, is at fault. I tried to do everything in one form (nilesh sawardekar was right about that). So I just created a new form for my search and it was working. Though I would really love to get an example of ViewState. Thanks again. :)

1 solution

Check your user1 value. If you're using the same page for all the things you have mentioned, then use ViewState.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)