SqlConnection con = new SqlConnection();   // connection string still needs to be assigned before Open()
SqlCommand cmd = new SqlCommand();

protected void btnSearch_Click(object sender, EventArgs e)
{
    con.Open();
    // Query text is built by string concatenation, as posted
    cmd = new SqlCommand("select * from product where prod_id='" + txtboxprod_id.Text + "'", con);
    SqlDataReader sdr = cmd.ExecuteReader();
    if (sdr.Read())
    {
        txtboxpartyid.Text = sdr["party_id"].ToString();
    }
    con.Close();
}

// The query above retrieves data into the textbox party_id when I enter a product id into the textbox prod_id. Please give me a solution using 3-layer architecture in ASP.NET C#.

What I have tried:

I have tried lots of things, but I have a problem with the DataReader, and I have no idea how I can call BA layer data into the main page.
I have used different files for the 3-layer architecture:
DA Layer
BE Layer
BA Layer
Main page
Posted
Updated 13-Feb-20 1:45am

1 solution


Solution 1

Forget trying to split it up for the moment - that's not a subject for a little text box like this anyway - and fix your whole app first: it has a major problem.

Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned, and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" then SQL receives a very different command:
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
DROP TABLE MyTable;
A perfectly valid "delete the table" command
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
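The parameterized version of the lookup from the question, split into the layers the question names (data access, business, and the page), as an added example that is not part of the original answer. The class and method names (ProductDataAccess, ProductBusiness, GetPartyId), the connection-string name "ProductDb" in web.config, and the VarChar(50) type for prod_id are assumptions; match them to the real project and schema.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

// DA layer: the only code that talks to SQL Server. (Hypothetical class name.)
public class ProductDataAccess
{
    // Connection string read from web.config; the name "ProductDb" is an assumption.
    private static readonly string ConnectionString =
        ConfigurationManager.ConnectionStrings["ProductDb"].ConnectionString;

    // Returns the party_id for a product, or null when no row matches.
    public string GetPartyId(string prodId)
    {
        // The user's value never becomes part of the SQL text; @prodId is a placeholder.
        const string sql = "SELECT party_id FROM product WHERE prod_id = @prodId";

        using (SqlConnection con = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, con))
        {
            // Typed parameter: a quote or semicolon typed into the textbox is just data.
            // Column type and length are assumed; use the real column's definition.
            cmd.Parameters.Add("@prodId", SqlDbType.VarChar, 50).Value = prodId;

            con.Open();
            object result = cmd.ExecuteScalar();   // first column of first row, or null
            return (result == null || result == DBNull.Value) ? null : result.ToString();
        }
    }
}

// BA layer: input rules live here, so the page does not need to know about the database.
public class ProductBusiness
{
    private readonly ProductDataAccess _data = new ProductDataAccess();

    public string FindPartyId(string prodId)
    {
        if (string.IsNullOrWhiteSpace(prodId))
        {
            throw new ArgumentException("Product id is required.", "prodId");
        }
        return _data.GetPartyId(prodId.Trim());
    }
}

// Main page (code-behind): no SQL here, only a call into the BA layer.
public partial class ProductPage : System.Web.UI.Page
{
    protected void btnLookup_Click(object sender, EventArgs e)
    {
        try
        {
            string partyId = new ProductBusiness().FindPartyId(txtboxprod_id.Text);
            txtboxpartyid.Text = partyId ?? "not found";
        }
        catch (ArgumentException ex)
        {
            txtboxpartyid.Text = ex.Message;
        }
    }
}
```

The using blocks close the connection and command even when an exception is thrown, which removes the need for the manual con.Close() in the question; ExecuteScalar is enough here because only one column of one row is wanted, so no DataReader has to be managed by hand.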
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)