Click here to Skip to main content
15,567,466 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
Order.aspx
<div><asp:Image ID="Image1" runat="server" ImageUrl='Images/ProductImages/<%# Eval("Extention") %>'  Height="100" Width="100"></asp:Image></div>





Order.aspx.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;
using System.Configuration;
using System.Globalization;
using System.Threading;

public partial class OrderHistory : System.Web.UI.Page
{
    SqlConnection con = new SqlConnection(@"Data Source=.\SQLEXPRESS;Initial Catalog=KalzAgency;Integrated Security=true");
    public static String CS = ConfigurationManager.ConnectionStrings["KalzAgency"].ConnectionString;
    
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Session["USERNAME"] != null)
        {
            if (!IsPostBack)
            {
                this.BindProductImage();
            }
            
            string id = Session["UserID"].ToString();

        con.Open();
        SqlCommand cmd = con.CreateCommand();
        cmd.CommandType = CommandType.Text;
        cmd.CommandText = "SELECT * FROM tblOrderProducts WHERE UserID = '" + id + "'";
        cmd.ExecuteNonQuery();
        DataTable dt = new DataTable();
        SqlDataAdapter da = new SqlDataAdapter(cmd);
        da.Fill(dt);
        r2.DataSource = dt;
        r2.DataBind();
      

        con.Close();

        }

        else
        {
            Response.Redirect("~/SignIn.aspx");
        }

      


    }

    private void BindProductImage()
    {
        Int64 PID = Convert.ToInt64(Request.QueryString["PID"]);
        Int64 extention = Convert.ToInt64(Request.QueryString["Extention"]);
        using (SqlConnection con = new SqlConnection(CS))
        {
            SqlCommand cmd = new SqlCommand("BindProductImages", con)
            {
                CommandType = CommandType.StoredProcedure
            };
            cmd.Parameters.AddWithValue("@PID", PID);
            cmd.Parameters.AddWithValue("@Extention", extention);
            using (SqlDataAdapter sda = new SqlDataAdapter(cmd))
            {
                DataTable dt = new DataTable();
                sda.Fill(dt);
                r2.DataSource = dt;
                r2.DataBind();
            }
        }
    }




The Stored Procedure
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
ALTER PROCEDURE [dbo].[BindProductImages]
(
@PID int,
@Extention nvarchar(500)
)
AS
SELECT * FROM tblProductImages where PID = @PID


What I have tried:

The output from tblOrderProducts successfully display, but the image does not display anything. How can i solve this?
Posted
Updated 26-Apr-21 0:19am
v2

1 solution

Try this:
ASP.NET
<asp:Image ID="Image1" runat="server" ImageUrl='<%# Eval("Extention", "Images/ProductImages/{0}") %>'  Height="100" Width="100"/>

Quote:
C#
cmd.CommandText = "SELECT * FROM tblOrderProducts WHERE UserID = '" + id + "'";
Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]

Quote:
SQL
SELECT * FROM tblProductImages where PID = @PID
Don't use SELECT * FROM; instead, explicitly list the columns you want to load.
 
Share this answer
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900