In my application I have asked my friend to help me with coding the filtering tools, but we got stuck in some parts, so I need your kind support, guys, to help me with updating my code below, such as "var query = query + " where " + conditions;" and also "string conditions = "";". We don't have that much experience in C#, so I refer to you guys. If you need more explanation, the YouTube link below will give more info; please check it.

https://www.youtube.com/watch?v=nh5fbBuUeOE

C#
protected void Sortcarbtn_Click(object sender, EventArgs e)
{
    if (Session["location"] != null)
    {
        using (SqlConnection CarsortCon = new SqlConnection(cs))
        {
            string maker = (barndcardrlst.SelectedIndex > 0) ? barndcardrlst.SelectedValue : null;
            string yearfrom = (CarYearfrmDrDw.SelectedIndex > 0) ? CarYearfrmDrDw.SelectedValue : null;
            string yearto = (CarYeartoDrDw.SelectedIndex > 0) ? CarYeartoDrDw.SelectedValue : null;
            string gearddl = (GearDrDw.SelectedIndex > 0) ? GearDrDw.SelectedValue : null;
            string CarCond = (CarCondDrDw.SelectedIndex > 0) ? CarCondDrDw.SelectedValue : null;
            string prisfrom = (CarPriceFrmDrDw.SelectedIndex > 0) ? CarPriceFrmDrDw.SelectedValue : null;
            string pristo = (CarPriceToDrDw.SelectedIndex > 0) ? CarPriceToDrDw.SelectedValue : null;
            string Contrddl = (countrdrdolst.SelectedIndex > 0) ? countrdrdolst.SelectedValue : null;
            string statddl = (statedrdolst.SelectedIndex > 0) ? statedrdolst.SelectedValue : null;
            string cityddl = (citiesdrdolst.SelectedIndex > 0) ? citiesdrdolst.SelectedValue : null;

            string query = (@"select * from ads where Category = @Category 
                AND Country = @Country AND Maker=@brand AND Gear=@G AND Condition=@COND AND Year >@startYear and Year <@endYear");

            var location = Convert.ToString(Session["location"]);
            var cat = Convert.ToString(Request.QueryString["cat"]);

            string conditions = "";

            if (maker != null) conditions += " maker like '%" + maker + "%' ";
            if (yearfrom != null) conditions += " and year > " + yearfrom;
            if (yearto != null) conditions += " and year < " + yearto;
            if (gearddl != null) conditions += " and gear = '%" + gearddl + "%' ";
            if (CarCond != null) conditions += " Condition = '%" + CarCond + "%' ";
            if (prisfrom != null) conditions += " and price > " + prisfrom;
            if (pristo != null) conditions += " and price < " + pristo;
            if (Contrddl != null) conditions += " Country = '%" + Contrddl + "%' ";
            if (statddl != null) conditions += " State = '%" + statddl + "%' ";
            if (cityddl != null) conditions += " City = '%" + cityddl + "%' ";

            var query = query + " where " + conditions;

            CarsortQ.Fill(CarsortDataSet);

            cateshowlistview.DataSource = CarsortDataSet.Tables[0];
            cateshowlistview.DataBind();
        }
    }
}
Comments
[no name] 5-Aug-14 6:39am    
Wow, second consecutive question I've come across this morning with SQL injection vulnerabilities!

You should *NEVER* be doing this: if (maker != null) conditions += " maker like '%" + maker + "%' ";

1 solution

Take a look at this article: ADO.NET, the right way

The section applicable to what you're looking for starts at "Querying using parameterized queries".
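To make the answer concrete, here is the question's optional-filter query rebuilt with parameters. This is an added example, not the asker's code or the linked article's; the table and column names (ads, Maker, Year, Gear, Condition, Price, State, City) are assumed from the question's SQL, and the dropdown values are assumed to be parsed into int?/decimal? before the call.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

public static class AdFilter
{
    // Appends "clause" to the WHERE list and binds "value" to "@name" only when
    // a value was supplied; null means "this filter was not selected".
    // AddWithValue infers the SQL type from the .NET value; for stable query
    // plans, prefer Parameters.Add(name, SqlDbType, size) in production code.
    static void AddFilter(SqlCommand cmd, List<string> clauses,
                          string clause, string name, object value)
    {
        if (value == null) return;
        clauses.Add(clause);
        cmd.Parameters.AddWithValue(name, value);
    }

    public static SqlCommand Build(SqlConnection con, string category, string country,
        string maker, int? yearFrom, int? yearTo, string gear, string condition,
        decimal? priceFrom, decimal? priceTo, string state, string city)
    {
        SqlCommand cmd = con.CreateCommand();
        var clauses = new List<string>();

        // The two values the question takes from the session / query string.
        AddFilter(cmd, clauses, "Category = @Category", "@Category", category);
        AddFilter(cmd, clauses, "Country = @Country", "@Country", country);

        // LIKE: the wildcards are added to the parameter VALUE on the C# side,
        // so the SQL text itself never contains anything the user typed.
        AddFilter(cmd, clauses, "Maker LIKE @Maker", "@Maker",
                  maker == null ? null : "%" + maker + "%");
        // Inclusive bounds; the question used strict > and <, change if needed.
        AddFilter(cmd, clauses, "Year >= @YearFrom", "@YearFrom", yearFrom);
        AddFilter(cmd, clauses, "Year <= @YearTo", "@YearTo", yearTo);
        AddFilter(cmd, clauses, "Gear = @Gear", "@Gear", gear);
        AddFilter(cmd, clauses, "Condition = @Cond", "@Cond", condition);
        AddFilter(cmd, clauses, "Price >= @PriceFrom", "@PriceFrom", priceFrom);
        AddFilter(cmd, clauses, "Price <= @PriceTo", "@PriceTo", priceTo);
        AddFilter(cmd, clauses, "State = @State", "@State", state);
        AddFilter(cmd, clauses, "City = @City", "@City", city);

        // Only fixed string literals from this file reach CommandText; every
        // user-controlled value travels as a parameter.
        cmd.CommandText = "SELECT * FROM ads"
            + (clauses.Count > 0 ? " WHERE " + string.Join(" AND ", clauses) : "");
        return cmd;
    }
}
```

Convert the dropdown strings with int.TryParse / decimal.TryParse (passing null when the conversion fails or nothing is selected), then fill the dataset with new SqlDataAdapter(cmd).Fill(CarsortDataSet) in place of the question's CarsortQ.Fill call.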
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)