Inserting values into a database from a grid 2

[StevenB]

Hi folks, thanks to everyone's kind help, my little app is moving forward, and I'm back with another newbish question.

After much finagling with MapPath and so forth, I've written a sub that successfully writes data to my database when one of my radio voting buttons is clicked, yay!

Where I'm stuck now is this:

One of the values I want to insert into the database is stored in a boundfield in a grid view on the page. Specifically, on the page I am displaying this grid:

        <asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="False" DataSourceID="AccessDataSource1">
            <Columns>
                <asp:BoundField DataField="SuggestionID" HeaderText="SuggestionID" InsertVisible="False"
                    SortExpression="SuggestionID" />
                <asp:BoundField DataField="CategoryName" HeaderText="CategoryName" SortExpression="CategoryName" />
                <asp:BoundField DataField="Suggestion" HeaderText="Suggestion" SortExpression="Suggestion" />
                <asp:BoundField DataField="Suggester" HeaderText="Suggester" SortExpression="Suggester" />
                <asp:HyperLinkField DataNavigateUrlFields="URL" DataTextField="URL" HeaderText="URL" target="_blank"/>
                <asp:BoundField DataField="Priority" HeaderText="Priority" SortExpression="Priority" />
            </Columns>
        </asp:GridView>

I want to insert whatever value is in the "SuggestionID" bound field as one of the values in my insert statement, which looks something like this:

myCommand.CommandText = "insert into Votes(SuggestionID,VoteValue,IP) values('1','10','" & Request.UserHostAddress & "')"

Basically, I want to replace that hard-coded '1' in the SQL statement with the Suggestion ID.

The second value I want to insert ('10' in the code above) should actually be the value of whichever radio button was clicked to cause this sub to run, but I can't figure out how to do those two things.

The radio button list looks like this:

            <asp:RadioButtonList ID="VoteList" runat="server" RepeatDirection="Horizontal" AutoPostBack="True" OnSelectedIndexChanged="VoteList_SelectedIndexChanged" BackColor="#E0E0E0" BorderColor="#404040" BorderStyle="Solid" BorderWidth="2px">
                <asp:ListItem Value="1">1</asp:ListItem>
                <asp:ListItem Value="2">2</asp:ListItem>
                <asp:ListItem Value="3">3</asp:ListItem>
                <asp:ListItem Value="4">4</asp:ListItem>
                <asp:ListItem Value="5">5</asp:ListItem>
                <asp:ListItem Value="6">6</asp:ListItem>
                <asp:ListItem Value="7">7</asp:ListItem>
                <asp:ListItem Value="8">8</asp:ListItem>
                <asp:ListItem Value="9">9</asp:ListItem>
                <asp:ListItem Value="10">10</asp:ListItem>
            </asp:RadioButtonList>

Thoughts?

Thanks!

Steve

 

[ca8msm]

Before you go any further, it may be wise to look into SQL Injection as your application may be susceptible to this if you don't use SQL Parameters. There's various MSDN articles that discuss how to use them, such as this one:

http://msdn2.microsoft.com/en-us/library/system.data.sqlclient.sqldataadapter.insertcommand.aspx

____________________________________________________________
Mark,
[URL unfurl="true"]http://aspnetlibrary.com[/url]

Need help finding an answer? Try the Search Facility or read FAQ222-2244.

 

[StevenB]

Thanks, as always.

I'm curious, and it wasn't quite clear from reading that article. Is SQL injection still a risk if there is no user input?

For example, my application has no user input other than a radio button. Would it still be succeptible to SQL injection?

Not that I'm terribly concerned about it. This is a very low-key application that wouldn't be a big problem if a hacker ruined it anyway.

But still, good information, and I'll look into revising the insert to use SQL Parameters.

Thanks!

Steve

 

[ca8msm]

Yes, it's still a possibility but the hacker would have to go to slightly more trouble (i.e. they would have save the HTML to their PC, add their own option with the Injection in it and then post the form to your page).

Whilst it may not be a major application, would it matter if you lost all your data? If this does matter, then it's something I would do. Plus, it's always good to start getting into good habits early on


____________________________________________________________
Mark,
[URL unfurl="true"]http://aspnetlibrary.com[/url]

Need help finding an answer? Try the Search Facility or read FAQ222-2244.

 

[StevenB]

OK, thanks for clarifying that! I'm certainly all for learning good coding practices. Well, I can play around with that while I wait to see if someone answers my original questions in this thread.

 

[ca8msm]

If you use Parameters, it kind of changes the original question a bit (which I why I hadn't directly answered it). Retrieving the value will be the same method, but adding them won't.

Is the user just selecting one row from the GridView, and you want to use the SuggestionID of that particular row? If so, you could use:

GridView1.SelectedRow.Cells(0).Text

To get a reference to the SuggestionID, and:

VoteList.SelectedItem.Value

to get the VoteValue.



____________________________________________________________
Mark,
[URL unfurl="true"]http://aspnetlibrary.com[/url]

Need help finding an answer? Try the Search Facility or read FAQ222-2244.

 

[StevenB]

OK, let me try to explain it a little better. Apologies.

The general idea is that when a user comes to the page, the page displays a single "suggestion" to the user, in a grid. The user then votes on the suggestion ("Do I like this suggestion, or not?") by clicking on a radio button. The vote is saved to the database, and the page refreshes and displays a new suggestion. Rinse and repeat from there.

So, at any given time, there is only one suggestion displayed on the screen, and when we insert the vote into the database, we want to insert the suggestion ID of that suggestion.

Does that help? So, I don't think the user is "selecting" anything in the grid. It's just read-only information on the screen.

I could post a screenshot of the work in progress if that would help!

Thanks, as always!

Steve

 

[ca8msm]

How do you know which record to display in the GridView? Using that same methodology, you should be able to use that value and use the method I suggested above for getting the selected radio button.


____________________________________________________________
Mark,
[URL unfurl="true"]http://aspnetlibrary.com[/url]

Need help finding an answer? Try the Search Facility or read FAQ222-2244.

 

[StevenB]

Hey ca8msm,

Just by fiddling around in a different way when I created the data grid, the connection to the database I used looks like this:

        <asp:AccessDataSource ID="AccessDataSource1" runat="server" DataFile="C:\Documents and Settings\sbattisti\My Documents\Visual Studio 2005\Projects\OOTPSuggestions\OOTPSuggestions.mdb"
            SelectCommand="SELECT [SuggestionID], [CategoryName], [Suggestion], [Suggester], [URL], [Priority] FROM [SuggestionInfo] WHERE ([SuggestionID] = ?)">
            <SelectParameters>
                <asp:Parameter DefaultValue="1" Name="SuggestionID" Type="Int32" />
            </SelectParameters>
        </asp:AccessDataSource>

Is this the sort of approach that is better practice and proof against SQL Injection? It's not specifically the same as the stuff in the link you provided, but it's certainly, uh, different from what I did for the insert.

Or, is this one bad too?

 

[StevenB]

Urk, is there no way to edit your posts after posting?

 

[StevenB]

I was able to get the VoteValue working, whee!

Regarding the Gridview, you had written:

"How do you know which record to display in the GridView? Using that same methodology, you should be able to use that value and use the method I suggested above for getting the selected radio button."

Well, the problem is, I don't know how I'm determining which record to display in the GridView yet. Currently, it's hard-coded to a single value.

So, I guess that's the next piece of the puzzle. I need to figure out, if my query returns 10 different suggestions, how do I get it to display just one of those? (And, subsequently, once I've done that, I can use that to figure out how to populate the suggestionID value when I insert data back into the table.)

Thanks, as always.

 

[ca8msm]

Is this the sort of approach that is better practice and proof against SQL Injection? It's not specifically the same as the stuff in the link you provided, but it's certainly, uh, different from what I did for the insert.

Personally, I don't like the DataSource controls as I find them fairly restrictive especially when they come to debugging. I prefer to write the code myself in a Data Access Layer which means it is easy to maintain and debug. I also use another method for connecting to the database which is using Microsoft's Enterprise Library, however, I don't want to suggest too much at once to you, so to get you started you may be better off just writing code like in the example I linked to.


____________________________________________________________
Mark,
[URL unfurl="true"]http://aspnetlibrary.com[/url]

Need help finding an answer? Try the Search Facility or read FAQ222-2244.

 

[jbenson001]

So, I guess that's the next piece of the puzzle. I need to figure out, if my query returns 10 different suggestions, how do I get it to display just one of those?

You can pull your results into a datatable. Then use the Rand class to generate a random number between 1 and 10. Then use that number to grab the row with that index. If you don't want to repeat the same values, then delete that row from the datatable once it is shown. Then you just generate a randome number between 1 and the #of rows in the datatable.

 

[StevenB]

These are great suggestions.

I'm pleased to report that I've actually got the whole thing working! Now, mind you, it's hideous, and the code is a mess, particularly the data source stuff.

So, I have some cleanup to do to make the data sources more secure and consistent.

The datatable was a great suggestion, jbenson, thanks very much! However, I was actually able to work around it by modifying my SELECT statement so that the query only ever returns one row of data. (It picks the one with the lowest ID if more than 1 row is returned.)

ca8msm, I was able to get the GridView value to post to the database by using the string "GridView1.Rows(0).Cells(0).Text".

I have one more thing I need some help with, but I'll post that separately.

Thanks again guys!

Steve

 

[StevenB]

And, if you're interested in visiting the remaining question:

http://www.tek-tips.com/viewthread.cfm?qid=1396702

 

[jbenson001]

Glad to help