I have a search form on ASP.net web form site. I tried using a UserControl and form did not submit or work. I trired form tags. Any Ideas?
Here is enter code hereform code:
using System; using System.Collections.Generic; using System.Linq; using System.Web; using System.Web.UI; using System.Web.UI.WebControls;using System.Text; using System.Data; using System.Data.SqlClient; using System.Configuration; using Umbraco.Core;using Umbraco.Core.Persistence.DatabaseAnnotations; using Umbraco.Core.Persistence; public partial class usercontrols_MedicineSearch_medicineSearchform : System.Web.UI.UserControl{
public SqlConnection con;
public string query;
public string constr;
public void connection()
{
constr = ConfigurationManager.ConnectionStrings["umbracoDbDSN"].ToString();
con = new SqlConnection(constr);
con.Open();
}
protected void Page_Load(object sender, EventArgs e)
{
Label1.Visible = false;
Label2.Visible = false;
}
private void Medicine_Bind()
{
TextBox2.Text = DropDownList1.SelectedItem.Value;
TextBox3.Text = DropDownList2.SelectedItem.Value;
connection();
StringBuilder sb = new StringBuilder();
sb.Append("SELECT * FROM CMasthmaMedicines WHERE MedicineUse LIKE '");
sb.Append(TextBox2.Text);
sb.Append("%'");
sb.Append(" AND ");
sb.Append("(DrugName LIKE'");
sb.Append("%'");
sb.Append(" OR ");
sb.Append("Brand LIKE'");
sb.Append(TextBox1.Text);
sb.Append("%')");
sb.Append(" AND ");
sb.Append("TypeMedicine LIKE'");
sb.Append(TextBox3.Text);
sb.Append("%'");
sb.Append("ORDER BY DrugName ASC");
query = sb.ToString();
SqlDataAdapter da = new SqlDataAdapter(query, con);
DataSet ds = new DataSet();
da.Fill(ds);
AsthmaRepeater.DataSource = ds;
AsthmaRepeater.DataBind();
}
protected void Button1_Click(object sender, EventArgs e)
{
Label1.Visible = true;
Label1.Text = "We could not find '" + TextBox1.Text + "' in our records. Please check the spelling of your search term and reset Medicine Use and Type of Medicine to All."; ;
TextBox2.Text = DropDownList1.SelectedItem.Value;
TextBox3.Text = DropDownList2.SelectedItem.Value;
connection();
StringBuilder sb2 = new StringBuilder();
sb2.Append("SELECT DrugName, Brand, MedicineUse, TypeMedicine FROM AsthmaMedicines WHERE MedicineUse LIKE '");
sb2.Append(TextBox2.Text);
sb2.Append("%'");
sb2.Append(" AND ");
sb2.Append("(DrugName LIKE'");
sb2.Append(TextBox1.Text);
sb2.Append("%'");
sb2.Append(" OR ");
sb2.Append("Brand LIKE'");
sb2.Append(TextBox1.Text);
sb2.Append("%')");
sb2.Append(" AND ");
sb2.Append("TypeMedicine LIKE'");
sb2.Append(TextBox3.Text);
sb2.Append("%'");
sb2.Append("ORDER BY DrugName ASC");
string query = sb2.ToString();
SqlCommand com = new SqlCommand(query, con);
SqlDataReader dr;
dr = com.ExecuteReader();
if (dr.HasRows)
{
dr.Read();
Medicine_Bind();
AsthmaRepeater.Visible = true;
TextBox3.Text = "";
TextBox2.Text = "";
TextBox1.Text = "";
Label1.Text = "";
}
else
{
AsthmaRepeater.Visible = false;
}
}
But apart from that I would seriously look at rewriting your code behind for this form as you have a really big security issue here for potential SQL Injection with the way you are building your SQL query (by concatenation).
Thanks I used one of your links to help me render the form. Now all I have to do figure how to take submitted data and search the database in questions. If you have any ideas or thoughts that would be great. I am coming up empty. The old site used webforms and connected to db and pulled the data. Now I am stuck
ASP.net form in Umbraco
I have a search form on ASP.net web form site. I tried using a UserControl and form did not submit or work. I trired form tags. Any Ideas? Here is
enter code here
form code:How do I get this to work?
Here is the back end code:
In Umbraco you should really be using MVC forms. See https://our.umbraco.com/documentation/reference/templating/mvc/forms
But apart from that I would seriously look at rewriting your code behind for this form as you have a really big security issue here for potential SQL Injection with the way you are building your SQL query (by concatenation).
You need to use properly parameterized queries in order to prevent this vector otherwise you run a very serious risk of having your entire database leaked or deleted. See https://stackoverflow.com/questions/35163361/how-can-i-add-user-supplied-input-to-an-sql-statement?answertab=votes#tab-top
Thanks I used one of your links to help me render the form. Now all I have to do figure how to take submitted data and search the database in questions. If you have any ideas or thoughts that would be great. I am coming up empty. The old site used webforms and connected to db and pulled the data. Now I am stuck
I got form working on the site.
is working on a reply...