
Visual C# displaying a gridview using querystring as a parameter

I have been working on a project to let users choose items for comparison. My approach is to send a query string built from the users' choices (using checkboxes) to a new page, compare.aspx. I am using a GridView for this compare.aspx and here is the code:

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="compare.aspx.cs" Inherits="AsiaWebShop.compare" %>

<html>
<head runat="server">
    <title>Untitled Page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
    <asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="False" 
        DataKeyNames="item_id" DataSourceID="SqlDataSource1">
        <Columns>
            <asp:BoundField DataField="item_id" HeaderText="item_id" InsertVisible="False" 
                ReadOnly="True" SortExpression="item_id" />
            <asp:BoundField DataField="item_name" HeaderText="item_name" 
                SortExpression="item_name" />
            <asp:BoundField DataField="category" HeaderText="category" 
                SortExpression="category" />
            <asp:BoundField DataField="pic_path" HeaderText="pic_path" 
                SortExpression="pic_path" />
            <asp:BoundField DataField="item_description" HeaderText="item_description" 
                SortExpression="item_description" />
            <asp:BoundField DataField="regular_price" HeaderText="regular_price" 
                SortExpression="regular_price" />
            <asp:BoundField DataField="member_price" HeaderText="member_price" 
                SortExpression="member_price" />
            <asp:BoundField DataField="promo_price" HeaderText="promo_price" 
                SortExpression="promo_price" />
            <asp:BoundField DataField="stock" HeaderText="stock" SortExpression="stock" />
            <asp:BoundField DataField="upc" HeaderText="upc" SortExpression="upc" />
        </Columns>
    </asp:GridView>
    <asp:SqlDataSource ID="SqlDataSource1" runat="server" 
        ConnectionString="<%$ ConnectionStrings:awsdbConnectionString %>" 
        ProviderName="<%$ ConnectionStrings:awsdbConnectionString.ProviderName %>" 
        SelectCommand="SELECT * FROM [item] WHERE ([upc] = ?)">
        <SelectParameters>
            <asp:QueryStringParameter Name="upc" QueryStringField="query" Type="String" />
        </SelectParameters>
    </asp:SqlDataSource>
</div>
</form>
</body>
</html>

The code-behind is here:

using System;

namespace AsiaWebShop
{
    public partial class compare : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // Replaces the parameterised SelectCommand declared in the markup with a
            // string built directly from the raw (unquoted, user-controlled) query-string value.
            SqlDataSource1.SelectCommand = "SELECT * FROM [item] WHERE [upc] = " + Request.QueryString["query"];
        }
    }
}

However, I got a "Data Type mismatch in criteria expression" error. Does anybody know why? Sorry, I am just a complete newbie to asp.net and C#, so please go easy on me...

It is a security risk to compose a SQL string using input from the HTTP query string. This opens you up to SQL injection attacks.

It looks like your code will work fine without any code-behind. You have already added a parameter to your data source that will capture the value you want from the query string. Using a parameter for this purpose keeps you safe from SQL injection. You may want to add a default value to the parameter in the SqlDataSource declaration.

I would definitely remove all of your code-behind and see if that solves your problem.

(Edit): To answer your original question: the reason you are getting the "Data type mismatch in criteria expression" error is that the column upc in your database is a string type (probably a varchar). If you were going to create a hard-coded SQL string with a comparison to the upc column, you would put single quotes around the value you are using for comparison (think of SQL query syntax). Since you have not included the quotes, the SQL interpreter doesn't recognize the value as a string.

I must emphasize that I am NOT recommending that you use hard-coded values in your SQL. Please be mindful of the security risk of SQL injection.
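The three behaviours the answer describes, as an added example that is not part of the original question or answer: an unquoted value pasted into the SQL is parsed as SQL syntax rather than as a string; adding quotes makes the error go away but leaves the query-string value executable as SQL; a bound parameter (what the markup's QueryStringParameter and `?` placeholder already do) fixes both. It is written in Python against an in-memory SQLite table rather than the page's C#/ASP.NET SqlDataSource so that it runs offline; SQLite reports the unquoted case as an unknown column rather than as "Data type mismatch in criteria expression", but the mechanism is the same. The table, its rows and the UPC values are constructed, the text type of `upc` follows the answer's guess (the page never shows the schema), and the multi-UPC helper at the end is an assumption about the comparison page, since the page does not say how several checkbox choices are encoded in the query string.

```python
import sqlite3

# Constructed stand-in for the page's [item] table (the page never shows the
# schema; the answer's guess that upc is a text column is assumed here).
SAMPLE_ITEMS = [
    (1, "Green tea", "drink", "012345678905"),
    (2, "Rice cooker", "kitchen", "036000291452"),
    (3, "Soy sauce", "condiment", "012993123456"),
]


def open_db():
    """In-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE item (item_id INTEGER PRIMARY KEY, item_name TEXT, "
        "category TEXT, upc TEXT)"
    )
    conn.executemany("INSERT INTO item VALUES (?, ?, ?, ?)", SAMPLE_ITEMS)
    return conn


def ids_unquoted_concat(conn, query):
    """The page's code-behind: the raw query-string value pasted into the SQL
    with no quotes, so the engine parses it as SQL syntax, not as a string."""
    sql = "SELECT item_id FROM item WHERE upc = " + query + " ORDER BY item_id"
    return [row[0] for row in conn.execute(sql)]


def unquoted_concat_error(conn, query):
    """Return the engine's error message for the unquoted form, or None."""
    try:
        ids_unquoted_concat(conn, query)
    except sqlite3.OperationalError as err:
        return str(err)
    return None


def ids_quoted_concat(conn, query):
    """The tempting 'fix': wrap the value in quotes. The type error goes away,
    but the value is still SQL text, so a quote in the input rewrites WHERE."""
    sql = "SELECT item_id FROM item WHERE upc = '" + query + "' ORDER BY item_id"
    return [row[0] for row in conn.execute(sql)]


def ids_parameterized(conn, query):
    """What the markup's QueryStringParameter already does: the value is bound
    to the ? placeholder and is never parsed as SQL."""
    sql = "SELECT item_id FROM item WHERE upc = ? ORDER BY item_id"
    return [row[0] for row in conn.execute(sql, (query,))]


def ids_for_upcs(conn, upcs):
    """Assumed comparison-page variant: several UPCs from the checkboxes.
    One placeholder per value keeps a list fully parameterized; the only
    string-building is the fixed '?' list, never user data."""
    upcs = list(upcs)
    if not upcs:
        return []
    placeholders = ", ".join("?" for _ in upcs)
    sql = ("SELECT item_id FROM item WHERE upc IN (" + placeholders
           + ") ORDER BY item_id")
    return [row[0] for row in conn.execute(sql, upcs)]


if __name__ == "__main__":
    conn = open_db()
    honest = "012345678905"
    hostile = "x' OR '1'='1"
    print("unquoted concat:", unquoted_concat_error(conn, "ABC123"))
    print("quoted concat, hostile input:", ids_quoted_concat(conn, hostile))
    print("parameterized, hostile input:", ids_parameterized(conn, hostile))
    print("parameterized, honest input:", ids_parameterized(conn, honest))
    print("several UPCs:", ids_for_upcs(conn, [honest, "036000291452"]))
```

With the hostile input the quoted-concatenation query returns every row, while the parameterized query returns none, because the bound value is compared as the literal string `x' OR '1'='1`. In the page's own stack the equivalent fix is the one the answer gives: delete the Page_Load assignment so the markup's SelectCommand with its `?` placeholder and QueryStringParameter is the only query that runs.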
