[英]Visual C# displaying a gridview using querystring as a parameter
I have been working on a project to let users choose items for comparison. 我一直在进行一个项目,以允许用户选择要比较的项目。 My approach is to send a query string from the users' choices (using checkboxes) to a new page, compare.aspx. 我的方法是将查询字符串从用户的选择(使用复选框)发送到新页面compare.aspx。 I am using a gridview for this compare.aspx and here is the code: 我正在为这个compare.aspx使用gridview,这是代码:
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="compare.aspx.cs" Inherits="AsiaWebShop.compare" %>
Untitled Page 无标题页面
<asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="False"
DataKeyNames="item_id" DataSourceID="SqlDataSource1">
<Columns>
<asp:BoundField DataField="item_id" HeaderText="item_id" InsertVisible="False"
ReadOnly="True" SortExpression="item_id" />
<asp:BoundField DataField="item_name" HeaderText="item_name"
SortExpression="item_name" />
<asp:BoundField DataField="category" HeaderText="category"
SortExpression="category" />
<asp:BoundField DataField="pic_path" HeaderText="pic_path"
SortExpression="pic_path" />
<asp:BoundField DataField="item_description" HeaderText="item_description"
SortExpression="item_description" />
<asp:BoundField DataField="regular_price" HeaderText="regular_price"
SortExpression="regular_price" />
<asp:BoundField DataField="member_price" HeaderText="member_price"
SortExpression="member_price" />
<asp:BoundField DataField="promo_price" HeaderText="promo_price"
SortExpression="promo_price" />
<asp:BoundField DataField="stock" HeaderText="stock" SortExpression="stock" />
<asp:BoundField DataField="upc" HeaderText="upc" SortExpression="upc" />
</Columns>
</asp:GridView>
<asp:SqlDataSource ID="SqlDataSource1" runat="server"
ConnectionString="<%$ ConnectionStrings:awsdbConnectionString %>"
ProviderName="<%$ ConnectionStrings:awsdbConnectionString.ProviderName %>"
SelectCommand="SELECT * FROM [item] WHERE ([upc] = ?)">
<SelectParameters>
<asp:QueryStringParameter Name="upc" QueryStringField="query" Type="String" />
</SelectParameters>
</asp:SqlDataSource>
</div>
</form>
The code behind is here: 后面的代码在这里:
namespace AsiaWebShop
{
public partial class compare : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
SqlDataSource1.SelectCommand = "SELECT * FROM [item] WHERE [upc] = " +Request.QueryString["query"];
}
}
}
However I got a "Data Type mismatch in criteria expression" error, does anybody knows why? 但是我收到“条件表达式中的数据类型不匹配”错误,有人知道为什么吗? Sorry I am just a complete newbie to asp.net and C# so please go easy on me... 抱歉,我只是asp.net和C#的完全新手,所以请对我轻松一点...
It is a security risk to compose a SQL string using a input form the HTTP query string. 使用HTTP查询字符串的输入来组成SQL字符串存在安全风险。 This opens you up to SQL injection attacks . 这使您可以进行SQL注入攻击 。
It looks like your code will work fine without any code-behind. 看起来您的代码可以正常工作,而无需任何代码隐藏。 You have already added a parameter to your data source that will capture the value you want from the query string. 您已经在数据源中添加了一个参数,该参数将从查询字符串中捕获所需的值。 Using a parameter for this purpose keeps you safe from SQL injection. 为此,使用参数可以防止SQL注入。 You may want to add a default value to the parameter in the SQLDataSource declaration. 您可能需要在SQLDataSource声明中的参数中添加默认值。
I would definitely remove all of your code behind and see if that solves your problem. 我一定会删除您所有的代码,看看是否能解决您的问题。
(Edit): To answer your original question: the reason you are getting the "Data type mismatch in criteria expression" error is because the column upc
in your database is a string type (probably a varchar
). (编辑):回答您的原始问题:之所以收到“条件表达式中的数据类型不匹配”错误,是因为数据库中的列upc
是字符串类型(可能是varchar
)。 If you were going to create a hard coded SQL string with a comparison to the upc column, you would put single quotes around the value you are using for comparison (think of SQL query syntax). 如果要创建一个与upc列进行比较的硬编码SQL字符串,则可以在用于比较的值周围加上单引号(请考虑使用SQL查询语法)。 Since you have not included the quotes, the SQL interpreter doesn't recongnize the value as a string. 由于您没有包括引号,因此SQL解释器不会将值重新识别为字符串。
I must emphasize that I am NOT recommending that you use hard coded values in your SQL. 我必须强调,我不建议您在SQL中使用硬编码值。 Please be mindful of the security risk of SQL injection. 请注意SQL注入的安全风险。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.