473,399 Members | 3,603 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > asp.net > questions > using session variable in sql

Join Bytes to post your question to a community of 473,399 software developers and data experts.

Using session variable in sql

30
Hi

Please help with the follwing:
This is my testpassword.aspx file:

Expand|Select|Wrap|Line Numbers
  1. <%@ Page Language="C#" Debug="true" %>
  2. <%@ Import Namespace="System" %>
  3. <%@ Import Namespace="System.Data" %>
  4. <%@ Import Namespace="System.Configuration" %>
  5. <%@ Import Namespace="System.Xml.Linq" %>
  6. <%@ Import Namespace="System.Data.SqlClient"%> 
  7. <%@ Import Namespace="System.Data.OleDb"%> 
  8.  
  9. <html>
  10. <head>
  11. <title>Session Page 2</title>
  12. </head>
  13. <body><p>ASP.NET C# session page 2</p>
  14. <p>first name: <%=Session["FirstName"]%></p>
  15. <p>Password: <%=Session["Password"]%></p>
  16.  
  17. <% 
  18.   Response.Write("Connecting to db");
  19.   OleDbConnection Myconnection= null;
  20.   OleDbDataReader dbReader = null;
  21.   Myconnection = new OleDbConnection(@"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Documents and Settings\Administrator\My Documents\Visual Studio 2008\WebSites\WebSite1\besa.accdb");
  22.   Myconnection.Open();
  23.   OleDbCommand cmd = Myconnection.CreateCommand();
  24.   cmd.CommandText ="SELECT password FROM user WHERE username='"+Session["FirstName"]+"' ";
  25.   dbReader = cmd.ExecuteReader();         
  26.   while (dbReader.Read())
  27.    {
  28.    Response.Write(dbReader.GetString(1));
  29.    }
  30.   dbReader.Close();
  31.   Myconnection.Close();
  32.   Response.Write(" end of prog");
  33. %>            
  34.  
  35. </body>
  36. </html>
  37.  
  38.  
I am, getting the follwing error:

Expand|Select|Wrap|Line Numbers
  1. Syntax error in FROM clause.
  2. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
  3.  
  4. Exception Details: System.Data.OleDb.OleDbException: Syntax error in FROM clause.
  5.  
  6. Source Error:
  7.  
  8. Line 23:   OleDbCommand cmd = Myconnection.CreateCommand();
  9. Line 24:   cmd.CommandText ="SELECT password FROM user WHERE username='"+Session["FirstName"]+"' ";
  10. Line 25:   dbReader = cmd.ExecuteReader();         
  11. Line 26:   while (dbReader.Read())
  12. Line 27:    {
  13.  
  14.  
  15. Source File: c:\Documents and Settings\Administrator\My Documents\Visual Studio 2008\WebSites\WebSite1\testpassword.aspx    Line: 25
  16.  
  17.  
I am new to ASP and not sure how to use the session var in SQL.

Thank you for any help and advise.
Nov 8 '10 #1
5 4603
Frinavale
9,735 Expert Mod 8TB
You are accessing session correctly and it looks like what you posted should work.

I recommend that you change your approach though.
Instead of concatenating user input into your SQL command (which leaves you open to a SQL injection attack)...consider using the OleDBCommand.Parameters property to supply user input into the SQL command.

-Frinny
Nov 8 '10 #2
Oralloy
988 Expert 512MB
I would suggest that you mask out the logic from your page here, and just display the SQL that you are generating.

Then, go test the SQL in the native interface. I don't see an SQL error, but that doesn't mean that there isn't one.

Also, if you don't get a hit on Session["FirstName"], your SQL may degenerate into SELECT password FROM user WHERE username='' which may be why you're having problems.

Finally, Frinny is exactly right - you should never construct SQL by means of string concatenation.

There are at least four good reasons why:
  1. Users can enter malicious values, which terminate one bit of your SQL, and then append theirs right on the tail end by use of a semicolon. This is a very common threat that you should be aware of.
  1. There are many characters in strings, which must be specially mapped, so that they will work with your database. This list is not the same for all databases. Use of the parameter interface abstracts this problem, effectively removing it.
  1. Time and debug cost. If you have to specially code character string translations, then I can guarantee that you'll make mistakes, drop quotes, and fail to translate special characters. Guaranteed - it's just a mater of when.
  1. Quotes are not your friend. You will forever be massaging string variables to double quotes. This takes time to do correctly every time, and I guarantee that if you don't do the translation, you'll have unexpected, live data with those quote marks in it. Usually at a very inconvienent time.
Nov 8 '10 #3
Tinus
30
Thank you.
Expand|Select|Wrap|Line Numbers
  1. <%@ Page Language="C#" Debug="true" %>
  2. <%@ Import Namespace="System" %>
  3. <%@ Import Namespace="System.Data" %>
  4. <%@ Import Namespace="System.Configuration" %>
  5. <%@ Import Namespace="System.Xml.Linq" %>
  6. <%@ Import Namespace="System.Data.SqlClient"%> 
  7. <%@ Import Namespace="System.Data.OleDb"%> 
  8.  
  9. <html>
  10. <head>
  11. <title>Session Page 2</title>
  12. </head>
  13. <body><p>ASP.NET C# session page 2</p>
  14. <p>first name: <%=Session["FirstName"]%></p>
  15. <p>Password: <%=Session["Password"]%></p>
  16. <% 
  17.   Response.Write(Session["FirstName"]);
  18.   Response.Write("Connecting to db");
  19.   OleDbConnection Myconnection= null;
  20.   OleDbDataReader dbReader = null;
  21.   Myconnection = new OleDbConnection(@"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Documents and Settings\Administrator\My Documents\Visual Studio 2008\WebSites\WebSite1\besa.accdb");
  22.   Myconnection.Open();
  23.   string FirstName = Session["FirstName"].ToString();
  24.   OleDbCommand cmd = Myconnection.CreateCommand();
  25.   //cmd.CommandText = "SELECT password FROM user WHERE username='" +Session["FirstName"]+ "'";
  26.  // dbReader = cmd.ExecuteReader();         
  27.   /* 
  28.    while (dbReader.Read())
  29.    {Response.Write(dbReader.GetString(1));}
  30.     dbReader.Close(); 
  31.   */
  32.   Myconnection.Close();
  33.   Response.Write("end of prog");
  34. %>            
  35.  
  36. </body>
  37. </html>
  38.  
This gives
Expand|Select|Wrap|Line Numbers
  1. ASP.NET C# session page 2
  2.  
  3. first name: user123
  4.  
  5. Password: pass123
  6. user123Connecting to dbend of prog 
  7.  
So the Session["FirstName"] does return a result.

I will have a look at the OleDBCommand.Parameters property.
Nov 9 '10 #4
Oralloy
988 Expert 512MB
Well, so much for hopeing that it was something easy.

I'm as much at a loss at the moment as you are. Hopefully your research will yield good fruit.
Nov 9 '10 #5
Tinus
30
Hi

I have found the sollution.
User and password are reserved words in ms access so .
Expand|Select|Wrap|Line Numbers
  1. string Firstname=Session["FirstName"].ToString();
  2.   OleDbCommand cmd=Myconnection.CreateCommand();
  3.   cmd.CommandText="select [user].[password] from [user] where [user].[username]='"+Firstname+"'";
  4.  
Nov 22 '10 #6

Sign in to post your reply or Sign up for a free account.

Similar topics

15
class -session variable
by: | last post by:
Hi, I want to do things this way: I have a bunch of stuff that I want to keep track of while a user is connected to the site. Maybe 50 little peices of information. So I know I can make 50...
ASP / Active Server Pages
11
Session Variable gets truncated and drives me crazy
by: doltharz | last post by:
Please Help me i'm doing something i though was to be REALLY EASY but it drives me crazy The complete code is at the end of the email (i mean newsgroup article), i always use Option...
ASP / Active Server Pages
5
Simple Postback using Session Variable
by: Scott | last post by:
I'm trying to set a session variable after displaying a form, then capture the Session variable on postback. For some reason, the below code always returns the form, not the "Step 2" results part....
ASP / Active Server Pages
4
Shared Variable Vs. Session Variable
by: John Kraft | last post by:
Hi all, My question is more of a phylisophical one here, but I am wondering what the difference is (effectively and performance wise) between using a shared variable/static variable and using a...
ASP.NET
9
Trouble with using Session state
by: Greg Linwood | last post by:
I'm having difficulty understanding Session state in ASP.Net. It's almost embarrassing asking this as I've been using ASP since it was first released & it really shouldn't be this hard to use -...
ASP.NET
2
Session Variable Madness
by: Todd | last post by:
Here's one that has been stumping people: I'm writing in ASPX with VB.NET On the login page I set the entered usename text to a session variable....
ASP.NET
4
Using Session variable in ASP.NET page
by: Stimp | last post by:
When a user logs into my site, I create a cookie with their UserID, but I wish to also create a Session variable to track their "UserType". I do this as follows: Session("UserType") = "admin"...
ASP.NET
4
Transferring Object from Session Variable to New Class Object???
by: Don Miller | last post by:
I am using a Session variable to hold a class object between ASP.NET pages (in VB). In my constructor I check to see if the Session variable exists, and if it doesn't, I create one and populate it...
ASP.NET
17
Session Variable naming conventions.
by: Control Freq | last post by:
Hi, Not sure if this is the right NG for this, but, is there a convention for the variable names of a Session variable? I am using .NET 2.0 in C#. I am new to all this .NET stuff, So, any...
ASP.NET
5
use SESSION variable?
by: Twayne | last post by:
Hi, If ever a newbie wants to know how much he has to learn yet, he only has to look here<g>!! ANYway: PHP 5.2.5; XP Pro SP2+, local Apache Server My actual question is: How do I get a...
PHP
0
Migrating Website to Cloud - Emmanuel Katto
by: emmanuelkatto | last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud. Please let me know. Thanks! Emmanuel
General
0
BarryA
Navigating the Data Structures and Algorithms (DSA)
by: BarryA | last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
Algorithms / Advanced Math
1
Is that possible of reading the .csv file in column wise and the column have different lengths ?
by: Sonnysonu | last post by:
This is the data of csv file 1 2 3 1 2 3 1 2 3 1 2 3 2 3 2 3 3 the lengths should be different i have to store the data by column-wise with in the specific length. suppose the i have to...
C / C++
0
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
Windows Server
0
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers,...
C / C++
0
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
Online Marketing
0
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
Windows Server
0
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
Career Advice
0
isladogs
Access Europe - Using VBA to create a class based on a table - Wed 1 May
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new...
Microsoft Access / VBA

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!