473,440 Members | 1,790 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > visual basic .net > questions > dilemna on how to code what i need to do

Join Bytes to post your question to a community of 473,440 software developers and data experts.

Dilemna on how to Code what I need to do

Ok, I inherited some code written in vb that is part of a web application.
My overall objective is to be able to take multiple names from a "LastName"
text box and use those names in my SQL query against my database. Currently
the way it is coded, the text box will pass one name only to the next page,
which then gets formed into the SQL query. I will provide some examples of
the code that is used to perform this task...

Ok, when you put in a last name, it is assigned to the sLastname variable
with the following code:
Dim sLastname As String = Trim(Request.Form("txtLastname"))
If Len(sLastname) 0 Then
sURL += "LastName=" & sLastname & "&"
End If
The html behind that form is as follows:
<td>Last Name</td>
<td><textarea style="font-family: Verdana, Arial, Helvetica,
sans-serif; color: #000000;" name="txtLastName" rows=3 cols=17
id="txtLastName"></textarea></td>
</tr>
After everything is evaluated, the corresponing URL is built with the
following code:

sURL = "Students.aspx?" & sURL
Response.Redirect(sURL)

So for an example, if I put in the last Name Washington, the final URL after
you hit the Search button would look like:
sURL "Students.aspx?LastName=Washington" String
The above line is a copy from the visual studio 2003 debugging mode
variable watch for the variable sURL

So now, we would jump over into students.aspx with the ?LastName=Washington
appendix

The first couple of lines in the Students.aspx.vb page are as follows:
Dim iQueryStringStart As Integer = Request.RawUrl.IndexOf("?")
Dim sQueryString As String = ""
If iQueryStringStart 0 Then
sQueryString = Request.RawUrl.Substring(iQueryStringStart)
End If
If Request.Form.Count = 0 Then
Dim sNickName As String =
UCase(Trim(Request.QueryString("NickName")))
Dim sFirstName As String =
UCase(Trim(Request.QueryString("FirstName")))
Dim sLastname As String =
UCase(Trim(Request.QueryString("Lastname")))

then later on down the page

sBody = GetBody(sNickName, _
sFirstName, _
sLastname, _
sMatricDate, _
sSourceCode, _
sDegreeProgram, _
sCitizenship, _
sCity, _
sState, _
sCountry, _
sPhDAreaOfStudy, _
sApplComp, _
sApplResponse, _
sStudentStatus, _
sCondCalculus, _
sOrientationFee, _
sEmbarkApp, _
sSpecialAccept, _
sGAResident, _
sAsstRequested, _
sAsstOffered, _
sLocalCity, _
sLocalState, _
bPosted, _
sQueryString)

Then to jump into the GetBody function...
Function GetBody(ByVal sNickName As String, _
ByVal sFirstName As String, _
ByVal sLastname As String, _
ByVal sMatricDate As String, _
ByVal sSourceCode As String, _
ByVal sDegreeProgram As String, _
ByVal sCitizenship As String, _
ByVal sCity As String, _
ByVal sState As String, _
ByVal sCountry As String, _
ByVal sPhDAreaOfStudy As String, _
ByVal sApplComp As String, _
ByVal sApplResponse As String, _
ByVal sStudentStatus As String, _
ByVal sCondCalculus As String, _
ByVal sOrientationFee As String, _
ByVal sEmbarkApp As String, _
ByVal sSpecialAccept As String, _
ByVal sGAResident As String, _
ByVal sAsstRequested As String, _
ByVal sAsstOffered As String, _
ByVal sLocalCity As String, _
ByVal sLocalState As String, _
ByVal bPosted As Boolean, _
ByVal sQueryString As String)

Dim sRetVal As String = ""

sRetVal += "<table cellpadding=2 cellspacing=0 border=0
width=""100%"">" & vbCr
sRetVal += "<tr>" & vbCr
sRetVal += "<td>" & vbCr
sRetVal += "<form name=frmStudents method=post
action=""Students.aspx" & sQueryString & """>" & vbCr
sRetVal += "<p style=""margin-left:5pt;"">" & vbCr
sRetVal += BTN_BACK & vbCr
sRetVal += "<input type=image name=btnPost alt=""Post""
src=""images/ico_post.gif"">" & vbCr
sRetVal += "<input type=image name=btnDelete alt=""Delete""
src=""images/ico_delete.gif"">" & vbCr
sRetVal += BTN_CANCEL & vbCr
sRetVal += "</p>" & vbCr

Try
Dim cn As OleDbConnection = OpenDatabase(OLEDB_PROVIDER &
gsConnectionString)

Dim sStudentSQLWC As String = GetStudentSQLWC(sNickName, _
sFirstName, _
sLastname, _
sMatricDate, _
sSourceCode, _
sDegreeProgram, _
sCitizenship, _
sCity, _
sState, _
sCountry, _
sPhDAreaOfStudy, _
sApplComp, _
sApplResponse, _
sStudentStatus, _
sCondCalculus, _
sOrientationFee, _
sEmbarkApp, _
sSpecialAccept, _
sGAResident, _
sAsstRequested, _
sAsstOffered, _
sLocalCity, _
sLocalState, _
bPosted)

Dim sSQL As String = ""
sSQL += "SELECT COUNT(*) AS iCnt "
sSQL += "FROM Students "
sSQL += sStudentSQLWC

Dim iCnt As Integer = GetSingleResult(cn, sSQL, "iCnt",
VariantType.Integer)

sSQL = ""
sSQL += "SELECT StudentId, "
sSQL += " Posted, "
sSQL += " LastName, "
sSQL += " FirstName, "
sSQL += " DegreeProgram, "
sSQL += " MatricDate, "
sSQL += " StudentStatus "
sSQL += "FROM Students "
sSQL += sStudentSQLWC
sSQL += "ORDER BY LastName, "
sSQL += " FirstName, "
sSQL += " StudentStatus"

and then to see the GetStudentSQLWC function...

Function GetStudentSQLWC(ByVal sNickName As String, _
ByVal sFirstName As String, _
ByVal sLastname As String, _
ByVal sMatricDate As String, _
ByVal sSourceCode As String, _
ByVal sDegreeProgram As String, _
ByVal sCitizenship As String, _
ByVal sCity As String, _
ByVal sState As String, _
ByVal sCountry As String, _
ByVal sPhDAreaOfStudy As String, _
ByVal sApplComp As String, _
ByVal sApplResponse As String, _
ByVal sStudentStatus As String, _
ByVal sCondCalculus As String, _
ByVal sOrientationFee As String, _
ByVal sEmbarkApp As String, _
ByVal sSpecialAccept As String, _
ByVal sGAResident As String, _
ByVal sAsstRequested As String, _
ByVal sAsstOffered As String, _
ByVal sLocalCity As String, _
ByVal sLocalState As String, _
ByVal bPosted As Boolean) As String

Dim sRetVal As String = ""

sRetVal += SQLWC("NickName", sNickName, VariantType.String)
sRetVal += SQLWC("FirstName", sFirstName, VariantType.String)
sRetVal += SQLWC("Lastname", sLastname, VariantType.String)
sRetVal += SQLWC("MatricDate", sMatricDate, VariantType.String)
sRetVal += SQLWC("SourceCode", sSourceCode, VariantType.String)
sRetVal += SQLWC("DegreeProgram", sDegreeProgram, VariantType.String)
sRetVal += SQLWC("Citizenship", sCitizenship, VariantType.String)
sRetVal += SQLWC("City", sCity, VariantType.String)
sRetVal += SQLWC("State", sState, VariantType.String)
sRetVal += SQLWC("Country", sCountry, VariantType.String)
sRetVal += SQLWC("PhDAreaOfStudy", sPhDAreaOfStudy,
VariantType.String)
sRetVal += SQLWC("ApplComp", sApplComp, VariantType.Integer)
sRetVal += SQLWC("ApplResponse", sApplResponse, VariantType.String)
sRetVal += SQLWC("StudentStatus", sStudentStatus, VariantType.String)
sRetVal += SQLWC("CondCalculus", sCondCalculus, VariantType.Integer)
sRetVal += SQLWC("OrientationFee", sOrientationFee,
VariantType.Integer)
sRetVal += SQLWC("EmbarkApp", sEmbarkApp, VariantType.Integer)
sRetVal += SQLWC("SpecialAccept", sSpecialAccept, VariantType.Integer)
sRetVal += SQLWC("GAResident", sGAResident, VariantType.Integer)
sRetVal += SQLWC("AsstRequested", sAsstRequested, VariantType.Integer)
sRetVal += SQLWC("AsstOffered", sAsstOffered, VariantType.Integer)
sRetVal += SQLWC("LocalCity", sLocalCity, VariantType.String)
sRetVal += SQLWC("LocalState", sLocalState, VariantType.String)
sRetVal += SQLWC("Posted", bPosted, VariantType.Boolean)

If Len(sRetVal) 0 Then
'add the " WHERE " clause and trim the final "AND "
sRetVal = " WHERE " & Left(sRetVal, Len(sRetVal) - 4) & " "
End If

Return sRetVal

And the SQLWC function is as follows:
Shared Function SQLWC(ByVal sField As String, _
ByVal oVal As Object, _
ByVal oType As VariantType) As String

Dim sRet As String = ""

Select Case oType
Case vbString
'Add If statement that will evaluate Oval string for Yes and
No
If Len(oVal) 0 Then
'Add If statement that will evaluate Oval string for Yes
and No and convert to 1 or 0
If oVal = "YES" Then
oType = VariantType.Integer
oVal = 1
sRet = " " & sField & " = " & oVal.ToString.Trim() &
" AND "
ElseIf oVal = "NO" Then
oType = VariantType.Integer
oVal = 0
sRet = " " & sField & " = " & oVal.ToString.Trim() &
" AND "
'Added this elseif to search for different country
fields in alumni search
ElseIf sField = "WorkCountry" Or sField = "LocalCountry"
Or sField = "HomeCountry" Then
sRet = " UPPER(" & sField & ") LIKE " & SQLSTR(oVal
& "%") & " OR "
Else
sRet = " UPPER(" & sField & ") LIKE " & SQLSTR(oVal
& "%") & " AND "
End If

End If
Case vbBoolean
If oVal Then
sRet = " " & sField & " = 1 AND "
End If
Case vbInteger
If IsNumeric(oVal) Then
sRet = " " & sField & " = " & oVal.ToString.Trim() &
" AND "
End If
Case vbDate
If IsDate(oVal) Then
sRet = " " & sField & " = " & SQLSTR(oVal) & " AND "
End If
End Select

Return sRet
So hopefully, that is enough of a peek into the Code. I need to figure out
a way, IF I CAN, to work with this code, so that when you enter multiple
lastnames in the Lastname box, it will pass that information as a NAME, or
NAMe into the SQL query that it will build.

I am thinking I need to change the initial box from a string character to
something else... any ideas?
Feb 14 '07 #1
4 1358
=?Utf-8?B?Ym9va2VyQG1ndA==?= <bo*******@discussions.microsoft.comwrote
in news:D2**********************************@microsof t.com:
I am thinking I need to change the initial box from a string character
to something else... any ideas?
Take a look at Parameterized Queries - your code looks like it's ripe for a
SQL injection attack.

Feb 14 '07 #2
Thanks Spam..
I will work on that a little later, but in the mean time, I have a deadline
to try and fix the current code to handle my qequests.. any ideas....

Maybe some kind of way, turning the text box entry into an array, but not
sure how to set a delineator to separate the different names..

"Spam Catcher" wrote:
=?Utf-8?B?Ym9va2VyQG1ndA==?= <bo*******@discussions.microsoft.comwrote
in news:D2**********************************@microsof t.com:
I am thinking I need to change the initial box from a string character
to something else... any ideas?

Take a look at Parameterized Queries - your code looks like it's ripe for a
SQL injection attack.

Feb 14 '07 #3
=?Utf-8?B?Ym9va2VyQG1ndA==?= <bo*******@discussions.microsoft.comwrote
in news:38**********************************@microsof t.com:
I will work on that a little later, but in the mean time, I have a
deadline
to try and fix the current code to handle my qequests.. any ideas....
You should make it a priority ... because someone could "DELETE FROM
TABLE" pretty easily ;-)

Maybe some kind of way, turning the text box entry into an array, but
not sure how to set a delineator to separate the different names..
You'll need to dynamically prompt for additional textboxes, then pass each
name as an individual URL parameter to the receiving page.

If can modify the code even more, perhaps post an XML document to the
receiving site with all the usernames/password?

Lastly you could use a web service instead which would solve a lot of
problem :-)
Feb 14 '07 #4

What do you mean by the receiving site?

The dynamic idea sounds appealing, however, if the ywant to do multiple
first names as well, i am not sure how scalable that will be, with dynamic
text boxes popping up. Do you have an example of how to code that.

If i did not mention, i am very much a NOVICE at this

And for now, we back up the database daily, so if it gets wiped out UNTIL I
can protect against the SQL injection attacks (Which is an entirely different
can of worms, as I am not even sure where to begin to protect against that),
then at least I have some offsite backup....

Thanks SpamCatcher..

Thanks


"Spam Catcher" wrote:
=?Utf-8?B?Ym9va2VyQG1ndA==?= <bo*******@discussions.microsoft.comwrote
in news:38**********************************@microsof t.com:
I will work on that a little later, but in the mean time, I have a
deadline
to try and fix the current code to handle my qequests.. any ideas....

You should make it a priority ... because someone could "DELETE FROM
TABLE" pretty easily ;-)

Maybe some kind of way, turning the text box entry into an array, but
not sure how to set a delineator to separate the different names..

You'll need to dynamically prompt for additional textboxes, then pass each
name as an individual URL parameter to the receiving page.

If can modify the code even more, perhaps post an XML document to the
receiving site with all the usernames/password?

Lastly you could use a web service instead which would solve a lot of
problem :-)
Feb 15 '07 #5
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

51
OO in PHP
by: Mudge | last post by:
Please, someone, tell me why OO in PHP is better than procedural.
PHP
9
FrontController Design Pattern and Code Reuse
by: bigoxygen | last post by:
Hi. I'm using a 3 tier FrontController Design for my web application right now. The problem is that I'm finding to have to duplicate a lot of code for similar functions; for example, listing...
PHP
53
Some unknown browsers fail to calculate my JavaScript code.
by: Cardman | last post by:
Greetings, I am trying to solve a problem that has been inflicting my self created Order Forms for a long time, where the problem is that as I cannot reproduce this error myself, then it is...
Javascript
8
Running autogenerated code in another python instance
by: Paul Cochrane | last post by:
Hi all, I've got an application that I'm writing that autogenerates python code which I then execute with exec(). I know that this is not the best way to run things, and I'm not 100% sure as to...
Python
7
What is wrong with this code?
by: Vic | last post by:
Dear All, I found this code snippet on this list (taken from a nice webpage of a courteous fellow), which I used to filter a form on a combo box. I wanted to repeat the same code to have an...
Microsoft Access / VBA
3
A dilemna with circular reference of headers file
by: JCB | last post by:
Hi, I have two C file which are referencing in a circular way. To simplify I use an example with car : Suppose I have a program for cars. I have car.c, structure car and functions...
C / C++
9
Radius, distance, latitude, longitude tool or code
by: Sandy | last post by:
Hello - I need either a cheap tool or code & DB that calculates, eg. within 50-mile radius of a zip code. Anyone have any suggestions? -- Sandy
Visual Basic .NET
16
FOR ALL - Best Practices for navigating within code? -plus - Add-In's that help?
by: Rex | last post by:
Hi All - I have a question that I think MIGHT be of interest to a number of us developers. I am somewhat new to VIsual Studio 2005 but not new to VB. I am looking for ideas about quick and...
Visual Basic .NET
0
MS Chart Programming Dilemna
by: OldManChuck | last post by:
I am using MS Chart in VB6, running under Embedded XP (or desktop XP) to display data in 2D-Line format. I am trying to find a way to highlight small portions of the chart to identify 'alarm' areas....
Visual Basic 4 / 5 / 6
1
Looking to do Android software development, any suggestions? Is flutter better?
by: nemocccc | last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
General
1
Is that possible of reading the .csv file in column wise and the column have different lengths ?
by: Sonnysonu | last post by:
This is the data of csv file 1 2 3 1 2 3 1 2 3 1 2 3 2 3 2 3 3 the lengths should be different i have to store the data by column-wise with in the specific length. suppose the i have to...
C / C++
0
How to build RAID in BIOS?
by: Hystou | last post by:
There are some requirements for setting up RAID: 1. The motherboard and BIOS support RAID configuration. 2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
Computer Hardware
0
marktang
What is ONU?
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
General
0
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
Windows Server
0
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers,...
C / C++
0
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
Online Marketing
0
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
General
0
Windows Forms - .Net 8.0
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
Visual Basic .NET

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!