Detailsview InsertItem
-
Hello, I am trying to use a DetailsView to insert a new item into a db table. The problem is, I organized everything without knowing the table's schema a priori. I use a GridView to visualize and update the table, and it all works correctly by binding the GridView dynamically to the table in the Page_Load event handler. I don't use any template. When I try to do something similar to insert a new row using a dynamically bound DetailsView, I correctly visualize the fields' names in the DetailsView, but as I modify the values and try to handle the insert event, I find in the DetailsViewInsertEventArgs parameter that the Values collection property only has the Keys subcollection correctly populated, but the Values are all empty. I would expect, but maybe I didn't understand well, the Values.Values subcollection to be populated with the values I inserted, just as I find the Values.Keys subcollection populated with the fields' names. Is it due to the fact that I am binding dynamically? Is there a way to work around this limitation?
-
To make things clearer, here is my markup:
    <%@ Page Title="" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="Insert.aspx.cs" Inherits="DBManagerWebForm.Insert" %>
    <%-- --%>
and this is the codebehind:
    protected void DetailsView1_ItemInserting(object sender, DetailsViewInsertEventArgs e)
    {
        int i;
        SqlDbType T;
        try
        {
            string Cmd = "INSERT INTO " + TABLE + " (";
            IEnumerator En = e.Values.Keys.GetEnumerator();
            En.Reset();
            for (i = 0; i < e.Values.Count - 1; i++)
            {
                En.MoveNext();
                Cmd += En.Current.ToString() + ",";
            }
            En.MoveNext();
            Cmd += En.Current.ToString() + ") VALUES (";
            string val;
            En.Reset();
            for (i = 0; i < e.Values.Count - 1; i++)
            {
                En.MoveNext();
                T = Util.GetSqlType(DT.Columns[i].DataType);
                val = e.Values[En.Current] == null ? "" : e.Values[En.Current].ToString();
                if (T == SqlDbType.NVarChar)
                    Cmd += "'" + val + "',";
                else
                    Cmd += val + ",";
            }
            En.MoveNext();
            T = Util.GetSqlType(DT.Columns[i].DataType);
            val = e.Values[En.Current] == null ? "" : e.Values[En.Current].ToString();
            if (T == SqlDbType.NVarChar)
                Cmd += "'" + val + "')";
            else
                Cmd += val + ")";
            string ConnStr = WebConfigurationManager.Connect
-
Your code is vulnerable to SQL Injection. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
SQL injection attack mechanics | Pluralsight
    protected void DetailsView1_ItemInserting(object sender, DetailsViewInsertEventArgs e)
    {
        string ConnStr = WebConfigurationManager.ConnectionStrings[CONNECTION].ConnectionString;
        using (SqlConnection connection = new SqlConnection(ConnStr))
        using (SqlCommand command = new SqlCommand("", connection))
        {
            string[] columns = new string[e.Values.Count];
            int index = 0;
            foreach (string key in e.Values.Keys)
            {
                // A null value has to be passed as DBNull.Value; with a plain null SqlClient does not send the parameter at all.
                command.Parameters.AddWithValue("@" + key, e.Values[key] ?? DBNull.Value);
                columns[index] = key;
                index++;
            }
            // Column names come from the DetailsView's bound field names and cannot be passed as parameters; only the values are.
            command.CommandText = string.Format("INSERT INTO [{0}] ({1}) VALUES (@{2})",
                TABLE, string.Join(", ", columns), string.Join(", @", columns));
            connection.Open();
            command.ExecuteNonQuery();
        }
        Server.Transfer("~/modifica.aspx");
    }
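The parameterized version above still has to put column names into the command text, because identifiers cannot be bound as parameters. The following is an added example, not code from either poster, that keeps the values parameterized and additionally allow-lists each column name against the table's real schema (read from INFORMATION_SCHEMA, in place of the poster's DT/Util.GetSqlType helpers) before it enters the SQL; TABLE, CONNECTION and the table name are hypothetical values, and the DBNull handling covers the empty values the question describes.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web.Configuration;
using System.Web.UI.WebControls;
public partial class Insert : System.Web.UI.Page
{
    // Hypothetical values: the post references TABLE and CONNECTION but never shows them.
    private const string TABLE = "Customers";
    private const string CONNECTION = "DBManagerConnection";
    private static readonly Regex SafeIdentifier = new Regex(@"^[A-Za-z_][A-Za-z0-9_]*$");
    // Assumes DetailsView1 is bound only when !IsPostBack; rebinding on every postback drops the posted values.
    protected void DetailsView1_ItemInserting(object sender, DetailsViewInsertEventArgs e)
    {
        string connStr = WebConfigurationManager.ConnectionStrings[CONNECTION].ConnectionString;
        using (var connection = new SqlConnection(connStr))
        using (var command = connection.CreateCommand())
        {
            connection.Open();
            // Column names cannot be parameterised: allow-list each one against the live schema, then bracket-quote it.
            HashSet<string> allowed = LoadColumnNames(connection, TABLE);
            var keys = new List<string>();
            foreach (string key in e.Values.Keys)
            {
                if (!SafeIdentifier.IsMatch(key) || !allowed.Contains(key))
                    throw new InvalidOperationException("Column not in schema: " + key);
                keys.Add(key);
                // Send null as DBNull; with a null value SqlClient omits the parameter and the INSERT fails.
                command.Parameters.AddWithValue("@" + key, e.Values[key] ?? DBNull.Value);
            }
            command.CommandText = string.Format("INSERT INTO [{0}] ([{1}]) VALUES (@{2})",
                TABLE, string.Join("], [", keys), string.Join(", @", keys));
            command.ExecuteNonQuery();
        }
    }
    // Reads the real column list so the control's field names can be checked against it.
    private static HashSet<string> LoadColumnNames(SqlConnection connection, string table)
    {
        var names = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        using (var cmd = new SqlCommand(
            "SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = @table", connection))
        {
            cmd.Parameters.AddWithValue("@table", table);
            using (SqlDataReader reader = cmd.ExecuteReader())
                while (reader.Read()) names.Add(reader.GetString(0));
        }
        return names;
    }
}
```

Column names containing spaces or other characters outside the identifier pattern are rejected by the regex; widen it deliberately if such columns exist, since the bracket quoting already protects the SQL text.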