Function getRefundPayId(refundId, parentId)
    If refundId <> "" Then
        ' The ids are concatenated straight into the SQL text (the asker's original code)
        sql = "select PayID from (select PayID,RID from epayment with (nolock) where ParentPayid = " & sqlS(parentId) & " ) As rid Where Rid = " & sqlS(refundId)
        set rs = my_conn.execute(sql)
        if not rs.eof then
            RefundPayid = rs("payid")
        end if
        set rs = nothing
    End If
    getRefundPayId = RefundPayid
End Function

// I'd appreciate it if someone could convert this to a string. Thank you.

What I have tried:

public ActionResult (string refundId, string parentId)
{
    sql =
    select PayID from (select PayID,RID from epayment with (nolock) where ParentPayid = " & sqlS(parentId) & " ) As rid Where Rid = " & sqlS(refundId)
    set rs = my_conn.execute(sql);

    {@refundId, refundId},
    {@parentId, parentID}
}
Posted; updated 31-May-20 3:18am

Your request has a few issues:
1. The Classic ASP you provided is a function that is being called by a page.
2. The Classic ASP you provided is calling another custom function: sqlS

So I can only work with what I know, and it will be done based on:
1. The .NET equivalent will also be a function that can be called by the ActionResult method.
2. To protect from SQL injection, the method will use parameters.
3. sqlS is assumed to be some sort of SQL sanitization.
4. The subquery really is not needed.
5. PayID, Rid, and refundID are most likely defined as INT within SQL.
6. No need for a "recordset" when only 1 value is being returned.

This will give us something like this:
C#
using System;
using System.Data.SqlClient;

// my_conn is assumed to be an already-open SqlConnection
public int getRefundPayId(int refundId, int parentId) {
   int RefundPayid = -1;

   // An int can never be null; the Classic ASP empty-string check becomes a
   // guard against a missing (zero) id here.
   if (refundId > 0) {
      string query = "SELECT PayID FROM epayment with (nolock) WHERE ParentPayid = @ParentPayid AND Rid = @Rid";
      using (SqlCommand cmd = new SqlCommand(query, my_conn)) {
         // The ids travel as parameters, never as part of the SQL text
         cmd.Parameters.AddWithValue("@ParentPayid", parentId);
         cmd.Parameters.AddWithValue("@Rid", refundId);

         // ExecuteScalar returns null when no row matches; keep -1 in that case
         object result = cmd.ExecuteScalar();
         if (result != null && result != DBNull.Value) {
            RefundPayid = (int)result;
         }
      }
   }
   return RefundPayid;
}
0) NEVER use string concatenation in SQL queries. You're setting yourself up for SQL injection attacks.

1) You should do all of your SQL work from a DAL and BLL stack. This separates the backend from the UI.

2) You didn't mention what SQL you're using. Is it MS SQL, MySql, SomeOtherSQL? Because of this, I don't know how to really answer your question.
 
Comments
Member 14794855 31-May-20 11:20am    
Hi there,
Thanks for the advice regarding SQL queries. I'm using MySQL.
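Since the asker is on MySQL, here is an added example (not code from the question or either answer) that puts the two answers together for that database: the lookup lives in a data-access class and uses parameters, and the controller action only calls it. It assumes ASP.NET MVC 5, the MySqlConnector package, a connection string named "epayment" in Web.config, and INT columns; the SQL Server `with (nolock)` hint is dropped because MySQL does not accept it.

```csharp
using System;
using System.Configuration;
using System.Web.Mvc;
using MySqlConnector;   // assumed NuGet package

public class PaymentRepository
{
    // Assumed connection string name in Web.config
    private readonly string _connectionString =
        ConfigurationManager.ConnectionStrings["epayment"].ConnectionString;

    // Returns the PayID for a refund row, or null when no row matches.
    public int? GetRefundPayId(int refundId, int parentId)
    {
        // No subquery needed; MySQL has no "with (nolock)" hint.
        const string query =
            "SELECT PayID FROM epayment WHERE ParentPayid = @parentId AND RID = @refundId";

        using (var conn = new MySqlConnection(_connectionString))
        using (var cmd = new MySqlCommand(query, conn))
        {
            // Ids are sent as typed parameters, never spliced into the SQL text.
            cmd.Parameters.AddWithValue("@parentId", parentId);
            cmd.Parameters.AddWithValue("@refundId", refundId);
            conn.Open();

            object result = cmd.ExecuteScalar();   // null when no row matched
            if (result == null || result == DBNull.Value)
                return null;
            return Convert.ToInt32(result);
        }
    }
}

public class RefundController : Controller
{
    private readonly PaymentRepository _payments = new PaymentRepository();

    // GET /Refund/PayId?refundId=...&parentId=...
    // Model binding rejects non-numeric ids before any SQL runs.
    public ActionResult PayId(int refundId, int parentId)
    {
        int? payId = _payments.GetRefundPayId(refundId, parentId);
        if (payId == null)
            return HttpNotFound();
        return Json(new { PayID = payId.Value }, JsonRequestBehavior.AllowGet);
    }
}
```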

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)