Click here to Skip to main content
15,914,409 members
Search within:


How to declare value in <p> </p> ?
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
C#
ASP.NET
I have problem with declaration for PID here at .aspx.cs. How to declare quantity that is in <p> <p> ?.
ASPX
<h5 class="h5size"> Kuantiti Produk </h5>
<p><%#Eval("PQuantity") %></p>
C#
protected void rptrProductDetails_ItemDataBound(object sender, RepeaterItemEventArgs e)
{
if (e.Item.ItemType == ListItemType.Item || e.Item.ItemType == ListItemType.AlternatingItem)
{
string BrandID = (e.Item.FindControl("hfBrandID") as HiddenField).Value;
string CatID = (e.Item.FindControl("hfCatID") as HiddenField).Value;
string SubCatID = (e.Item.FindControl("hfSubCatID") as HiddenField).Value;
string GenderID = (e.Item.FindControl("hfGenderID") as HiddenField).Value;

RadioButtonList rblSize = e.Item.FindControl("rblSize") as RadioButtonList;

using (SqlConnection con = new SqlConnection(CS))
{
using (SqlCommand cmd = new SqlCommand("select * from tblSizes where BrandID='" + BrandID + "' and CategoryID=" + CatID + " and SubCategoryID=" + SubCatID + " and GenderID=" + GenderID + "", con))
{
cmd.CommandType = CommandType.Text;
using (SqlDataAdapter sda = new SqlDataAdapter(cmd))
{
DataTable dt = new DataTable();
sda.Fill(dt);
rblSize.DataSource = dt;
rblSize.DataTextField = "sizename";
rblSize.DataValueField = "sizeid";
rblSize.DataBind();
}
}
}
Int64 PID = Convert.ToInt64(Request.QueryString["PID"]);
using (SqlConnection con = new SqlConnection(CS))
{
using (SqlCommand cmd = new SqlCommand("select * from tblProducts where PID=@PID", con))
{
cmd.CommandType = CommandType.Text;

using (SqlDataAdapter sda = new SqlDataAdapter(cmd))
{
DataTable dt = new DataTable();
sda.Fill(dt);
if (dt.Rows.Count > 0)
{
Int32 myQty = Convert.ToInt32(dt.Rows[0]["PQuantity"].ToString());
System.Web.UI.WebControls.Button btn = (System.Web.UI.WebControls.Button)e.Item.FindControl("btnAddToCart") as System.Web.UI.WebControls.Button;
if (myQty == 0)
{
btn.Enabled = false;
}
else if (myQty > 0)
{
btn.Enabled = true;
}
}
}
}
}
}
}


What I have tried:

Most of the example given in internet is for textbox, label etc. But, my code here is in <p></p>.

The part that I need to declare is PID in this area--
C#
using (SqlCommand cmd = new SqlCommand("select * from tblProducts where PID=@PID", con))
Posted
Updated 23-Jun-21 22:11pm
v2
Add a Solution

1 solution

Don't do it like that!
Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
SQL
DROP TABLE MyTable;
A perfectly valid "delete the table" command
SQL
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
 
Share this answer
 
Posted
Comments
Member 15100384 24-Jun-21 2:11am    
Yes. But my question is on declare the PID value, do you have suggestion?
OriginalGriff 24-Jun-21 3:49am    
Yes.
"Fix the more important error throughout your app first, or you won't have a DB to insert things into."
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
How I correct the declaration values.
How can I retain all previously applied filters back to p table after performing delete operation on prime ng data table.
"Enter parameter value" dialog box keep showing even I declare values on it.
A local variable named 'p' cannot be declared in this scope because it would give a different meaning to 'p', which is already used in a 'parent or current' scope to denote something else
why p and *p are printing same values
Expected declaration but found ‘/’. Skipped to next declaration. What is wrong with this code?
String property declaration error in C#
Proper format of declaring an update statement SQL
Constant value error in array declaration
Why isnt p changing its address after passing argument as pointer?

Advertise
Privacy
Cookies
Terms of Use
Last Updated 24 Jun 2021
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web01 2.8:2024-05-30:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900