Problem in showing data in gridview?

  • Question

  • Hi,

    I just want a grid as shown below:

        Name       Operator   Value      Result
        <field1>   =          <Value1>
        <field2>              <Value2>
        <field3>              <Value3>

    It contains 4 columns, of which the 1st and 2nd columns are field columns and the 3rd column is the operator column.

     

    I want to build a query from the grid as follows:

        select * from info where <column1> <column2> <column3>

    e.g. select * from info where name = 10

    and show the resultant records in column 4.

    Thanks in advance

    Saturday, September 1, 2007 1:08 PM

All replies

  • In this case, you cannot use ADO or ADO.NET parameters to reconfigure the SQL query, so you'll have to build it using concatenated operators just as you would concatenate any string. As in:

     

    strSQL = String.Format("SELECT * FROM info WHERE {0} {1} {2}", strNameCol, strOperCol, strValCol)

     

    All that remains is to execute the query.

     

    hth 

     

    Saturday, September 1, 2007 6:18 PM
    Moderator
  •  William Vaughn wrote:

    All that remains is to execute the query.

     

    And to hope that this UI is never accessed by a malicious user who enters something like ";GO;DROP TABLE INFO;GO" into one of the value fields.

     

    To build this safely, you'd want to completely clean the input, which is a lot of work if you parse all the values looking for injection attacks yourself. You can still use a parameter query, though, with a little work:

     

    Code Snippet

    using System;

    // "operator" is a reserved word in C#, so the whitelisted operator is held in "op".
    // Only a value from this switch ever reaches the SQL text; anything else is rejected.
    string op;

    switch (operatorEntered)
    {
        case "=":  op = "=";  break;
        case ">=": op = ">="; break;
        case "<=": op = "<="; break;
        // etc.
        default: throw new InvalidOperationException("Invalid operator entered.");
    }

    // The user-supplied values are bound as parameters, not spliced into the string.
    string sql = String.Format("SELECT * FROM Info WHERE @value1 {0} @value2", op);

     

     

    ...and then set the parameters of the query to the values entered.  This approach makes your query invulnerable to malicious input.

    Sunday, September 2, 2007 8:37 AM
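The two approaches above side by side, as an added example that is not code from the thread. It is written in Python against the standard-library sqlite3 module rather than ADO.NET, because the mechanism is the same for any driver: the concatenated statement from the first reply is bent by a tautology typed into the Value cell, while the whitelist-plus-parameters approach from the second reply rejects bad input before it reaches the database. The example goes one step further than the posted snippet and whitelists the column name as well, since drivers bind parameters only as values, never as table or column identifiers. The table `info`, its columns (`name`, `score`, `dept`), the sample rows and the function names are all constructed for the example.

```python
"""Grid-driven WHERE clause: unsafe concatenation vs. whitelisted identifiers
plus bound parameters. Added example, not from the thread; all data is
constructed for illustration."""
import sqlite3

# Constructed sample data for the hypothetical table `info`.
SAMPLE_ROWS = [
    ("alice", 10, "ops"),
    ("bob", 25, "dev"),
    ("carol", 40, "dev"),
]

# Whitelists: the only identifiers and operators allowed into the SQL text.
# Everything else in a grid row is bound as a parameter value.
ALLOWED_COLUMNS = {"name", "score", "dept"}
ALLOWED_OPERATORS = {"=", "<>", "<", "<=", ">", ">="}


def make_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE info (name TEXT, score INTEGER, dept TEXT)")
    conn.executemany("INSERT INTO info VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def query_unsafe(conn, column, operator, value):
    """The concatenation approach from the first reply: every grid cell is
    spliced straight into the statement text, so the value cell can rewrite
    the query's logic."""
    sql = "SELECT * FROM info WHERE {0} {1} {2}".format(column, operator, value)
    return conn.execute(sql).fetchall()


def build_safe_query(column, operator):
    """Return the statement text with only whitelisted tokens spliced in and
    a placeholder for the value. Raises ValueError on anything unexpected."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed: %r" % (column,))
    if operator not in ALLOWED_OPERATORS:
        raise ValueError("operator not allowed: %r" % (operator,))
    return "SELECT * FROM info WHERE {0} {1} ?".format(column, operator)


def query_safe(conn, column, operator, value):
    """Whitelisted column and operator, value bound as a parameter: the
    driver treats the value as data, never as SQL."""
    sql = build_safe_query(column, operator)
    return conn.execute(sql, (value,)).fetchall()


def fill_result_column(conn, rows):
    """Evaluate each grid row (column, operator, value) and produce the
    fourth 'Result' column: the matching records, or the validation error."""
    results = []
    for column, operator, value in rows:
        try:
            results.append(query_safe(conn, column, operator, value))
        except ValueError as exc:
            results.append(str(exc))
    return results


DB = make_db()

if __name__ == "__main__":
    # A benign row behaves the same either way.
    print(query_unsafe(DB, "score", "=", "10"))
    print(query_safe(DB, "score", "=", 10))
    # A tautology in the Value cell: concatenation returns every row,
    # the parameterised query returns nothing.
    print(query_unsafe(DB, "score", "=", "10 OR 1=1"))
    print(query_safe(DB, "score", "=", "10 OR 1=1"))
    # Hostile identifiers never reach the database at all.
    print(fill_result_column(DB, [("name; DROP TABLE info", "=", "x"),
                                  ("score", "= 1 OR 1", 10),
                                  ("dept", "=", "dev")]))
```

The whitelist is the important part: a parameter placeholder can only stand where a value is legal, so the column and operator, which the grid also lets the user choose, must be checked against a fixed set before they are concatenated. The stacked `;DROP TABLE` payload mentioned above would be rejected by sqlite3's single-statement `execute` anyway, which is why the example uses a tautology to show the query's logic being changed; drivers that accept batches would execute the stacked statement as well.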
  •  

    Hi William,

    Thanks for the reply, but my problem is something different. I have a problem coding the DataGridView with the given structure.

    Programming the grid is a problem for me.

     

     

    Thanks in advance

     

    Monday, September 3, 2007 7:16 AM
  • Of course. Any strategy that embeds SQL into a string has issues. I heartily recommend Parameters to handle this problem.

     

    As for accessing the DataGridView in Visual Studio languages, it's easiest to build and alter an array or DataTable that has what's to be displayed and changed.

    Monday, September 3, 2007 10:26 PM
    Moderator