Category Archives: ASP.NET

Topics include ASP.NET 1.x+ Web Forms and possibly even some old-school ASP 3.0 — for which I know this category is, therefore, misnamed, but cut me a break.

The Basics Of Avoiding MySQL Injection Attacks In ASP.NET Web Forms

Received in my email today:

Hi

say your blog and thought you might help.

strsql = “SELECT StaffID, DesignationID, StaffName, Password, ShopID from staffT where StaffName =” & UserName.Text & ” AND Password =” & Password.Text & “”

from the string, the username.text and password.text are form controls. what is happening is there are passing null values regardless of what you input in the text boxes resulting in a system error.

“System Error Object reference not set to an instance of an object”

Am using Mysql as the database.

I’m always glad to answer such questions, especially when the questioner is flirting with disaster, as much as this questioner is.

A trained eye can immediately spot the problem with the SQL statement above, aside from the problem of NULL values tossing errors. Namely, it’s wide-open to SQL injection. (And an even keener eye will note that the values for user name and password aren’t delimited with single-quotes.)

So here’s my reply email to the questioner:
Continue reading

Getting All ZIP Codes In A Given Radius From A Known Point / ZIP Code Via ASP.NET

Some time ago I wrote a PHP-MySQL based solution to getting all ZIP Codes in a given radius from a known point / ZIP Code. I’ve long intended to do an ASP.NET version of that post, and here it is.

I won’t bother revisiting the mechanics in detail. I do urge you to read the post on the PHP version of this solution, at least to familiarize yourself with the mechanics of what I am doing and the compromises I’ve taken in coming up with this solution.

I will note the following for the “get to the point” types:

  • The first thing we need is to procure a geocoded database table of ZIP Codes. There are several out there; the one I am using is the ZIP Code Database project, available at Sourceforge. You’ll need to figure out how to get their CSV file into your SQL Server database; BULK INSERT is an option, or you can script it.
  • The basic method I am going to use is to create a square. Specifically, I am going to:
    • ask the end user for a starting ZIP Code, and a radius from that point from which he would like other ZIP Codes to come;
    • create a square by selecting points North, South, East and West at the given distance from the starting point; then
    • query the database for all points that fall within that square (or, in other words, all points with latitudes less than North, greater than South, less than East and greater than West).
  • I’m going to put my results in a GridView. However, you could easily just use a DataReader or DataTable to get the relevant records and do with them as you like.
  • The formulas I am using to compute longitude and latitude coordinates come from moveabletype.co.uk.

Continue reading

Displaying Selected YouTube Data API Thumbnails On A Web Page Via ASP.NET Web Forms

Previously, I blogged about “Displaying Selected YouTube Video Thumbnails On An ASP.NET Web Forms Page,” when you know the video IDs of the thumbnails you want to hyperlink.

A reader recently asked me how to hyperlink YouTube video thumbnails based on searching for a keyword. I promised to address that, so here goes.

Interestingly enough, searching the YouTube Data API is accomplished in a REST-like manner quite similar to the methodology I used for shortening URLs in ASP.NET via the bit.ly API.

  • Form a simple request URL to the YouTube Data API that contains the appropriate search parameters;
  • Use a WebRequest to send that URL to Google, which returns an XML document with results;
  • Use WebResponse to dump that stream into an XmlDocument;
  • Use XPath and XmlNode‘s SelectNodes method to recursively get the thumbnails from each entry; and
  • Bind up a pile of Hyperlink controls, which are added dynamically to a Panel control.

Sounds more complicated than it actually is. Let’s do it.
Continue reading

Displaying Selected YouTube Video Thumbnails On An ASP.NET Web Forms Page

I received a kind email recently from a reader, thanking me for my article titled “Retaining Values In A Form Following PHP Postback And Clearing Form Values After Successful PHP Form Processing“.

He also asked how he could use the YouTube Data API to search for videos by keyword; display thumbnails of those videos on an ASP.NET page; then either hyperlink to those videos on YouTube, or display them on his page via the YouTube Player API.

I’ll address that specific question in an upcoming post. First, I want to show how to do what the questioner asks if you already know the video IDs of specific YouTube videos you want to show on a page.

If you know the video ID(s) for the YouTube videos you want to display on a page, you can call them directly from YouTube’s image servers, thanks to a predictable URL and naming scheme, and hotlinking.
Continue reading

Parent-Child DropDownList Controls In ASP.NET Web Forms (VB.NET)

Some time ago I promised a formspring anon I would do a tutorial on parent / child DropDownList controls in ASP.NET Web Forms. At long last, I’m delivering. (From here on out, I will use “DropDownList” and “select list” interchangeably.)

Parent-child DropDownList controls means you have a parent, or main / master select list. Based on whatever selection is made in that first DropDownList, a second, “child” or “detail” select list is populated with relevant results.For example, if we had a database of cars, we might have a parent (master) DropDownList of manufacturers — Ford, Chevy, Toyota, etc. — and populate the child DropDownList with models from the selected manufacturer. So, if someone chose Ford in the parent select list, the child select list would automatically populate with choices such as Fusion, Mustang, Explorer, F-150, etc.

I’ll be demonstrating two different ways to accomplish this task, as well as a few variations on the first: First, binding with only SqlDataSource controls, which is by far the easiest way to proceed and will suffice for about 90 percent of applications; second, using code behind and CompareValidator controls, to cover all possible roadblocks.

Some notes before we proceed:

  • I’ll use the ZIP Code database I’ve been using for a while as the back-end data. I also have a separate table of USPS state codes I’m using as the parent data, to help illustrate that you can use several tables / data sources to fuel this solution, provided the keys that relate the data make sense to each data store. In other words, you can use a lot of different sources for your data, so long as the data is relational.
  • I’m going to use SQL Server, stored procedures and a connection string stored in my web.config file to access my data. I recognize that some people prefer to use SQL statements / LINQ and the like, or can only use Access / MySQL or other data stores. I really urge you to always use stored procedures, as they are way safer than inline SQL statements. As far as alternative data stores go, that should be a easy a fix as switching your code to use to the relevant ADO.NET ODBC classes, rather than the SQL Client classes.
  • This solution should work for ASP.NET versions 2.0 forward.

Continue reading