
Right, so I'm pulling information out of a database, by Scheme Code, and displaying it on a webform, where it can be modified or new records can be created. To get the image out I created a Generic handler as a sort of virtual address.

I'm having some trouble passing the `dropdownlist.SelectedItem.Text` value (which is where you select the Scheme code for the record you want) into a parameter in the generic handler. I can pass a string directly in and then just choose that particular Scheme code and it all works.

This is the SQL command code

    public static TemplateData ReturnData(string schemeCode)
    {
        // The scheme code is concatenated straight into the SQL text here
        string sqlInstructionCstmID = "SELECT TOP(1) LetterTemplateCustomisationId, TemplateId, Logo, SchemeCode, Version, Comment FROM LetterTemplateCustomisation WHERE SchemeCode ='" + schemeCode + "'";

        string connectionString = System.Configuration.ConfigurationManager.ConnectionStrings["LettersDatabase"].ConnectionString;
        SqlConnection connect = new SqlConnection(connectionString);

        SqlCommand command = new SqlCommand(sqlInstructionCstmID, connect);
        command.CommandType = CommandType.Text;

        connect.Open();
        SqlDataReader dr = command.ExecuteReader();

        // Map the first row (if any) onto a TemplateData object
        TemplateData tempData = null;
        if (dr.HasRows)
        {
            dr.Read();
            tempData = new TemplateData(dr);
        }

        dr.Close();
        connect.Close();

        return tempData;
    }

The generic handler... with the empty parameters

    public class ImageHandler : IHttpHandler
    {
        public void ProcessRequest(HttpContext context)
        {
            // ReturnData() is called with no schemeCode argument; this is the empty parameter the question is about
            TemplateData imgData = DataClass.ReturnData();

            if (imgData != null)
            {
                context.Response.ContentType = "image/jpeg";
                // Write the logo bytes once (the original wrote them twice, via BinaryWrite and OutputStream.Write)
                context.Response.BinaryWrite(imgData.Logo);
                context.Response.Flush();
            }
        }

        // Required by IHttpHandler
        public bool IsReusable
        {
            get { return false; }
        }
    }

and this is the code behind

    protected void btnSearch_Click(object sender, EventArgs e)
    {
        if (ddSchemeCode.SelectedIndex > 0)
        {
            // Existing data to load from the database
            TemplateData temp = DataClass.ReturnData(ddSchemeCode.SelectedItem.Text);
            if (temp != null)
            {
                txtVersion.Text = temp.Version;
                txtComment.Text = temp.Comment;
                txtSchemeCode.Text = temp.SchemeCode;
                txtTemplateId.Text = temp.TemplateId;
                imgLogo.ImageUrl = "ImageHandler.ashx";
            }
        }
    }

So it's the empty parameter in `TemplateData imgData = DataClass.ReturnData();` that I am having difficulties with.

As per usual, many thanks in advance folks!

Bigtingz92

1 Answer


DataClass.ReturnData(); is not going to work since it doesn't provide a value for the required schemeCode parameter.

You should either create another method without that parameter, or supply a default value, like null, which will leave out the filter in the SQL statement.

For example:

public static TemplateData ReturnData(string schemeCode = null)
{
    string sqlInstructionCstmID = "SELECT TOP(1) LetterTemplateCustomisationId, TemplateId, Logo, SchemeCode, Version, Comment FROM LetterTemplateCustomisation";

    // Only add the filter when a scheme code was supplied
    if (!string.IsNullOrEmpty(schemeCode))
    {
        sqlInstructionCstmID += " WHERE SchemeCode ='" + schemeCode + "'";
    }

    // ... open the connection and execute the command as in the original method
}

Note you should really make sure to use parameterized queries, for a lot of reasons!

Another option, if applicable, is to pass in the value through the HttpHandler. One way to do that is to use a URL parameter.

string schemeCode = context.Request.QueryString["schemeCode"];

Then pass it like this:

http://someurl/handler.ashx?schemeCode=123

If you don't use parameterized queries right now, the above is a SQL vulnerability.

Patrick Hofman
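The two points of the answer put together, as an added example that is neither the asker's nor Patrick's code: the handler reads the scheme code from the query string, the lookup binds it as a typed parameter instead of concatenating it into the SQL text, and the page builds the handler URL server-side with URL encoding. The `LettersDatabase` connection string, the `LetterTemplateCustomisation` table and the `TemplateData(SqlDataReader)` constructor are taken from the question; `LogoHandler.ashx`, the `LogoUrl` helper and the column size of 50 are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class DataClass
{
    public static TemplateData ReturnData(string schemeCode)
    {
        if (string.IsNullOrEmpty(schemeCode))
            return null;

        // Fixed SQL text; the filter value never becomes part of the statement
        const string sql =
            "SELECT TOP(1) LetterTemplateCustomisationId, TemplateId, Logo, SchemeCode, Version, Comment " +
            "FROM LetterTemplateCustomisation WHERE SchemeCode = @schemeCode";

        string connectionString = ConfigurationManager.ConnectionStrings["LettersDatabase"].ConnectionString;

        using (var connect = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connect))
        {
            // Typed parameter: quotes or SQL keywords inside schemeCode are data, not syntax
            // (NVarChar(50) is an assumed column size)
            command.Parameters.Add("@schemeCode", SqlDbType.NVarChar, 50).Value = schemeCode;

            connect.Open();
            using (SqlDataReader dr = command.ExecuteReader())
            {
                // Read() returns false when there is no matching row
                return dr.Read() ? new TemplateData(dr) : null;
            }
        }
    }
}

// Hypothetical handler name; registered as LogoHandler.ashx
public class LogoHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // The scheme code arrives as ?schemeCode=... on the handler URL
        string schemeCode = context.Request.QueryString["schemeCode"];
        TemplateData imgData = DataClass.ReturnData(schemeCode);

        if (imgData == null || imgData.Logo == null)
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "image/jpeg";
        context.Response.BinaryWrite(imgData.Logo); // write the bytes exactly once
    }
}

// Assumed helper for the page's code-behind
public static class LogoUrl
{
    // UrlEncode keeps characters such as '&' or '#' in the scheme code from breaking the query string
    public static string For(string schemeCode)
    {
        return "LogoHandler.ashx?schemeCode=" + HttpUtility.UrlEncode(schemeCode);
    }
}

// In btnSearch_Click, after the search succeeds:
//   imgLogo.ImageUrl = LogoUrl.For(ddSchemeCode.SelectedItem.Text);
```

Because the `ImageUrl` is set on the server during the postback, no JavaScript is needed for the dropdown value to reach the handler; the browser simply requests the encoded URL when it renders the image, and the handler's lookup is bound as a parameter whatever that value contains.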
  • Ok, parameterized queries, I'll look them up, cheers. I'm trying to put `ddSchemeCode.SelectedItem.Text` into those parameters, or `temp.SchemeCode` or something, but I don't know how to pass it through. – Bigtingz92 May 27 '15 at 12:31
  • If you want to pass in into the handler, you should pass it in through the URL. – Patrick Hofman May 27 '15 at 12:48
  • ok, cool. So would it be something like: `imgLogo.ImageUrl = ("ImageHandler.ashx?schemeCode={0}", ddSchemeCode.SelectedItem.Text);` – Bigtingz92 May 27 '15 at 12:52
  • Well, I don't think that will work. If you want it real time, you should do that using javascript. If you can solve it server-side, that would fix it indeed. – Patrick Hofman May 27 '15 at 12:53
  • Ok, well I've been tinkering with it since you updated and still no joy. Thanks anyway though, Patrick. – Bigtingz92 May 27 '15 at 13:22
  • Why no joy? Please explain. – Patrick Hofman May 27 '15 at 13:34