asp.net c# string and session

     Session["UserId"] = PortalGlobals.UserId ;
        //string UserId = PortalGlobals.UserId;

For some reasons, if I tried to use //string UserId = PortalGlobals.UserId;
and the following sql. It will fail me....

Any experts have idea how to fix it?


   SqlDataSource1.SelectCommand = "SELECT CrmSchedule.*, CrmSchedule.MeetingCity + ', ' + CrmSchedule.MeetingState as MeetingCityAndState, CrmLeadSource.Description AS DescLeadSource, "
        + " CrmMeetingType.Description AS DescMeetingType, CrmScheduleStatus.Description AS DescScheduleStatus, "
        + " Customers.Name As CustName, Customers.MC_Number FROM CrmSchedule INNER JOIN"
        + " CrmLeadSource ON CrmSchedule.LeadSourceId = CrmLeadSource.LeadSourceId INNER JOIN"
        + " CrmMeetingType ON CrmSchedule.MeetingTypeId = CrmMeetingType.MeetingTypeId INNER JOIN"
        + " CrmScheduleStatus ON CrmSchedule.ScheduleStatusId = CrmScheduleStatus.ScheduleStatusId INNER JOIN"
        + " Customers ON CrmSchedule.CustomerId = Customers.ID Where CrmSchedule.UserId='" + UserId.ToString() + "'"
        + " Order By CrmSchedule.BeginDate Desc";      
   
protected void Page_Load(object sender, EventArgs e)
    {
        Session["UserId"] = PortalGlobals.UserId ;
        //string UserId = PortalGlobals.UserId;

        SqlDataSource1.SelectCommand = "SELECT CrmSchedule.*, CrmSchedule.MeetingCity + ', ' + CrmSchedule.MeetingState as MeetingCityAndState, CrmLeadSource.Description AS DescLeadSource, "
        + " CrmMeetingType.Description AS DescMeetingType, CrmScheduleStatus.Description AS DescScheduleStatus, "
        + " Customers.Name As CustName, Customers.MC_Number FROM CrmSchedule INNER JOIN"
        + " CrmLeadSource ON CrmSchedule.LeadSourceId = CrmLeadSource.LeadSourceId INNER JOIN"
        + " CrmMeetingType ON CrmSchedule.MeetingTypeId = CrmMeetingType.MeetingTypeId INNER JOIN"
        + " CrmScheduleStatus ON CrmSchedule.ScheduleStatusId = CrmScheduleStatus.ScheduleStatusId INNER JOIN"
        + " Customers ON CrmSchedule.CustomerId = Customers.ID Where CrmSchedule.UserId='" + Session["UserId"] + "'"
        + " Order By CrmSchedule.BeginDate Desc";       
    }

Open in new window

Webboy2008Asked:
Who is Participating?
 
Todd GerbertIT ConsultantCommented:
Sorry I, I meant assigning to the SQL string to a string variable named "commandText" first, and then writing SqlDataSource1.SelectCommand = String.Format(commandText, PortalGlobals.UserId).  So you're Page_Load would look like:

protected void Page_Load(object sender, EventArgs e)
{
    // Putting the @ symbol in front of the string lets you write it over
    // several lines without needing to + together a bunch of different strings
    // (it also disables escape sequences like \r\n)
    string commandText = @"SELECT CrmSchedule.*, CrmSchedule.MeetingCity, CrmSchedule.MeetingState as MeetingCityAndState, CrmLeadSource.Description AS DescLeadSource,
CrmMeetingType.Description AS DescMeetingType, CrmScheduleStatus.Description AS DescScheduleStatus,
Customers.Name As CustName, Customers.MC_Number FROM CrmSchedule INNER JOIN
CrmLeadSource ON CrmSchedule.LeadSourceId = CrmLeadSource.LeadSourceId INNER JOIN
CrmMeetingType ON CrmSchedule.MeetingTypeId = CrmMeetingType.MeetingTypeId INNER JOIN
CrmScheduleStatus ON CrmSchedule.ScheduleStatusId = CrmScheduleStatus.ScheduleStatusId INNER JOIN
Customers ON CrmSchedule.CustomerId = Customers.ID Where CrmSchedule.UserId='{0}'
Order By CrmSchedule.BeginDate Desc";

    // The String.Format method will replace the {0} in commandText with the value
    // of PortalGlobals.UserId
    SqlDataSource1.SelectCommand = String.Format(commandText, PortalGlobals.UserId);
}

Open in new window


By the way, you need to be careful that PortalGlobals.UserId doesn't contain any special SQL characters, like the single quote (') in particular.  If this value comes from the user it's possible someone could take advantage of it and inject their own SQL statement - one reason why using SqlParameters is a good idea.
0
 
Todd GerbertIT ConsultantCommented:
Do you mean if you uncomment that line and and change line 12 to + " Customers ON CrmSchedule.CustomerId = Customers.ID Where CrmSchedule.UserId='" + UserId + "'"?

How does it fail? What happens, or what exception do you get?
0
 
Todd GerbertIT ConsultantCommented:
Also, I think that's not quite a well-formed SQL command, line 6 is going to result in:

SELECT CrmSchedule.*, CrmSchedule.MeetingCity + ', ' + CrmSchedule.MeetingState as MeetingCityAndState, CrmLeadSource.Description AS DescLeadSource

Being sent to the SQL server, and those plus signs, quotes and comma aren't gonna make it happy - looks like you might have had some other variable in there, I would recommend writing your SQL statement as:

string commandText = @"SELECT CrmSchedule.*, CrmSchedule.MeetingCity, CrmSchedule.MeetingState as MeetingCityAndState, CrmLeadSource.Description AS DescLeadSource,
CrmMeetingType.Description AS DescMeetingType, CrmScheduleStatus.Description AS DescScheduleStatus,
Customers.Name As CustName, Customers.MC_Number FROM CrmSchedule INNER JOIN
CrmLeadSource ON CrmSchedule.LeadSourceId = CrmLeadSource.LeadSourceId INNER JOIN
CrmMeetingType ON CrmSchedule.MeetingTypeId = CrmMeetingType.MeetingTypeId INNER JOIN
CrmScheduleStatus ON CrmSchedule.ScheduleStatusId = CrmScheduleStatus.ScheduleStatusId INNER JOIN
Customers ON CrmSchedule.CustomerId = Customers.ID Where CrmSchedule.UserId='{0}'
Order By CrmSchedule.BeginDate Desc";

SqlDataSource1.SelectCommand = String.Format(commandText, PortalGlobals.UserID);

Open in new window


Or better yet, use SqlParameters (just not sure how to do that off the top of my head with the SqlDataSource, sorry).
0
Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

 
Webboy2008Author Commented:
Error:

Compiler Error Message: CS0103: The name 'commandText' does not exist in the current context

Source Error:

 

Line 24:        + " Customers ON salesreps.CUSTOMER_ID = Customers.ID"
Line 25:          + " WHERE salesreps.USER_ID='{0}'";
Line 26:        SqlDataSource1.SelectCommand = String.Format(commandText,PortalGlobals.UserId);
Line 27:        
Line 28:
 
0
 
Webboy2008Author Commented:
Got it. Your point is coming.

Have another question if you interest to help:

http://www.experts-exchange.com/Programming/Languages/Scripting/JavaScript/Q_26889448.html
0
 
Webboy2008Author Commented:
Excellent Helps
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.