1

I am currently developing a web application and I want to show the current logged in users details. When the users logs in I have created a new session and I am trying to use this to validate the current user and display their details. The C# code is shown below.

protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
            conn.Open();
            string detailsQuery = "select * FROM [Customer] where Customer_No ='" + Session["New"] + "'";
            SqlCommand com = new SqlCommand(detailsQuery, conn);
            com.ExecuteNonQuery();                
            Response.Write("Details Showing");
            conn.Close();
        }
        catch (Exception ex)
        {
            Response.Write("Error:" + ex.ToString());
        }
    }

I can easily show all the customers details but I can't figure out how to show the current logged in user. I would be grateful for any help.

mason
  • 30,041
  • 9
  • 73
  • 113
colliec
  • 35
  • 4
  • I don't understand what your problem is. You say "I can easily show all the customers details" but you don't have any code to do that. – mason Jan 26 '15 at 17:07
  • I can do this using the table wizard in the toolbox visual studio. – colliec Jan 26 '15 at 17:10

2 Answers2

1

You need to get the data into the UI. The GridView control makes this easy. It can automatically generate an HTML table based on data that is bound to it. We're going declare a GridView in the markup, select our data into a DataTable, then bind the DataTable to the GridView.

<asp:GridView runat="server" id="CustomerDetailsGV" AutoGenerateColumns="true" />

Code behind:

SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
conn.Open();
string detailsQuery = "select * FROM [Customer] where Customer_No ='" + Session["New"] + "'";
SqlCommand com = new SqlCommand(detailsQuery, conn);
DataTable dt = new DataTable();
dt.Load(com.ExecuteReader());   
CustomerDetailsGV.DataSource = dt;
CustomerDetailsGV.DataBind();             
conn.Close();

You should also wrap your SqlConnection in a using statement.

string detailsQuery = "select * FROM [Customer] where Customer_No ='" + Session["New"] + "'";
SqlCommand com = new SqlCommand(detailsQuery);
DataTable dt = new DataTable();
using (var conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString)
{
    com.Connection = conn;
    conn.Open();                
    dt.Load(com.ExecuteReader());                       
}
CustomerDetailsGV.DataSource = dt;
CustomerDetailsGV.DataBind();

You may find this a useful function to keep around:

/// <summary>
/// Executes a database command with the specified connection and returns a data table synchronously.
/// </summary>
/// <param name="command">The command to execute.</param>
/// <param name="connection">The connection to use.</param>
/// <returns>A DataTable representing the command results.</returns>
public static DataTable GetDataTable(SqlCommand command, SqlConnection connection)
{
    DataTable dt = new DataTable();
    command.Connection = connection;
    using (connection)
    {
        connection.Open();
        dt.Load(command.ExecuteReader());
    }
    return dt;
}

Using the above function, your code can be simplified to this:

string detailsQuery = "select * FROM [Customer] where Customer_No ='" + Session["New"] + "'";
SqlCommand com = new SqlCommand(detailsQuery);
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
CustomerDetailsGV.DataSource = GetDataTable(com, con);
CustomerDetailsGV.DataBind();
mason
  • 30,041
  • 9
  • 73
  • 113
  • Thanks the help is greatly appreciated. – colliec Jan 26 '15 at 17:53
  • @colliec Ah, one last thing. When you load the data, you should do that all within an `if(!IsPostBack){ /* your code here */ }` block. Otherwise upon postback, the data will be reloaded, which is probably not what you want. – mason Jan 26 '15 at 17:56
  • @AndrewGrinder You should direct that comment to colliec by using the `@` syntax. – mason Jan 26 '15 at 18:56
  • You should also be using Parameterized Queries which can be viewed here: dotnetperls.com/sqlparameter. This will avoid any SQL Injection attacks. "Code like everyone is the thief." - Bawan in thecodelesscode.com/case/140 (Heartbleed) Again about parameterized queries: an older answer for a query question: http://stackoverflow.com/questions/19258148/c-sharp-login-screen-find-user-in-sql-table-and-update-field/19258978#19258978 @colliec – Andrew Grinder Jan 26 '15 at 19:01
-1

Each person on your webpage can be identified by the Session.SessionID string. Microsoft Session.sessionID explanation. In your Customer table, add a SessionID field (SQL Varchar(70)). When the Customer logs in, update the session.sessionID for that Customer. If you want to display the current customer's information to the screen, just supply their Session.sessionID.

protected void Page_Load(object sender, EventArgs e)
{
    try
    {
        SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
        conn.Open();
        string detailsQuery = "select * FROM [Customer] where SessionID ='" + Session.SessionID + "'";
        SqlCommand com = new SqlCommand(detailsQuery, conn);
        com.ExecuteNonQuery();                
        Response.Write("Details Showing");
        conn.Close();
    }
    catch (Exception ex)
    {
        Response.Write("Error:" + ex.ToString());
    }
}
Lolli
  • 74
  • 6