1

I have the following C#

    protected void sprint_availability_ItemDeleting(object sender, ListViewDeleteEventArgs e)
    {
        string sprintid = "";
        Label lbl = (sprint_availability.Items[e.ItemIndex].FindControl("sprint_id_lbl")) as Label;
        if (lbl != null)
            sprintid = lbl.Text;

        string projectid = "";
        Label pid = (sprint_availability.Items[e.ItemIndex].FindControl("project_id_lbl")) as Label;
        if (pid != null)
            projectid = pid.Text;

        string ConnectionString = WebConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
        SqlConnection myConnection = new SqlConnection(ConnectionString);

        myConnection.Open();

        String query = "DELETE FROM sprints WHERE [sprint_id]  = '" + sprintid + "'";

        SqlCommand myCommand = new SqlCommand(query, myConnection);

        myCommand.ExecuteNonQuery();

        myConnection.Close();

        Response.Redirect("project.aspx?project_id="+ pid);
    }

The SQL query works fine, as it is deleting the row without any issue; however, the redirect is redirecting to http://project.aspx?project_id=System.Web.UI.WebControls.Label

This is the section of the asp code which displays the label I am trying to call

    <asp:Label Text='<%# Eval("project_id") %>' runat="server" ID="project_id_lbl" Visible="false"/><br />
2
  • 2
    pid is a Label, you probably want projectid instead: Response.Redirect("project.aspx?project_id="+ projectid); Commented Nov 4, 2015 at 20:44
  • 2
    You should use project_id="+ pid.Text); or project_id="+ projectid); Commented Nov 4, 2015 at 20:45

1 Answer

2

pid is a Label; adding it to a string like you do in the redirect call invokes the class method ToString(), and in the case of a Label this method prints out the class name.

You need to use

    Response.Redirect("project.aspx?project_id="+ pid.Text);

However, in your code there is a potential bug that needs to be fixed as soon as possible. Do not use string concatenation to build SQL queries. Use a parameterized query:

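    // Requires: using System.Data; using System.Data.SqlClient; using System.Web.Configuration;
    string query = "DELETE FROM sprints WHERE [sprint_id]  = @id";
    string ConnectionString = WebConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
    // The using blocks close and dispose the connection and the command, even on an exception
    using (SqlConnection myConnection = new SqlConnection(ConnectionString))
    using (SqlCommand myCommand = new SqlCommand(query, myConnection))
    {
        myConnection.Open();
        // The value is sent as a parameter and is never spliced into the SQL text
        myCommand.Parameters.Add("@id", SqlDbType.NVarChar).Value = sprintid;
        myCommand.ExecuteNonQuery();
    }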

String concatenation leads to SQL injection and to parsing problems. Although in your case this seems to be improbable, it is better to use this approach every time to avoid any pitfalls. Also, enclosing the disposable objects like the connection and the command in a using statement ensures a proper closing and disposing of these objects.


1 Comment

Thank you, this did the trick. Also, thank you for the heads up. I'm new to all things programming and databases so this is very useful to know
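
An added example, not part of the original answer or the asker's project: it builds the concatenated and the parameterized DELETE for a constructed sprint id containing an apostrophe, and escapes the project id before it goes into the redirect URL. The class and method names, the sample values and the 50-character column size are assumptions; it uses .NET Framework's System.Data.SqlClient and opens no connection.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class SprintDeleteDemo
{
    // The question's approach, kept only to compare the resulting SQL text.
    public static string BuildDeleteConcatenated(string sprintId)
    {
        return "DELETE FROM sprints WHERE [sprint_id]  = '" + sprintId + "'";
    }

    // Parameterized DELETE: the SQL text is constant, the value travels separately.
    public static SqlCommand BuildDelete(string sprintId)
    {
        var cmd = new SqlCommand("DELETE FROM sprints WHERE [sprint_id] = @id");
        // Assumption: sprint_id is a string column of at most 50 characters.
        cmd.Parameters.Add("@id", SqlDbType.NVarChar, 50).Value = sprintId;
        return cmd;
    }

    // Use the Label's Text (a string, not the Label) and escape it for the URL.
    public static string BuildRedirectUrl(string projectId)
    {
        return "project.aspx?project_id=" + Uri.EscapeDataString(projectId);
    }

    static void Main()
    {
        // Constructed sample values, not taken from the page.
        string sprintId = "sprint'7";   // apostrophe inside the value
        string projectId = "12&x=1";    // characters with meaning in a query string

        // Concatenation: the apostrophe ends the string literal early, so the
        // statement the server parses is no longer the one that was written.
        Console.WriteLine(BuildDeleteConcatenated(sprintId));

        using (SqlCommand cmd = BuildDelete(sprintId))
        {
            // The command text is identical for every input; the value is data only.
            Console.WriteLine(cmd.CommandText);
            Console.WriteLine(cmd.Parameters["@id"].Value);
        }

        // The '&' and '=' are percent-encoded, so they stay inside project_id.
        Console.WriteLine(BuildRedirectUrl(projectId));
    }
}
```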
