public static string MakeResetRequest(string userId, string token)
{
try
{
string resetId = FooStringHelper.RandomString(16);
using (var conn = new NpgsqlConnection())
{
// App-DB connection.
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd = new NpgsqlCommand
{
CommandText =
"INSERT INTO Resets (resetId, userId, resetTime) VALUES (@RESETID, @USERID, @RESETTIME);",
CommandType = CommandType.Text,
Connection = conn
};
var resetParam = new NpgsqlParameter
{
ParameterName = "@RESETID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Direction = ParameterDirection.Input,
Value = resetId
};
cmd.Parameters.Add(resetParam);
var idParam = new NpgsqlParameter
{
ParameterName = "@USERID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Direction = ParameterDirection.Input,
Value = FooCryptHelper.Encrypt(userId, token)
};
cmd.Parameters.Add(idParam);
var timeParam = new NpgsqlParameter
{
ParameterName = "@RESETTIME",
NpgsqlDbType = NpgsqlDbType.Timestamp,
Direction = ParameterDirection.Input,
Value = DateTime.Now
};
cmd.Parameters.Add(timeParam);
cmd.ExecuteNonQuery();
cmd.Dispose();
return(resetId);
}
}
catch (Exception ex)
{
FooLogging.WriteLog(ex.ToString());
return(null);
}
}
protected void submitButton_Click(object sender, EventArgs e)
{
string alias = aliasText.Text;
string email = emailText.Text;
string address = addressText.Text;
string city = cityText.Text;
string country = countryText.Text;
string username = usernameText.Text;
string pass = passText.Text;
if (!String.IsNullOrEmpty(alias) && FooStringHelper.IsValidEmailAddress(email) &&
!String.IsNullOrEmpty(address) &&
!String.IsNullOrEmpty(city) && !String.IsNullOrEmpty(country) && !String.IsNullOrEmpty(username) &&
!String.IsNullOrEmpty(pass))
{
if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
{
string userId = FooStringHelper.RandomString(16);
if (!CheckIfUsernameExists(username) && !FooEmailHelper.CheckIfEmailExists(email, username))
{
errorPanel.Visible = false;
formPanel.Visible = false;
successPanel.Visible = true;
string defaultGroup = ConfigurationManager.AppSettings["User Group ID"] ?? "ri3EKpc5Z5gN4FEu";
bool insertedUser = RegisterNewUser(userId, alias, email, address, city, country, username, pass,
defaultGroup);
successLabel.Text = insertedUser
? "Your account has been successfully created. You can proceed to <a href=\"login.aspx\">log on</a>."
: "Failed to create account. The administrator has been notified. Please try again.";
errorPanel.Visible = false;
errorLabel.Text = "";
}
else
{
errorPanel.Visible = true;
errorLabel.Text = "Some details already exist in this application.";
}
}
else
{
errorPanel.Visible = true;
errorLabel.Text = "Invalid request.";
}
}
else
{
errorPanel.Visible = true;
errorLabel.Text = "Incomplete or invalid details.";
}
RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current);
}
protected void ReviewGrid_Delete(object sender, GridViewDeleteEventArgs e)
{
string merchId = FooStringHelper.RemoveInvalidChars(merchView.SelectedValue.ToString());
if (!FooStringHelper.IsValidAlphanumeric(merchId, 16))
{
errorLabel.Text = "Invalid request.";
Reset_Page(string.Empty);
return;
}
try
{
if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
{
using (var conn = new NpgsqlConnection())
{
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd = new NpgsqlCommand
{
CommandText = "DELETE FROM reviews WHERE reviewid= @REVIEWID",
CommandType = CommandType.Text,
Connection = conn
};
var param = new NpgsqlParameter
{
ParameterName = "@REVIEWID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value =
FooStringHelper.RemoveInvalidChars(
reviewGrid.DataKeys[e.RowIndex].Values[0].ToString())
};
cmd.Parameters.Add(param);
cmd.ExecuteNonQuery();
}
}
else
{
errorLabel.Text = "Invalid request.";
}
}
catch (Exception ex)
{
FooLogging.WriteLog(ex.ToString());
errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
}
Reset_Page(merchId);
}
protected void Page_Load(object sender, EventArgs e)
{
string catId = Request.QueryString["id"];
if (FooStringHelper.IsValidAlphanumeric(catId, 16))
{
Load_Forms(catId);
}
else
{
errorLabel.Text = "Invalid category.";
}
}
protected void Page_Load(object sender, EventArgs e)
{
string userId = FooStringHelper.RemoveInvalidChars(Request.QueryString["id"]);
if (FooStringHelper.IsValidAlphanumeric(userId, 16))
{
Load_Forms(userId);
}
else
{
errorLabel.Text = "Invalid user.";
}
}
protected void Load_Forms()
{
string userId = FooSessionHelper.GetUserObjectFromCookie(HttpContext.Current).UserId;
if (!FooStringHelper.IsValidAlphanumeric(userId, 16))
{
errorLabel.Text = "Invalid request.";
return;
}
try
{
using (var conn = new NpgsqlConnection())
{
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd =
new NpgsqlCommand(
"SELECT userid, useralias, email, address, city, country, profilebody, profileimg FROM users WHERE userid= @USERID",
conn);
var idParam = new NpgsqlParameter
{
ParameterName = "@USERID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value = FooStringHelper.RemoveInvalidChars(userId)
};
cmd.Parameters.Add(idParam);
using (NpgsqlDataReader dr = cmd.ExecuteReader())
{
userView.DataSource = dr;
userView.DataBind();
}
}
errorLabel.Text = "";
}
catch (Exception ex)
{
FooLogging.WriteLog(ex.ToString());
errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
}
}
public static string SetToken(HttpContext context)
{
string value = FooStringHelper.RandomString(24);
string encryptedValue = FooCryptHelper.MachineEncrypt(value);
string cookieName = ConfigurationManager.AppSettings["CSRF Cookie Name"];
var ck = new HttpCookie(cookieName, encryptedValue)
{
Path = FormsAuthentication.FormsCookiePath
};
context.Response.Cookies.Add(ck);
return(value);
}
protected void Page_Load(object sender, EventArgs e)
{
if (HttpContext.Current.User.Identity.IsAuthenticated)
{
formPanel.Visible = false;
errorPanel.Visible = true;
errorLabel.Text =
"Please log out first, or reset your password in the <a href=\"edit_profile.aspx\">profile editor</a>.";
}
if (Page.IsPostBack)
{
return;
}
RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current);
string resetId = Request.QueryString["id"];
string token = Request.QueryString["token"];
if (FooStringHelper.IsValidAlphanumeric(resetId, 16) && FooStringHelper.IsValidAlphanumeric(token, 24))
{
string resetAccount = GetAccountForReset(resetId, token);
if (!String.IsNullOrEmpty(resetAccount))
{
formPanel.Visible = true;
}
else
{
errorPanel.Visible = true;
errorLabel.Text = "Invalid request.";
}
}
else
{
errorPanel.Visible = true;
errorLabel.Text = "Invalid request.";
}
}
protected void Page_Load(object sender, EventArgs e)
{
if (IsPostBack)
{
return;
}
string merchId = Request.QueryString["id"];
if (FooStringHelper.IsValidAlphanumeric(merchId, 16))
{
RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current);
Load_Forms(merchId);
}
else
{
errorLabel.Text = "Invalid item.";
}
}
public static bool IsValidRequest(HttpContext context, string formValue)
{
string cookieName = ConfigurationManager.AppSettings["CSRF Cookie Name"];
HttpCookie httpCookie = context.Request.Cookies[cookieName];
if (httpCookie != null)
{
string userToken = FooCryptHelper.MachineDecrypt(httpCookie.Value);
if (!FooStringHelper.IsValidAlphanumeric(userToken, 24) ||
!FooStringHelper.IsValidAlphanumeric(formValue, 24))
{
return(false);
}
return(userToken == formValue);
}
return(false);
}
protected void MerchGrid_SelectedIndexChanged(object sender, EventArgs e)
{
try
{
string merchId = merchGrid.Rows[merchGrid.SelectedIndex].Cells[0].Text;
if (!FooStringHelper.IsValidAlphanumeric(merchId, 16))
{
errorLabel.Text = "Invalid request.";
Reset_Page(string.Empty);
return;
}
Load_Forms(merchId);
}
catch (Exception ex)
{
FooLogging.WriteLog(ex.ToString());
errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
}
}
protected void submitButton_Click(object sender, EventArgs e)
{
string commentBody = commentText.Text;
string userId = FooSessionHelper.GetUserObjectFromCookie(HttpContext.Current).UserId;
string postId = Request.QueryString["id"];
if (!string.IsNullOrEmpty(commentBody))
{
try
{
if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
{
using (var conn = new NpgsqlConnection())
{
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd = new NpgsqlCommand
{
CommandText =
"INSERT INTO comments(commentid, commenttime, userid, postid, commentbody) VALUES (@COMMENTID, @COMMENTTIME, @USERID, @POSTID, @COMMENTBODY)",
CommandType = CommandType.Text,
Connection = conn
};
var idParam = new NpgsqlParameter
{
ParameterName = "@COMMENTID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value = FooStringHelper.RandomString(16)
};
cmd.Parameters.Add(idParam);
var timeParam = new NpgsqlParameter
{
ParameterName = "@COMMENTTIME",
NpgsqlDbType = NpgsqlDbType.Timestamp,
Size = 32,
Direction = ParameterDirection.Input,
Value = DateTime.Now
};
cmd.Parameters.Add(timeParam);
var userParam = new NpgsqlParameter
{
ParameterName = "@USERID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value = FooStringHelper.RemoveInvalidChars(userId)
};
cmd.Parameters.Add(userParam);
var postParam = new NpgsqlParameter
{
ParameterName = "@POSTID",
NpgsqlDbType = NpgsqlDbType.Integer,
Size = 16,
Direction = ParameterDirection.Input,
Value = FooStringHelper.RemoveInvalidChars(postId)
};
cmd.Parameters.Add(postParam);
var bodyParam = new NpgsqlParameter
{
ParameterName = "@COMMENTBODY",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 1024,
Direction = ParameterDirection.Input,
Value = commentBody
};
cmd.Parameters.Add(bodyParam);
cmd.ExecuteNonQuery();
cmd.Dispose();
commentText.Text = "";
commentErrorLabel.Text = "";
}
}
else
{
errorLabel.Text = "Invalid request.";
}
}
catch (Exception ex)
{
FooLogging.WriteLog(ex.ToString());
commentErrorLabel.Text =
"Something has gone wrong. A log has been forwarded to the site administrator.";
}
Load_Forms();
}
else
{
commentErrorLabel.Text = "Incomplete input.";
}
RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current);
}
protected void genButton_Click(object sender, EventArgs e)
{
outLabel.Text = FooStringHelper.RandomString(int.Parse(lenBox.Text));
}
protected void GridView_Update(object sender, GridViewUpdateEventArgs e)
{
string userId = userGrid.DataKeys[e.RowIndex].Values[0].ToString();
if (!FooStringHelper.IsValidAlphanumeric(userId, 16))
{
errorLabel.Text = "Invalid request.";
Reset_Page();
return;
}
var txtUserName = (TextBox)userGrid.Rows[e.RowIndex].FindControl("txtUserName");
var txtUserAlias = (TextBox)userGrid.Rows[e.RowIndex].FindControl("txtUserAlias");
var txtEmail = (TextBox)userGrid.Rows[e.RowIndex].FindControl("txtEmail");
var groupDropdown = (DropDownList)userGrid.Rows[e.RowIndex].FindControl("groupDropdown");
if (!string.IsNullOrEmpty(txtUserName.Text) && !string.IsNullOrEmpty(txtUserAlias.Text) &&
!string.IsNullOrEmpty(txtEmail.Text) && FooStringHelper.IsValidEmailAddress(txtEmail.Text))
{
try
{
if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
{
using (var conn = new NpgsqlConnection())
{
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd = new NpgsqlCommand
{
CommandText =
"UPDATE users SET (username, useralias, groupid, email) = (@NAME, @USERALIAS, @GROUP, @EMAIL) WHERE userID= @USERID",
CommandType = CommandType.Text,
Connection = conn
};
var param = new NpgsqlParameter
{
ParameterName = "@USERID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value = userId
};
cmd.Parameters.Add(param);
var nameParam = new NpgsqlParameter
{
ParameterName = "@USERNAME",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 32,
Direction = ParameterDirection.Input,
Value = txtUserName.Text
};
cmd.Parameters.Add(nameParam);
var dispParam = new NpgsqlParameter
{
ParameterName = "@USERALIAS",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 32,
Direction = ParameterDirection.Input,
Value = txtUserAlias.Text
};
cmd.Parameters.Add(dispParam);
var emailParam = new NpgsqlParameter
{
ParameterName = "@EMAIL",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 64,
Direction = ParameterDirection.Input,
Value = txtEmail.Text
};
cmd.Parameters.Add(emailParam);
var groupParam = new NpgsqlParameter
{
ParameterName = "@GROUP",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value = groupDropdown.SelectedValue
};
cmd.Parameters.Add(groupParam);
cmd.ExecuteNonQuery();
}
}
else
{
errorLabel.Text = "Invalid request.";
}
}
catch (Exception ex)
{
FooLogging.WriteLog(ex.ToString());
errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
}
}
else
{
errorLabel.Text = "Incomplete or invalid input.";
}
Reset_Page();
}
protected void submitButton_Click(object sender, EventArgs e)
{
string email = emailText.Text.Trim();
if (!String.IsNullOrEmpty(email) || !FooStringHelper.IsValidEmailAddress(email))
{
if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
{
if (FooEmailHelper.CheckIfEmailExists(email, null))
{
UserObject user = GetUserObjByEmail(email);
if (user != null)
{
string resetToken = FooStringHelper.RandomString(24);
string resetId = MakeResetRequest(user.UserId, resetToken);
string resetUrl = FooStringHelper.MakeResetUrl(resetId, resetToken);
string emailBody =
String.Format(
"Hi {0},<br/><br/>Your FooBlog password for account '{1}' can be reset by visiting the following link:<br/><br/><a href=\"{2}\">{3}</a><br/><br/>The link is valid for 24 hours. If you did not request this reset, simply do not visit the link - your current password will remain unchanged.<br/><br/>Cheers,<br/>The FooBlog Team.",
user.UserAlias, user.Username, resetUrl, resetUrl);
const string emailSubject = "FooBlog Password Reset";
var mailObj = new EmailObject {
Body = emailBody, Subject = emailSubject, ToAddress = email
};
bool sendMail = FooEmailHelper.SendEmail(mailObj);
if (sendMail)
{
errorPanel.Visible = false;
formPanel.Visible = false;
successPanel.Visible = true;
successLabel.Text = "A reset link has been sent to your registered email account.";
}
}
else
{
errorPanel.Visible = true;
errorLabel.Text = "Invalid details.";
}
}
else
{
errorPanel.Visible = true;
errorLabel.Text = "Invalid request.";
}
}
else
{
errorPanel.Visible = true;
errorLabel.Text = "Invalid details.";
}
}
else
{
errorPanel.Visible = true;
errorLabel.Text = "Incomplete or invalid details.";
}
RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current);
}
protected void CategoryGrid_Command(object sender, GridViewCommandEventArgs e)
{
int postId = Convert.ToInt32(postView.SelectedValue);
var txtCatNameFooter = (TextBox)categoryGrid.FooterRow.FindControl("txtCatNameFooter");
if (!string.IsNullOrEmpty(txtCatNameFooter.Text))
{
try
{
if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
{
if (e.CommandName.Equals("AddNew"))
{
// Define connection string.
using (var conn = new NpgsqlConnection())
{
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd = new NpgsqlCommand
{
CommandText =
"INSERT INTO categories(catid, catname) VALUES (@CATID, @NAME)",
CommandType = CommandType.Text,
Connection = conn
};
var idParam = new NpgsqlParameter
{
ParameterName = "@CATID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value = FooStringHelper.RandomString(16)
};
cmd.Parameters.Add(idParam);
var nameParam = new NpgsqlParameter
{
ParameterName = "@NAME",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 32,
Direction = ParameterDirection.Input,
Value = txtCatNameFooter.Text
};
cmd.Parameters.Add(nameParam);
cmd.ExecuteNonQuery();
cmd.Dispose();
}
}
}
else
{
errorLabel.Text = "Invalid request.";
}
}
catch (Exception ex)
{
FooLogging.WriteLog(ex.ToString());
errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
}
}
else
{
errorLabel.Text = "Incomplete or invalid input.";
}
Reset_Page(postId);
}
protected void CategoryGrid_Update(object sender, GridViewUpdateEventArgs e)
{
int postId = Convert.ToInt32(postView.SelectedValue);
var txtCatName = (TextBox)categoryGrid.Rows[e.RowIndex].FindControl("txtCatName");
if (!string.IsNullOrEmpty(txtCatName.Text))
{
try
{
if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
{
// Define connection string.
using (var conn = new NpgsqlConnection())
{
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd = new NpgsqlCommand
{
CommandText =
"UPDATE categories SET catname= @NAME WHERE catid= @CATID",
CommandType = CommandType.Text,
Connection = conn
};
var nameParam = new NpgsqlParameter
{
ParameterName = "@NAME",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 32,
Direction = ParameterDirection.Input,
Value = txtCatName.Text
};
cmd.Parameters.Add(nameParam);
var idParam = new NpgsqlParameter
{
ParameterName = "@CATID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value =
FooStringHelper.RemoveInvalidChars(
categoryGrid.DataKeys[e.RowIndex].Values[0].ToString())
};
cmd.Parameters.Add(idParam);
cmd.ExecuteNonQuery();
}
}
else
{
errorLabel.Text = "Invalid request.";
}
}
catch (Exception ex)
{
FooLogging.WriteLog(ex.ToString());
errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
}
}
else
{
errorLabel.Text = "Incomplete or invalid input.";
}
Reset_Page(postId);
}
protected void CategoryGrid_Delete(object sender, GridViewDeleteEventArgs e)
{
int postId = Convert.ToInt32(postView.SelectedValue);
try
{
if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
{
using (var conn = new NpgsqlConnection())
{
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd = new NpgsqlCommand
{
CommandText = "DELETE FROM posts WHERE catid= @CATID",
CommandType = CommandType.Text,
Connection = conn
};
var param = new NpgsqlParameter
{
ParameterName = "@CATID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value =
FooStringHelper.RemoveInvalidChars(
categoryGrid.DataKeys[e.RowIndex].Values[0].ToString())
};
cmd.Parameters.Add(param);
cmd.ExecuteNonQuery();
}
// Define connection string.
using (var conn = new NpgsqlConnection())
{
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd = new NpgsqlCommand
{
CommandText = "DELETE FROM categories WHERE catid= @CATID",
CommandType = CommandType.Text,
Connection = conn
};
var param = new NpgsqlParameter
{
ParameterName = "@CATID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value =
FooStringHelper.RemoveInvalidChars(
categoryGrid.DataKeys[e.RowIndex].Values[0].ToString())
};
cmd.Parameters.Add(param);
cmd.ExecuteNonQuery();
}
}
else
{
errorLabel.Text = "Invalid request.";
}
}
catch (Exception ex)
{
FooLogging.WriteLog(ex.ToString());
errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
}
Reset_Page(postId);
}
protected void Load_Forms(string merchId)
{
if (merchId != string.Empty && !FooStringHelper.IsValidAlphanumeric(merchId, 16))
{
errorLabel.Text = "Invalid request.";
return;
}
try
{
using (var conn = new NpgsqlConnection())
{
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd = new NpgsqlCommand();
if (String.IsNullOrEmpty(merchId))
{
cmd.CommandText =
"SELECT merchid, merchname, merchbrief, merchbody, merchprice, merchimg, merchenabled FROM merchandise ORDER BY merchid DESC LIMIT 1";
cmd.Connection = conn;
}
else
{
cmd.CommandText =
"SELECT merchid, merchname, merchbrief, merchbody, merchprice, merchimg, merchenabled FROM merchandise WHERE merchid= @MERCHID";
cmd.Connection = conn;
var idParam = new NpgsqlParameter
{
ParameterName = "@MERCHID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value = merchId
};
cmd.Parameters.Add(idParam);
}
var da = new NpgsqlDataAdapter(cmd);
var ds = new DataSet();
da.Fill(ds);
merchView.DataSource = ds;
merchView.DataBind();
}
using (var conn = new NpgsqlConnection())
{
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd =
new NpgsqlCommand(
"SELECT merchid, merchname FROM merchandise",
conn);
var da = new NpgsqlDataAdapter(cmd);
var ds = new DataSet();
da.Fill(ds);
merchGrid.DataSource = ds;
merchGrid.DataBind();
}
using (var conn = new NpgsqlConnection())
{
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd =
new NpgsqlCommand(
"SELECT T1.reviewid, T1.reviewtime, T1.userid, T1.merchid, T1.reviewbody, T2.userid, T2.useralias, T3.merchid, T3.merchname FROM reviews AS T1 LEFT OUTER JOIN users AS T2 ON T1.userid = T2.userid LEFT OUTER JOIN merchandise AS T3 ON T1.merchid = T3.merchid",
conn);
var da = new NpgsqlDataAdapter(cmd);
var ds = new DataSet();
da.Fill(ds);
reviewGrid.DataSource = ds;
reviewGrid.DataBind();
}
errorLabel.Text = "";
}
catch (Exception ex)
{
FooLogging.WriteLog(ex.ToString());
errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
}
}
protected void submitButton_Click(object sender, EventArgs e)
{
string reviewBody = reviewText.Text;
string userId = FooSessionHelper.GetUserObjectFromCookie(HttpContext.Current).UserId;
string merchId = Request.QueryString["id"];
if (string.IsNullOrEmpty(reviewBody))
{
RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current);
reviewErrorLabel.Text = "Incomplete input.";
return;
}
if (!FooStringHelper.IsValidAlphanumeric(merchId, 16))
{
RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current);
reviewErrorLabel.Text = "Invalid input.";
return;
}
try
{
if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
{
using (var conn = new NpgsqlConnection())
{
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd = new NpgsqlCommand
{
CommandText =
"INSERT INTO reviews(reviewid, reviewtime, userid, merchid, reviewbody) VALUES (@REVIEWID, @REVIEWTIME, @USERID, @MERCHID, @REVIEWBODY)",
CommandType = CommandType.Text,
Connection = conn
};
var idParam = new NpgsqlParameter
{
ParameterName = "@REVIEWID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value = FooStringHelper.RandomString(16)
};
cmd.Parameters.Add(idParam);
var timeParam = new NpgsqlParameter
{
ParameterName = "@REVIEWTIME",
NpgsqlDbType = NpgsqlDbType.Timestamp,
Size = 32,
Direction = ParameterDirection.Input,
Value = DateTime.Now
};
cmd.Parameters.Add(timeParam);
var userParam = new NpgsqlParameter
{
ParameterName = "@USERID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value = FooStringHelper.RemoveInvalidChars(userId)
};
cmd.Parameters.Add(userParam);
var merchParam = new NpgsqlParameter
{
ParameterName = "@MERCHID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value = merchId
};
cmd.Parameters.Add(merchParam);
var bodyParam = new NpgsqlParameter
{
ParameterName = "@REVIEWBODY",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 1024,
Direction = ParameterDirection.Input,
Value = reviewBody
};
cmd.Parameters.Add(bodyParam);
cmd.ExecuteNonQuery();
cmd.Dispose();
reviewErrorLabel.Text = "";
reviewText.Text = "";
}
}
else
{
errorLabel.Text = "Invalid request.";
}
}
catch (Exception ex)
{
FooLogging.WriteLog(ex.ToString());
reviewErrorLabel.Text =
"Something has gone wrong. A log has been forwarded to the site administrator.";
}
RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current);
Load_Forms(merchId);
}
protected void Insert_NewImage(string fileName, string userId)
{
try
{
using (var conn = new NpgsqlConnection())
{
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd =
new NpgsqlCommand(
"SELECT profileimg FROM users WHERE userid= @USERID",
conn);
var idParam = new NpgsqlParameter
{
ParameterName = "@USERID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value = userId
};
cmd.Parameters.Add(idParam);
NpgsqlDataReader dr = cmd.ExecuteReader();
string imageFile = string.Empty;
while (dr.Read())
{
imageFile = dr["profileimg"].ToString();
}
dr.Close();
if (imageFile != string.Empty && imageFile != "profile_default.jpg")
{
string path = HttpContext.Current.Server.MapPath("~/uploads");
string currentFile = Path.Combine(path, imageFile);
File.Delete(currentFile);
}
}
using (var conn = new NpgsqlConnection())
{
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd =
new NpgsqlCommand(
"UPDATE users SET (profileimg) = (@PROFILEIMG) WHERE userid= @USERID",
conn);
var idParam = new NpgsqlParameter
{
ParameterName = "@USERID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value = FooStringHelper.RemoveInvalidChars(userId)
};
cmd.Parameters.Add(idParam);
var imgParam = new NpgsqlParameter
{
ParameterName = "@PROFILEIMG",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 64,
Direction = ParameterDirection.Input,
Value = fileName
};
cmd.Parameters.Add(imgParam);
cmd.ExecuteNonQuery();
}
}
catch (Exception ex)
{
FooLogging.WriteLog(ex.ToString());
errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
}
}
protected void Insert_NewImage(string merchId, HttpPostedFile file)
{
string fileName = "profile_default.jpg";
string path = HttpContext.Current.Server.MapPath("~/uploads");
if (!Directory.Exists(path))
{
Directory.CreateDirectory(path);
}
if (file != null)
{
var uploadCompleted = false;
byte[] fileBytes = FooFileHelper.GetFileBytesFromHttpStream(file);
if (FooFileHelper.IsImage(fileBytes) && fileBytes.Length < 2097152)
{
if (HttpContext.Current.Request.Browser.Browser.ToUpper() == "IE")
{
string[] files = file.FileName.Split(new[] { '\\' });
fileName = files[files.Length - 1];
}
else
{
fileName = file.FileName;
}
fileName = FooStringHelper.RandomFileName(fileName);
string filePath = Path.Combine(path, fileName);
try
{
File.WriteAllBytes(filePath, fileBytes);
uploadCompleted = true;
}
catch (Exception ex)
{
FooLogging.WriteLog(ex.ToString());
errorLabel.Text = "Upload failed.";
}
}
else
{
errorLabel.Text = "Invalid file.";
}
if (uploadCompleted)
{
try
{
using (var conn = new NpgsqlConnection())
{
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd =
new NpgsqlCommand(
"SELECT merchimg FROM merchandise WHERE merchid= @MERCHID",
conn);
var idParam = new NpgsqlParameter
{
ParameterName = "@MERCHID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value = merchId
};
cmd.Parameters.Add(idParam);
NpgsqlDataReader dr = cmd.ExecuteReader();
string imageFile = string.Empty;
while (dr.Read())
{
imageFile = dr["merchimg"].ToString();
}
dr.Close();
if (imageFile != string.Empty && imageFile != "merch_default.jpg")
{
string currentFile = Path.Combine(path, imageFile);
if (File.Exists(currentFile))
{
File.Delete(currentFile);
}
}
}
using (var conn = new NpgsqlConnection())
{
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd =
new NpgsqlCommand(
"UPDATE merchandise SET (merchimg) = (@MERCHIMG) WHERE merchid= @MERCHID",
conn);
var idParam = new NpgsqlParameter
{
ParameterName = "@MERCHID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value = merchId
};
cmd.Parameters.Add(idParam);
var imgParam = new NpgsqlParameter
{
ParameterName = "@MERCHIMG",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 64,
Direction = ParameterDirection.Input,
Value = fileName
};
cmd.Parameters.Add(imgParam);
cmd.ExecuteNonQuery();
}
}
catch (Exception ex)
{
FooLogging.WriteLog(ex.ToString());
errorLabel.Text =
"Something has gone wrong. A log has been forwarded to the site administrator.";
}
}
}
}
protected void MerchView_Databound(object sender, EventArgs e)
{
if (merchView.CurrentMode == DetailsViewMode.ReadOnly && merchView.Rows.Count > 1)
{
var merchEnabledLabel = (Label)merchView.FindControl("merchEnabledLabel");
using (var conn = new NpgsqlConnection())
{
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd =
new NpgsqlCommand(
"SELECT merchenabled FROM merchandise WHERE merchid= @MERCHID",
conn);
var idParam = new NpgsqlParameter
{
ParameterName = "@MERCHID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value = FooStringHelper.RemoveInvalidChars(merchView.SelectedValue.ToString())
};
cmd.Parameters.Add(idParam);
bool postEnabled = Convert.ToBoolean(cmd.ExecuteScalar());
merchEnabledLabel.Text = postEnabled ? "Yes" : "No";
}
}
else
{
var merchEnabledCheckbox = (CheckBox)merchView.FindControl("merchEnabledCheckbox");
try
{
if (merchView.CurrentMode == DetailsViewMode.Edit)
{
using (var conn = new NpgsqlConnection())
{
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd =
new NpgsqlCommand(
"SELECT merchenabled FROM merchandise WHERE merchid= @MERCHID",
conn);
var idParam = new NpgsqlParameter
{
ParameterName = "@MERCHID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value = FooStringHelper.RemoveInvalidChars(merchView.SelectedValue.ToString())
};
cmd.Parameters.Add(idParam);
NpgsqlDataReader dr = cmd.ExecuteReader();
while (dr.Read())
{
merchEnabledCheckbox.Checked = Convert.ToBoolean(dr["merchenabled"]);
}
dr.Close();
}
}
}
catch (Exception ex)
{
FooLogging.WriteLog(ex.ToString());
string merchId = merchView.SelectedValue.ToString();
if (!FooStringHelper.IsValidAlphanumeric(merchId, 16))
{
errorLabel.Text = "Invalid request.";
Reset_Page(string.Empty);
return;
}
Reset_Page(merchId);
errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
}
}
}
protected void MerchView_ItemInserting(object sender, DetailsViewInsertEventArgs e)
{
string merchId = FooStringHelper.RandomString(16);
var txtMerchName = (TextBox)merchView.FindControl("txtMerchName");
var txtMerchPrice = (TextBox)merchView.FindControl("txtMerchPrice");
var txtMerchBrief = (TextBox)merchView.FindControl("txtMerchBrief");
var txtMerchBody = (TextBox)merchView.FindControl("txtMerchBody");
var imageUploadForm = (FileUpload)merchView.FindControl("imageUploadForm");
var merchEnabledCheckbox = (CheckBox)merchView.FindControl("merchEnabledCheckbox");
if (!string.IsNullOrEmpty(txtMerchName.Text) && !string.IsNullOrEmpty(txtMerchPrice.Text) &&
FooStringHelper.IsValidPrice(txtMerchPrice.Text) && !string.IsNullOrEmpty(txtMerchBrief.Text) &&
!string.IsNullOrEmpty(txtMerchBody.Text))
{
try
{
if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
{
// Define connection string.
using (var conn = new NpgsqlConnection())
{
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd = new NpgsqlCommand
{
CommandText =
"INSERT INTO merchandise (merchid, merchname, merchprice, merchbrief, merchbody, merchenabled) VALUES (@MERCHID, @MERCHNAME, @MERCHPRICE, @MERCHBRIEF, @MERCHBODY, @MERCHENABLED)",
CommandType = CommandType.Text,
Connection = conn
};
var idParam = new NpgsqlParameter
{
ParameterName = "@MERCHID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value = merchId
};
cmd.Parameters.Add(idParam);
var nameParam = new NpgsqlParameter
{
ParameterName = "@MERCHNAME",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 64,
Direction = ParameterDirection.Input,
Value = txtMerchName.Text
};
cmd.Parameters.Add(nameParam);
var priceParam = new NpgsqlParameter
{
ParameterName = "@MERCHPRICE",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 8,
Direction = ParameterDirection.Input,
Value = txtMerchPrice.Text
};
cmd.Parameters.Add(priceParam);
var briefParam = new NpgsqlParameter
{
ParameterName = "@MERCHBRIEF",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 1024,
Direction = ParameterDirection.Input,
Value = txtMerchBrief.Text
};
cmd.Parameters.Add(briefParam);
var bodyParam = new NpgsqlParameter
{
ParameterName = "@MERCHBODY",
NpgsqlDbType = NpgsqlDbType.Varchar,
Direction = ParameterDirection.Input,
Value = txtMerchBody.Text
};
cmd.Parameters.Add(bodyParam);
var enabledParam = new NpgsqlParameter
{
ParameterName = "@MERCHENABLED",
NpgsqlDbType = NpgsqlDbType.Boolean,
Direction = ParameterDirection.Input,
Value = merchEnabledCheckbox.Checked
};
cmd.Parameters.Add(enabledParam);
cmd.ExecuteNonQuery();
cmd.Dispose();
}
if (imageUploadForm.HasFile)
{
HttpPostedFile file = HttpContext.Current.Request.Files[0];
Insert_NewImage(merchId, file);
}
else
{
Insert_NewImage(merchId, null);
}
}
}
catch (Exception ex)
{
FooLogging.WriteLog(ex.ToString());
errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
}
}
else
{
errorLabel.Text = "Incomplete or invalid input.";
}
Reset_Page(string.Empty);
}
protected void GridView_Command(object sender, GridViewCommandEventArgs e)
{
string userId = FooStringHelper.RandomString(16);
var txtUserNameFooter = (TextBox)userGrid.FooterRow.FindControl("txtUserNameFooter");
var txtUserAliasFooter = (TextBox)userGrid.FooterRow.FindControl("txtUserAliasFooter");
var txtEmailFooter = (TextBox)userGrid.FooterRow.FindControl("txtEmailFooter");
var txtUserPasswordFooter = (TextBox)userGrid.FooterRow.FindControl("txtUserPasswordFooter");
var groupDropdownFooter = (DropDownList)userGrid.FooterRow.FindControl("groupDropdownFooter");
if (!string.IsNullOrEmpty(txtUserNameFooter.Text) && !string.IsNullOrEmpty(txtUserAliasFooter.Text) &&
!string.IsNullOrEmpty(txtEmailFooter.Text) && FooStringHelper.IsValidEmailAddress(txtEmailFooter.Text) &&
!string.IsNullOrEmpty(txtUserPasswordFooter.Text))
{
try
{
if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
{
if (e.CommandName.Equals("AddNew"))
{
using (var conn = new NpgsqlConnection())
{
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd = new NpgsqlCommand
{
CommandText =
"INSERT INTO users(userid,username,useralias,groupid,email,passwordhash,profileimg) VALUES (@USERID,@NAME,@DISP,@GROUP,@EMAIL,@HASH,'profile_default.jpg')",
CommandType = CommandType.Text,
Connection = conn
};
var userIdParam = new NpgsqlParameter
{
ParameterName = "@USERID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value = userId
};
cmd.Parameters.Add(userIdParam);
var nameParam = new NpgsqlParameter
{
ParameterName = "@NAME",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 32,
Direction = ParameterDirection.Input,
Value = txtUserNameFooter.Text
};
cmd.Parameters.Add(nameParam);
var dispParam = new NpgsqlParameter
{
ParameterName = "@DISP",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 32,
Direction = ParameterDirection.Input,
Value = txtUserAliasFooter.Text
};
cmd.Parameters.Add(dispParam);
var groupParam = new NpgsqlParameter
{
ParameterName = "@GROUP",
NpgsqlDbType = NpgsqlDbType.Varchar,
Direction = ParameterDirection.Input,
Value = groupDropdownFooter.SelectedValue
};
cmd.Parameters.Add(groupParam);
var emailParam = new NpgsqlParameter
{
ParameterName = "@EMAIL",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 64,
Direction = ParameterDirection.Input,
Value = txtEmailFooter.Text
};
cmd.Parameters.Add(emailParam);
var hashParam = new NpgsqlParameter
{
ParameterName = "@HASH",
NpgsqlDbType = NpgsqlDbType.Varchar,
Direction = ParameterDirection.Input,
Value = FooCryptHelper.CreateShaHash(txtUserPasswordFooter.Text)
};
cmd.Parameters.Add(hashParam);
cmd.ExecuteNonQuery();
cmd.Dispose();
}
}
}
else
{
errorLabel.Text = "Invalid request.";
}
}
catch (Exception ex)
{
FooLogging.WriteLog(ex.ToString());
errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
}
}
else
{
errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
}
Reset_Page();
}
protected void UserView_ItemUpdating(object sender, DetailsViewUpdateEventArgs e)
{
UserObject userObj = FooSessionHelper.GetUserObjectFromCookie(HttpContext.Current);
string userId = userObj.UserId;
string userName = userObj.Username;
if (!FooStringHelper.IsValidAlphanumeric(userId, 16))
{
errorLabel.Text = "Invalid request.";
Reset_Page();
return;
}
var txtUserAlias = (TextBox)userView.FindControl("txtUserAlias");
var txtUserEmail = (TextBox)userView.FindControl("txtUserEmail");
var txtUserAddress = (TextBox)userView.FindControl("txtUserAddress");
var txtUserCity = (TextBox)userView.FindControl("txtUserCity");
var txtUserCountry = (TextBox)userView.FindControl("txtUserCountry");
var txtUserBody = (TextBox)userView.FindControl("txtUserBody");
var imageUploadForm = (FileUpload)userView.FindControl("imageUploadForm");
if (!string.IsNullOrEmpty(txtUserAlias.Text) && !string.IsNullOrEmpty(txtUserEmail.Text) &&
!string.IsNullOrEmpty(txtUserAddress.Text) && !string.IsNullOrEmpty(txtUserCity.Text) &&
!string.IsNullOrEmpty(txtUserCountry.Text) && !string.IsNullOrEmpty(txtUserBody.Text) &&
!string.IsNullOrEmpty(txtUserEmail.Text) && FooStringHelper.IsValidEmailAddress(txtUserEmail.Text) &&
!FooEmailHelper.CheckIfEmailExists(txtUserEmail.Text, userName))
{
try
{
if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
{
using (var conn = new NpgsqlConnection())
{
conn.ConnectionString =
ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
conn.Open();
var cmd = new NpgsqlCommand
{
CommandText =
"UPDATE users SET (useralias, email, address, city, country, profilebody) = (@USERALIAS, @EMAIL, @ADDRESS, @CITY, @COUNTRY, @PROFILEBODY) WHERE userid= @USERID",
CommandType = CommandType.Text,
Connection = conn
};
var idParam = new NpgsqlParameter
{
ParameterName = "@USERID",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 16,
Direction = ParameterDirection.Input,
Value = FooStringHelper.RemoveInvalidChars(userId)
};
cmd.Parameters.Add(idParam);
var aliasParam = new NpgsqlParameter
{
ParameterName = "@USERALIAS",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 32,
Direction = ParameterDirection.Input,
Value = txtUserAlias.Text
};
cmd.Parameters.Add(aliasParam);
var emailParam = new NpgsqlParameter
{
ParameterName = "@EMAIL",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 64,
Direction = ParameterDirection.Input,
Value = txtUserEmail.Text
};
cmd.Parameters.Add(emailParam);
var addressParam = new NpgsqlParameter
{
ParameterName = "@ADDRESS",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 128,
Direction = ParameterDirection.Input,
Value = txtUserAddress.Text
};
cmd.Parameters.Add(addressParam);
var cityParam = new NpgsqlParameter
{
ParameterName = "@CITY",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 32,
Direction = ParameterDirection.Input,
Value = txtUserCity.Text
};
cmd.Parameters.Add(cityParam);
var countryParam = new NpgsqlParameter
{
ParameterName = "@COUNTRY",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 32,
Direction = ParameterDirection.Input,
Value = txtUserCountry.Text
};
cmd.Parameters.Add(countryParam);
var bodyParam = new NpgsqlParameter
{
ParameterName = "@PROFILEBODY",
NpgsqlDbType = NpgsqlDbType.Varchar,
Size = 1024,
Direction = ParameterDirection.Input,
Value = txtUserBody.Text
};
cmd.Parameters.Add(bodyParam);
cmd.ExecuteNonQuery();
cmd.Dispose();
}
if (imageUploadForm.HasFile)
{
string path = HttpContext.Current.Server.MapPath("~/uploads");
if (!Directory.Exists(path))
{
Directory.CreateDirectory(path);
}
HttpPostedFile file = HttpContext.Current.Request.Files[0];
if (file.ContentLength < 2097152)
{
string fileName;
if (HttpContext.Current.Request.Browser.Browser.ToUpper() == "IE")
{
string[] files = file.FileName.Split(new[] { '\\' });
fileName = files[files.Length - 1];
}
else
{
fileName = file.FileName;
}
fileName = FooStringHelper.RandomFileName(fileName);
string filePath = Path.Combine(path, fileName);
try
{
file.SaveAs(filePath);
Insert_NewImage(fileName, userId);
Reset_Page();
}
catch (Exception ex)
{
FooLogging.WriteLog(ex.ToString());
errorLabel.Text = "Upload failed.";
}
}
else
{
errorLabel.Text = "Invalid file.";
}
}
}
}
catch (Exception ex)
{
FooLogging.WriteLog(ex.ToString());
errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
}
}
else
{
errorLabel.Text = "Incomplete or invalid input.";
}
Reset_Page();
}
