protected void ReviewGrid_Delete(object sender, GridViewDeleteEventArgs e) { string merchId = FooStringHelper.RemoveInvalidChars(merchView.SelectedValue.ToString()); if (!FooStringHelper.IsValidAlphanumeric(merchId, 16)) { errorLabel.Text = "Invalid request."; Reset_Page(string.Empty); return; } try { if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value)) { using (var conn = new NpgsqlConnection()) { conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString; conn.Open(); var cmd = new NpgsqlCommand { CommandText = "DELETE FROM reviews WHERE reviewid= @REVIEWID", CommandType = CommandType.Text, Connection = conn }; var param = new NpgsqlParameter { ParameterName = "@REVIEWID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RemoveInvalidChars( reviewGrid.DataKeys[e.RowIndex].Values[0].ToString()) }; cmd.Parameters.Add(param); cmd.ExecuteNonQuery(); } } else { errorLabel.Text = "Invalid request."; } } catch (Exception ex) { FooLogging.WriteLog(ex.ToString()); errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator."; } Reset_Page(merchId); }
protected void Page_Load(object sender, EventArgs e) { string userId = FooStringHelper.RemoveInvalidChars(Request.QueryString["id"]); if (FooStringHelper.IsValidAlphanumeric(userId, 16)) { Load_Forms(userId); } else { errorLabel.Text = "Invalid user."; } }
protected void Load_Forms() { string userId = FooSessionHelper.GetUserObjectFromCookie(HttpContext.Current).UserId; if (!FooStringHelper.IsValidAlphanumeric(userId, 16)) { errorLabel.Text = "Invalid request."; return; } try { using (var conn = new NpgsqlConnection()) { conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString; conn.Open(); var cmd = new NpgsqlCommand( "SELECT userid, useralias, email, address, city, country, profilebody, profileimg FROM users WHERE userid= @USERID", conn); var idParam = new NpgsqlParameter { ParameterName = "@USERID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RemoveInvalidChars(userId) }; cmd.Parameters.Add(idParam); using (NpgsqlDataReader dr = cmd.ExecuteReader()) { userView.DataSource = dr; userView.DataBind(); } } errorLabel.Text = ""; } catch (Exception ex) { FooLogging.WriteLog(ex.ToString()); errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator."; } }
protected void submitButton_Click(object sender, EventArgs e) { string reviewBody = reviewText.Text; string userId = FooSessionHelper.GetUserObjectFromCookie(HttpContext.Current).UserId; string merchId = Request.QueryString["id"]; if (string.IsNullOrEmpty(reviewBody)) { RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current); reviewErrorLabel.Text = "Incomplete input."; return; } if (!FooStringHelper.IsValidAlphanumeric(merchId, 16)) { RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current); reviewErrorLabel.Text = "Invalid input."; return; } try { if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value)) { using (var conn = new NpgsqlConnection()) { conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString; conn.Open(); var cmd = new NpgsqlCommand { CommandText = "INSERT INTO reviews(reviewid, reviewtime, userid, merchid, reviewbody) VALUES (@REVIEWID, @REVIEWTIME, @USERID, @MERCHID, @REVIEWBODY)", CommandType = CommandType.Text, Connection = conn }; var idParam = new NpgsqlParameter { ParameterName = "@REVIEWID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RandomString(16) }; cmd.Parameters.Add(idParam); var timeParam = new NpgsqlParameter { ParameterName = "@REVIEWTIME", NpgsqlDbType = NpgsqlDbType.Timestamp, Size = 32, Direction = ParameterDirection.Input, Value = DateTime.Now }; cmd.Parameters.Add(timeParam); var userParam = new NpgsqlParameter { ParameterName = "@USERID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RemoveInvalidChars(userId) }; cmd.Parameters.Add(userParam); var merchParam = new NpgsqlParameter { ParameterName = "@MERCHID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = merchId }; cmd.Parameters.Add(merchParam); var bodyParam = new NpgsqlParameter { ParameterName = "@REVIEWBODY", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 1024, Direction = ParameterDirection.Input, Value = reviewBody }; cmd.Parameters.Add(bodyParam); cmd.ExecuteNonQuery(); cmd.Dispose(); reviewErrorLabel.Text = ""; reviewText.Text = ""; } } else { errorLabel.Text = "Invalid request."; } } catch (Exception ex) { FooLogging.WriteLog(ex.ToString()); reviewErrorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator."; } RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current); Load_Forms(merchId); }
protected void CategoryGrid_Update(object sender, GridViewUpdateEventArgs e) { int postId = Convert.ToInt32(postView.SelectedValue); var txtCatName = (TextBox)categoryGrid.Rows[e.RowIndex].FindControl("txtCatName"); if (!string.IsNullOrEmpty(txtCatName.Text)) { try { if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value)) { // Define connection string. using (var conn = new NpgsqlConnection()) { conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString; conn.Open(); var cmd = new NpgsqlCommand { CommandText = "UPDATE categories SET catname= @NAME WHERE catid= @CATID", CommandType = CommandType.Text, Connection = conn }; var nameParam = new NpgsqlParameter { ParameterName = "@NAME", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 32, Direction = ParameterDirection.Input, Value = txtCatName.Text }; cmd.Parameters.Add(nameParam); var idParam = new NpgsqlParameter { ParameterName = "@CATID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RemoveInvalidChars( categoryGrid.DataKeys[e.RowIndex].Values[0].ToString()) }; cmd.Parameters.Add(idParam); cmd.ExecuteNonQuery(); } } else { errorLabel.Text = "Invalid request."; } } catch (Exception ex) { FooLogging.WriteLog(ex.ToString()); errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator."; } } else { errorLabel.Text = "Incomplete or invalid input."; } Reset_Page(postId); }
protected void CategoryGrid_Delete(object sender, GridViewDeleteEventArgs e) { int postId = Convert.ToInt32(postView.SelectedValue); try { if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value)) { using (var conn = new NpgsqlConnection()) { conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString; conn.Open(); var cmd = new NpgsqlCommand { CommandText = "DELETE FROM posts WHERE catid= @CATID", CommandType = CommandType.Text, Connection = conn }; var param = new NpgsqlParameter { ParameterName = "@CATID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RemoveInvalidChars( categoryGrid.DataKeys[e.RowIndex].Values[0].ToString()) }; cmd.Parameters.Add(param); cmd.ExecuteNonQuery(); } // Define connection string. using (var conn = new NpgsqlConnection()) { conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString; conn.Open(); var cmd = new NpgsqlCommand { CommandText = "DELETE FROM categories WHERE catid= @CATID", CommandType = CommandType.Text, Connection = conn }; var param = new NpgsqlParameter { ParameterName = "@CATID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RemoveInvalidChars( categoryGrid.DataKeys[e.RowIndex].Values[0].ToString()) }; cmd.Parameters.Add(param); cmd.ExecuteNonQuery(); } } else { errorLabel.Text = "Invalid request."; } } catch (Exception ex) { FooLogging.WriteLog(ex.ToString()); errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator."; } Reset_Page(postId); }
protected void UserView_ItemUpdating(object sender, DetailsViewUpdateEventArgs e) { UserObject userObj = FooSessionHelper.GetUserObjectFromCookie(HttpContext.Current); string userId = userObj.UserId; string userName = userObj.Username; if (!FooStringHelper.IsValidAlphanumeric(userId, 16)) { errorLabel.Text = "Invalid request."; Reset_Page(); return; } var txtUserAlias = (TextBox)userView.FindControl("txtUserAlias"); var txtUserEmail = (TextBox)userView.FindControl("txtUserEmail"); var txtUserAddress = (TextBox)userView.FindControl("txtUserAddress"); var txtUserCity = (TextBox)userView.FindControl("txtUserCity"); var txtUserCountry = (TextBox)userView.FindControl("txtUserCountry"); var txtUserBody = (TextBox)userView.FindControl("txtUserBody"); var imageUploadForm = (FileUpload)userView.FindControl("imageUploadForm"); if (!string.IsNullOrEmpty(txtUserAlias.Text) && !string.IsNullOrEmpty(txtUserEmail.Text) && !string.IsNullOrEmpty(txtUserAddress.Text) && !string.IsNullOrEmpty(txtUserCity.Text) && !string.IsNullOrEmpty(txtUserCountry.Text) && !string.IsNullOrEmpty(txtUserBody.Text) && !string.IsNullOrEmpty(txtUserEmail.Text) && FooStringHelper.IsValidEmailAddress(txtUserEmail.Text) && !FooEmailHelper.CheckIfEmailExists(txtUserEmail.Text, userName)) { try { if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value)) { using (var conn = new NpgsqlConnection()) { conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString; conn.Open(); var cmd = new NpgsqlCommand { CommandText = "UPDATE users SET (useralias, email, address, city, country, profilebody) = (@USERALIAS, @EMAIL, @ADDRESS, @CITY, @COUNTRY, @PROFILEBODY) WHERE userid= @USERID", CommandType = CommandType.Text, Connection = conn }; var idParam = new NpgsqlParameter { ParameterName = "@USERID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RemoveInvalidChars(userId) }; cmd.Parameters.Add(idParam); var aliasParam = new NpgsqlParameter { ParameterName = "@USERALIAS", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 32, Direction = ParameterDirection.Input, Value = txtUserAlias.Text }; cmd.Parameters.Add(aliasParam); var emailParam = new NpgsqlParameter { ParameterName = "@EMAIL", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 64, Direction = ParameterDirection.Input, Value = txtUserEmail.Text }; cmd.Parameters.Add(emailParam); var addressParam = new NpgsqlParameter { ParameterName = "@ADDRESS", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 128, Direction = ParameterDirection.Input, Value = txtUserAddress.Text }; cmd.Parameters.Add(addressParam); var cityParam = new NpgsqlParameter { ParameterName = "@CITY", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 32, Direction = ParameterDirection.Input, Value = txtUserCity.Text }; cmd.Parameters.Add(cityParam); var countryParam = new NpgsqlParameter { ParameterName = "@COUNTRY", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 32, Direction = ParameterDirection.Input, Value = txtUserCountry.Text }; cmd.Parameters.Add(countryParam); var bodyParam = new NpgsqlParameter { ParameterName = "@PROFILEBODY", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 1024, Direction = ParameterDirection.Input, Value = txtUserBody.Text }; cmd.Parameters.Add(bodyParam); cmd.ExecuteNonQuery(); cmd.Dispose(); } if (imageUploadForm.HasFile) { string path = HttpContext.Current.Server.MapPath("~/uploads"); if (!Directory.Exists(path)) { Directory.CreateDirectory(path); } HttpPostedFile file = HttpContext.Current.Request.Files[0]; if (file.ContentLength < 2097152) { string fileName; if (HttpContext.Current.Request.Browser.Browser.ToUpper() == "IE") { string[] files = file.FileName.Split(new[] { '\\' }); fileName = files[files.Length - 1]; } else { fileName = file.FileName; } fileName = FooStringHelper.RandomFileName(fileName); string filePath = Path.Combine(path, fileName); try { file.SaveAs(filePath); Insert_NewImage(fileName, userId); Reset_Page(); } catch (Exception ex) { FooLogging.WriteLog(ex.ToString()); errorLabel.Text = "Upload failed."; } } else { errorLabel.Text = "Invalid file."; } } } } catch (Exception ex) { FooLogging.WriteLog(ex.ToString()); errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator."; } } else { errorLabel.Text = "Incomplete or invalid input."; } Reset_Page(); }
protected void Insert_NewImage(string fileName, string userId) { try { using (var conn = new NpgsqlConnection()) { conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString; conn.Open(); var cmd = new NpgsqlCommand( "SELECT profileimg FROM users WHERE userid= @USERID", conn); var idParam = new NpgsqlParameter { ParameterName = "@USERID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = userId }; cmd.Parameters.Add(idParam); NpgsqlDataReader dr = cmd.ExecuteReader(); string imageFile = string.Empty; while (dr.Read()) { imageFile = dr["profileimg"].ToString(); } dr.Close(); if (imageFile != string.Empty && imageFile != "profile_default.jpg") { string path = HttpContext.Current.Server.MapPath("~/uploads"); string currentFile = Path.Combine(path, imageFile); File.Delete(currentFile); } } using (var conn = new NpgsqlConnection()) { conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString; conn.Open(); var cmd = new NpgsqlCommand( "UPDATE users SET (profileimg) = (@PROFILEIMG) WHERE userid= @USERID", conn); var idParam = new NpgsqlParameter { ParameterName = "@USERID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RemoveInvalidChars(userId) }; cmd.Parameters.Add(idParam); var imgParam = new NpgsqlParameter { ParameterName = "@PROFILEIMG", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 64, Direction = ParameterDirection.Input, Value = fileName }; cmd.Parameters.Add(imgParam); cmd.ExecuteNonQuery(); } } catch (Exception ex) { FooLogging.WriteLog(ex.ToString()); errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator."; } }
protected void MerchView_Databound(object sender, EventArgs e) { if (merchView.CurrentMode == DetailsViewMode.ReadOnly && merchView.Rows.Count > 1) { var merchEnabledLabel = (Label)merchView.FindControl("merchEnabledLabel"); using (var conn = new NpgsqlConnection()) { conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString; conn.Open(); var cmd = new NpgsqlCommand( "SELECT merchenabled FROM merchandise WHERE merchid= @MERCHID", conn); var idParam = new NpgsqlParameter { ParameterName = "@MERCHID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RemoveInvalidChars(merchView.SelectedValue.ToString()) }; cmd.Parameters.Add(idParam); bool postEnabled = Convert.ToBoolean(cmd.ExecuteScalar()); merchEnabledLabel.Text = postEnabled ? "Yes" : "No"; } } else { var merchEnabledCheckbox = (CheckBox)merchView.FindControl("merchEnabledCheckbox"); try { if (merchView.CurrentMode == DetailsViewMode.Edit) { using (var conn = new NpgsqlConnection()) { conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString; conn.Open(); var cmd = new NpgsqlCommand( "SELECT merchenabled FROM merchandise WHERE merchid= @MERCHID", conn); var idParam = new NpgsqlParameter { ParameterName = "@MERCHID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RemoveInvalidChars(merchView.SelectedValue.ToString()) }; cmd.Parameters.Add(idParam); NpgsqlDataReader dr = cmd.ExecuteReader(); while (dr.Read()) { merchEnabledCheckbox.Checked = Convert.ToBoolean(dr["merchenabled"]); } dr.Close(); } } } catch (Exception ex) { FooLogging.WriteLog(ex.ToString()); string merchId = merchView.SelectedValue.ToString(); if (!FooStringHelper.IsValidAlphanumeric(merchId, 16)) { errorLabel.Text = "Invalid request."; Reset_Page(string.Empty); return; } Reset_Page(merchId); errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator."; } } }
protected void submitButton_Click(object sender, EventArgs e) { string commentBody = commentText.Text; string userId = FooSessionHelper.GetUserObjectFromCookie(HttpContext.Current).UserId; string postId = Request.QueryString["id"]; if (!string.IsNullOrEmpty(commentBody)) { try { if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value)) { using (var conn = new NpgsqlConnection()) { conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString; conn.Open(); var cmd = new NpgsqlCommand { CommandText = "INSERT INTO comments(commentid, commenttime, userid, postid, commentbody) VALUES (@COMMENTID, @COMMENTTIME, @USERID, @POSTID, @COMMENTBODY)", CommandType = CommandType.Text, Connection = conn }; var idParam = new NpgsqlParameter { ParameterName = "@COMMENTID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RandomString(16) }; cmd.Parameters.Add(idParam); var timeParam = new NpgsqlParameter { ParameterName = "@COMMENTTIME", NpgsqlDbType = NpgsqlDbType.Timestamp, Size = 32, Direction = ParameterDirection.Input, Value = DateTime.Now }; cmd.Parameters.Add(timeParam); var userParam = new NpgsqlParameter { ParameterName = "@USERID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RemoveInvalidChars(userId) }; cmd.Parameters.Add(userParam); var postParam = new NpgsqlParameter { ParameterName = "@POSTID", NpgsqlDbType = NpgsqlDbType.Integer, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RemoveInvalidChars(postId) }; cmd.Parameters.Add(postParam); var bodyParam = new NpgsqlParameter { ParameterName = "@COMMENTBODY", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 1024, Direction = ParameterDirection.Input, Value = commentBody }; cmd.Parameters.Add(bodyParam); cmd.ExecuteNonQuery(); cmd.Dispose(); commentText.Text = ""; commentErrorLabel.Text = ""; } } else { errorLabel.Text = "Invalid request."; } } catch (Exception ex) { FooLogging.WriteLog(ex.ToString()); commentErrorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator."; } Load_Forms(); } else { commentErrorLabel.Text = "Incomplete input."; } RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current); }