Tutorial 4A (Answer)

The document discusses the benefits and disadvantages of using data-driven web pages in ASP.NET applications. Some key benefits include easier maintenance of data, reusability of information stored in databases, and the ability to define relationships and validation rules for data. Some disadvantages are increased development time, a potential performance hit from the additional database request, dependence on the database, and increased costs.

Uploaded by miChiKoLee
Copyright
© Attribution Non-Commercial (BY-NC)

AACS4134 Internet Programming

Chapter 4

Answer for Tutorial 4A

1. Discuss the benefits of using the data-driven web page in the ASP.NET web application.

Advantages

Maintenance: Using a database makes it a lot easier to maintain your data and keep it up to date. Take the example of a bank application that contains lists of customers by name and by branch, and contains profiles for each customer. Each time the customer is mentioned in a list, the customer's account number is also present. If that account number changed, the application would need to change it accordingly on all the lists, which could lead to errors; after all, account numbers aren't the easiest things to remember. A well-designed database usually ensures that easily mistyped data such as Social Security numbers (SSNs), credit card numbers, International Standard Book Numbers (ISBNs), and so on is entered or modified in only one place, rather than several. The data-driven Web site would then generate the lists by querying the database. Another reason that data-driven Web sites are easier to maintain is that they typically have fewer actual pages than static Web sites. The pages they do have act as templates that are filled on the fly from a database, as opposed to the complete, individual pages that static Web sites contain.

Reusability: Information in databases can easily be backed up and reused elsewhere as required. Compare this to static Web sites, where the information can't be retrieved easily from the surrounding HTML and layout instructions. Code can also be reused.

Data context: Databases allow you to define relationships and rules for the data in your database. For example, you can create a rule in your database that says if you store some information about a book, you must include an author and an ISBN, which must, in turn, be valid. This means that rather than querying the database for information by a simple index, such as the one in the back of this book, you can specify what to search for, as well as the order in which the information should be returned. A great example of this is the search engine. Can you imagine Google as a table of contents for the Web?

Quality and timeliness of content: Databases are optimized for the storage and retrieval of data and nothing else. They allow you to use and update information on a Web site almost in real time, something that isn't possible with a Web site consisting of just static pages containing forms. For example, consider what happens when an e-commerce Web site receives an order for some goods. The code running behind the page knows to store the new order in a database and to reduce the inventory count for each item in the order once payment has been received. If the customer wants to change the order, it's still available in the database to be changed. The inventory also can be changed, depending on what the customer does. For instance, if the customer cancels the order, the system can simply reinstate inventory levels and mark the order as canceled. Now consider what happens if the e-commerce Web site has a human on the other side instead of a database and the customer wants to change the order. The human needs to find the order, check the stock, and so on. This process wouldn't be immediate, and it would be prone to errors. What if the order were lost or incorrectly recorded?

Disadvantages

Development time: It takes a little more time to write code to access the database containing information and to populate the database with the information you require. Likewise, it may take a little more planning initially to accommodate a database in the architecture of a Web site. Sometimes, the data may not lend itself to being used as a data source, which means more development is required to change it into an appropriate form. And actually designing the database is a valuable skill in its own right, which can take a considerable amount of time to develop.

Database round-trip: When a user requests a static page from a Web server, that Web server immediately sends the page back to the client. When a user requests a dynamic page that requires data from a database, the Web server must first make a request to (or query) the database for the necessary data and then wait for it to arrive before it can assemble and send the page the user requested. This extra round-trip means a slight reduction in performance levels from the Web server. This delay might be unnoticeable on small Web sites, but may become more obvious on enterprise Web sites where thousands of pages might be requested per minute.

Dependence on the database: Using a database in a Web site means that should the database fail for some reason, the whole Web site will fail. The number of users that can access the database server might be limited by the capability of the concurrency control of the database server. The programming code might vary across different data-driven web pages if a web application needs to access more than one type of data resource.

Cost: Development cost: Obviously the development cost for a static web page is much cheaper than for the data-driven page. Full enterprise-level database solutions don't come cheap. At the top end of the market, Oracle Enterprise Edition is around RM40,000 and SQL Server Enterprise Edition around RM20,000 for installation on one computer. Maintenance cost: Hire a database administrator to maintain the database. Renew license fees.


2. Based on the requirements given below, identify the data objects that are needed by each requirement. Explain also why you should include those data objects.

(a) The data-driven web page is only used to test the connection between the database server and the web page.

Data objects: Connection, Exception
Explanation: We need to use the Connection object to establish the link to the database server. The Exception object is used to handle errors that might occur during the connection.

a. The YAHOO! Search engine web page.

Data objects: Connection, Command, Parameter, DataReader
Explanation: The page will pass a value to the SQL SELECT statement, and then the server will return the search result. Connection is used to establish the connection. The Parameter object is used to receive the value from the textbox and then pass it into the SQL SELECT statement. The Command object is used to pass the SQL SELECT statement to the database server, and then retrieve the matching records. DataReader is used to receive the matching records returned from the database server, and then display them on the web page.

b. The HOTMAIL login web page.

Data objects: Connection, Command, Parameter, DataReader
Explanation: The page will pass a value to the SQL SELECT statement, and then the server will return the matching user ID and password. Connection is used to establish the connection. The Parameter object is used to receive the user ID and password from the textboxes and then pass them into the SQL SELECT statement. The Command object is used to pass the SQL SELECT statement to the database server, and then retrieve the matching records. DataReader is used to receive the matching record returned from the database server, and then compare it with the input values.

c. A data-driven web page that allows you to add a new product's details.

Data objects: Connection, Command, Parameter
Explanation: The page will pass a value to the SQL INSERT statement, and then the server will only return the number of records that have been added into the database. Connection is used to establish the connection. The Parameter object is used to receive the value from the textbox and then pass it into the SQL INSERT statement. The Command object is used to pass the SQL INSERT statement to the database server and then compile it.

d. Your FRIENDSTER page that allows you to edit personal details.

Data objects: Connection, Command, Parameter
Explanation: The page will pass a value to the SQL UPDATE statement, and then the server will only return the number of records that have been edited by the UPDATE command. Connection is used to establish the connection. The Parameter object is used to receive the value from the textbox and then pass it into the SQL UPDATE statement. The Command object is used to pass the SQL UPDATE statement to the database server and then compile it.

3. Search for information regarding SQL INJECTION and then answer the following questions.

(a) What is SQL Injection?

The basic idea behind SQL injection is that an attacker manipulates data passed into a web application to modify the query that is run in the backend database.

(b) To prevent SQL Injection, using the Parameter object is better than the string concatenation method. Justify the statement above.

Using parameters allows you to pass external values to your queries and also avoids the risk of SQL injection attack. Parameters are also better in terms of performance because they avoid frequent parsing of queries. A parameterized query is simply a command that uses placeholders in the SQL text. The placeholders indicate dynamically supplied values, which are then sent through the Parameters collection of the Command object. The placeholder values are added separately and automatically encoded.

4. Under what condition will you use the ExecuteReader( ), ExecuteScalar( ) and ExecuteNonQuery( ) methods?

Command method: ExecuteReader( )
Condition: If the SQL SELECT statement will return:
- more than 1 record and data field;
- more than 1 record;
- more than 1 data field.
Must be used together with the DataReader object.

Command method: ExecuteScalar( )
Condition: If the SQL SELECT statement will return only 1 record and 1 data field. A DataReader is not required; we use a string variable or server control to receive the returned data.
#Note: Although the query returns only 1 data field and 1 record, we can still use the ExecuteReader( ) method together with a DataReader to store the record.

Command method: ExecuteNonQuery( )
Condition: Used to compile SQL Action Queries: INSERT, UPDATE, DELETE. No record will be returned by this action query, so a DataReader is not needed, but we can use an integer variable to accept the number of records affected by the action query.

5. (a) However, later you decided to move the database connection to the web.config file. Demonstrate how the connection can be established in the web configuration file.

<connectionStrings>
  <add name="ConnectString" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|EziPrint.mdf;Integrated Security=True;User Instance=True"/>
</connectionStrings>

(b) Based on the answer given in Q5(a), demonstrate how to create the database connection in C# code to link to the EziPrint database file.

SqlConnection conEziPrint;
string connStr = ConfigurationManager.ConnectionStrings["ConnectString"].ConnectionString;
conEziPrint = new SqlConnection(connStr);

(c) Explain why it is better to store the database connection string in the web.config file.

You can easily change the server name, database, or authentication information without editing individual Web pages. Additionally, you can secure the connection string using encryption.

(d) Demonstrate how to declare and initialize a Command object that returns all the information from the PriceInfo Table. You are required to explicitly write the appropriate SQL query.

cmdSelectPrice = new SqlCommand("Select * From PriceInfo", conEziPrint);

(e) You wish to update the Develop_charge for Quantity below 100 to RM7.00. Demonstrate how to declare and initialize a Command object that will update the information in the PriceInfo Table. You are required to write the appropriate SQL query.


cmdUpdatePrice = new SqlCommand("Update PriceInfo set Develop_charge = 7.00 Where Quantity < 100", conEziPrint);
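The following C# is added here and is not part of the tutorial's answer. It puts Q5(a) to (e) together and shows the ExecuteReader( ) and ExecuteNonQuery( ) cases from Q4 in working code: the connection string is read from the ConnectString entry of Q5(a), the SELECT on PriceInfo runs through a DataReader, and the UPDATE returns the number of rows affected. The charge and the quantity limit are passed as parameters instead of being written into the SQL text. The page lists only the Quantity and Develop_charge columns of PriceInfo, so the reader prints whatever columns exist; the using blocks, the method names and the Main( ) driver are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

// Added example (not the tutorial's own code). Assumes the "ConnectString"
// entry from Q5(a) exists in web.config and that PriceInfo has the Quantity
// and Develop_charge columns named in Q5.
public static class PriceInfoAccess
{
    // Q5(b)/(c): the connection string comes from web.config, not from the page.
    private static string ConnStr
    {
        get { return ConfigurationManager.ConnectionStrings["ConnectString"].ConnectionString; }
    }

    // Q5(d) with ExecuteReader( ): several records and several fields come back,
    // so a DataReader is required (Q4). Each row is returned as "column=value" pairs.
    public static List<string> ReadAllPrices()
    {
        List<string> rows = new List<string>();
        using (SqlConnection conEziPrint = new SqlConnection(ConnStr))
        using (SqlCommand cmdSelectPrice = new SqlCommand("Select * From PriceInfo", conEziPrint))
        {
            conEziPrint.Open();
            using (SqlDataReader dtrPrice = cmdSelectPrice.ExecuteReader())
            {
                while (dtrPrice.Read())
                {
                    string[] fields = new string[dtrPrice.FieldCount];
                    for (int i = 0; i < dtrPrice.FieldCount; i++)
                        fields[i] = dtrPrice.GetName(i) + "=" + Convert.ToString(dtrPrice[i]);
                    rows.Add(string.Join(", ", fields));
                }
            }
        }
        return rows;
    }

    // Q5(e) with ExecuteNonQuery( ): an UPDATE returns no records, only the number
    // of rows affected. The new charge and the quantity limit travel as typed
    // parameters, so they can never change the structure of the statement.
    public static int UpdateDevelopCharge(decimal newCharge, int maxQuantity)
    {
        using (SqlConnection conEziPrint = new SqlConnection(ConnStr))
        using (SqlCommand cmdUpdatePrice = new SqlCommand(
            "Update PriceInfo set Develop_charge = @Charge Where Quantity < @MaxQty", conEziPrint))
        {
            cmdUpdatePrice.Parameters.Add("@Charge", SqlDbType.Decimal).Value = newCharge;
            cmdUpdatePrice.Parameters.Add("@MaxQty", SqlDbType.Int).Value = maxQuantity;
            conEziPrint.Open();
            return cmdUpdatePrice.ExecuteNonQuery();
        }
    }

    // Driver standing in for a button-click handler on the page.
    public static void Main()
    {
        // RM7.00 for Quantity below 100, the change asked for in Q5(e).
        int affected = UpdateDevelopCharge(7.00m, 100);
        Console.WriteLine("Rows updated: " + affected);
        foreach (string row in ReadAllPrices())
            Console.WriteLine(row);
    }
}
```

The using blocks close the DataReader and the connection even when an exception is thrown, which is the situation the Exception object of Q2(a) is there to handle; the integer returned by ExecuteNonQuery( ) is the "number of records affected" that Q4 describes, and it is worth checking it against the number of rows you expected to change before reporting success to the user.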

6. (a)

protected void btnSearch_Click(object sender, EventArgs e)
{
    SqlConnection conPatient;
    SqlCommand cmdpatient;
    SqlDataReader dtrpatient;

    // The connection string is read from web.config (see Q5).
    string connStr = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
    conPatient = new SqlConnection(connStr);
    conPatient.Open();

    // The search criterion comes from the textbox at run time, so it is passed as a parameter.
    string strsql = "Select PatientName, PatientIC from PatientInfo where PatientID=@PID";
    cmdpatient = new SqlCommand(strsql, conPatient);
    cmdpatient.Parameters.AddWithValue("@PID", txtPatientID.Text);

    dtrpatient = cmdpatient.ExecuteReader();
    if (dtrpatient.Read())
    {
        txtPatientName.Text = Convert.ToString(dtrpatient["PatientName"]);
        txtPatientIC.Text = Convert.ToString(dtrpatient["PatientIC"]);
    }
    else
        lblMessage.Text = "Record not found";

    // Close the reader before the connection it depends on.
    dtrpatient.Close();
    conPatient.Close();
}

(b) When should we use parameterized queries in the C#.NET code? Give an explanation for your suggestion with a suitable example.

When we do not assign the search criteria at design time, then we must use parameterized queries.

Example: select PatientIC from PatientInfo where PatientID=@patient
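As an added example that is not part of the tutorial's answer, the following C# compares the two approaches from Q3(b) on the HOTMAIL-style login page of Q2(b), which is also the situation Q6(b) describes: the user ID and password are only known at run time. The Users table with its UserID and Password columns, the COUNT(*) query, the placeholder connection string and the method names are assumptions for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the tutorial): the same login check written with
// string concatenation and with a parameterized Command. Table and column
// names are assumed for the example.
public static class LoginQueries
{
    // Placeholder only; a real page reads this from web.config as in Q5.
    private const string PlaceholderConnStr = "Data Source=.\\SQLEXPRESS;Integrated Security=True";

    // UNSAFE: the user's input becomes part of the SQL text itself. Any quote
    // character in the data changes the structure of the statement, which is
    // the mechanism SQL injection relies on. Shown for comparison, never executed.
    public static string BuildUnsafeLoginQuery(string userId, string password)
    {
        return "SELECT COUNT(*) FROM Users WHERE UserID = '" + userId +
               "' AND Password = '" + password + "'";
    }

    // SAFE: the SQL text is fixed; the values travel separately through the
    // Parameters collection and are always treated as data, never as SQL.
    public static SqlCommand BuildSafeLoginCommand(SqlConnection con, string userId, string password)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Users WHERE UserID = @UserID AND Password = @Password", con);
        cmd.Parameters.Add("@UserID", SqlDbType.NVarChar, 50).Value = userId;
        cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 50).Value = password;
        return cmd;
    }

    // Runs the safe version. ExecuteScalar( ) fits because the query returns
    // exactly one record with one field (the count), so no DataReader is needed (Q4).
    public static bool LoginMatches(string connStr, string userId, string password)
    {
        using (SqlConnection con = new SqlConnection(connStr))
        {
            con.Open();
            SqlCommand cmd = BuildSafeLoginCommand(con, userId, password);
            int matches = Convert.ToInt32(cmd.ExecuteScalar());
            return matches == 1;
        }
    }

    public static void Main()
    {
        // Constructed input: an ordinary user ID that happens to contain an apostrophe.
        string userId = "O'Brien";
        string password = "secret";

        // The apostrophe ends the string literal early, so the statement the
        // server would receive is no longer the one the programmer wrote.
        Console.WriteLine(BuildUnsafeLoginQuery(userId, password));

        using (SqlConnection con = new SqlConnection(PlaceholderConnStr))
        {
            SqlCommand cmd = BuildSafeLoginCommand(con, userId, password);
            // The command text is identical for every input; the value sits in
            // the parameter, apostrophe included, and is only ever compared.
            Console.WriteLine(cmd.CommandText);
            Console.WriteLine(cmd.Parameters["@UserID"].Value);
        }
    }
}
```

With the constructed input, the concatenated text reads UserID = 'O'Brien', so an apostrophe in ordinary data has already broken the statement, and crafted input could append conditions in the same way; the parameterized command's text never varies, which is why the answer to Q3(b) prefers the Parameter object. The tutorial compares the stored password directly, as the answer to Q2(b) does; a production site stores a password hash and compares against that instead.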
