using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
namespace OWASP.WebGoat.NET.WebGoatCoins
{
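public partial class ProductDetails : System.Web.UI.Page
{
    // Catalog item rendered when the request carries no productNumber ("this month's special").
    private const string DefaultProductNumber = "S18_2795";

    /// <summary>
    /// Resets the message/email controls on every request and, on the initial GET only,
    /// renders the requested product with its comments and binds the catalog drop-down.
    /// </summary>
    protected void Page_Load(object sender, EventArgs e)
    {
        lblMessage.Visible = false;
        txtEmail.Enabled = true;

        // Both initialisation steps below only run on the first (non-postback) request;
        // the original had them in two separate identical IsPostBack guards.
        if (Page.IsPostBack)
        {
            return;
        }

        LoadComments();

        DatabaseUtilities du = new DatabaseUtilities(Server);
        DataSet catalog = du.GetCatalogData();
        ddlItems.DataSource = catalog.Tables[0];
        ddlItems.DataTextField = "productName";
        ddlItems.DataValueField = "productCode";
        ddlItems.DataBind();
    }

    /// <summary>
    /// Stores the comment typed into the form against the product in hiddenFieldProductID,
    /// then re-renders the comment list. Failures are reported through lblMessage.
    /// </summary>
    protected void btnSave_Click(object sender, EventArgs e)
    {
        try
        {
            // NOTE(review): hiddenFieldProductID, txtEmail and txtComment all arrive from the
            // client and are passed through untouched. AddComment is not visible here; it must
            // use parameterised SQL. Nothing on this page ties the email to an authenticated
            // identity, so a comment can be posted under any address.
            DatabaseUtilities du = new DatabaseUtilities(Server);
            string result = du.AddComment(hiddenFieldProductID.Value, txtEmail.Text, txtComment.Text);

            // AddComment's return value is echoed back into the comment box (existing behaviour).
            txtComment.Text = result;
            lblMessage.Visible = true;
            LoadComments();
        }
        catch (Exception)
        {
            // Do not echo the exception text to the browser: driver/database messages can leak
            // connection details, table names and query fragments to an attacker probing the
            // page. No logging facility is visible in this file; wire the exception into the
            // application's logger here if one exists.
            lblMessage.Text = "Your comment could not be saved.";
            lblMessage.Visible = true;
        }
    }

    /// <summary>
    /// Renders the product named by the productNumber request value (or the default special)
    /// into lblOutput and its comments into lblComments, and pre-fills txtEmail for a visitor
    /// carrying a customerNumber cookie. All database values are HTML-encoded before they are
    /// placed into markup.
    /// </summary>
    void LoadComments()
    {
        DatabaseUtilities du = new DatabaseUtilities(Server);

        // Request[] merges query string, form, cookies and server variables, so this value is
        // entirely attacker-controlled. It goes to GetProductDetails as-is; that helper must
        // bind it as a query parameter (not verifiable from this file).
        string productNumber = Request["productNumber"] ?? DefaultProductNumber;
        DataSet ds = du.GetProductDetails(productNumber);

        string output = string.Empty;
        string comments = string.Empty;
        foreach (DataRow prodRow in ds.Tables["products"].Rows)
        {
            // Comments and email addresses are user-submitted (see btnSave_Click); emitting
            // them raw is a stored XSS. Product fields are encoded as well so the page does
            // not depend on the catalog table being trustworthy.
            output += "<div class='product2' align='center'>";
            output += "<img src='./images/products/" + EncodeAttribute(prodRow["productImage"]) + "'/><br/>";
            output += "<strong>" + EncodeText(prodRow["productName"]) + "</strong><br/>";
            output += "<hr/>" + EncodeText(prodRow["productDescription"]) + "<br/>";
            output += "</div>";

            hiddenFieldProductID.Value = prodRow["productCode"].ToString();

            DataRow[] commentRows = prodRow.GetChildRows("prod_comments");
            if (commentRows.Length > 0)
            {
                comments += "<h2 class='title-regular-2'>Comments:</h2>";
            }
            foreach (DataRow commentRow in commentRows)
            {
                // NOTE(review): the "Verified" badge is unconditional — nothing on this page
                // checks that the address was ever verified.
                comments += "<strong>Email:</strong>" + EncodeText(commentRow["email"]) + "<span style='font-size: x-small;color: #E47911;'> (Email Address Verified!) </span><br/>";
                comments += "<strong>Comment:</strong><br/>" + EncodeText(commentRow["comment"]) + "<br/><hr/>";
            }
        }
        lblOutput.Text = output;
        lblComments.Text = comments;

        // Pre-fill the email address of "authenticated" users.
        // NOTE(review): customerNumber is a plain, unsigned client cookie. Any visitor can set
        // it to another customer's number and have that customer's email looked up and shown
        // here (an IDOR / information disclosure). Identity should come from the server-side
        // session or authentication ticket, not from a cookie value the client chooses.
        HttpCookie customerCookie = Request.Cookies["customerNumber"];
        if (customerCookie != null)
        {
            string email = du.GetCustomerEmail(customerCookie.Value);
            txtEmail.Text = email;
            txtEmail.ReadOnly = true;
        }
    }

    /// <summary>Navigates to the product chosen in the catalog drop-down.</summary>
    protected void ddlItems_SelectedIndexChanged(object sender, EventArgs e)
    {
        RedirectToSelectedProduct();
    }

    /// <summary>Navigates to the product chosen in the catalog drop-down.</summary>
    protected void Button1_Click(object sender, EventArgs e)
    {
        RedirectToSelectedProduct();
    }

    // Both handlers above redirect to the same URL; the selected value is URL-encoded so a
    // product code containing reserved characters cannot alter the query string.
    private void RedirectToSelectedProduct()
    {
        Response.Redirect("ProductDetails.aspx?productNumber=" + HttpUtility.UrlEncode(ddlItems.SelectedItem.Value));
    }

    // HTML-encodes a database cell for element content. Null and DBNull render as the empty
    // string, matching what plain string concatenation of the cell produced before.
    private static string EncodeText(object value)
    {
        return HttpUtility.HtmlEncode(value == null ? string.Empty : value.ToString());
    }

    // Encodes a database cell for use inside a quoted attribute value. The img src above is
    // single-quoted; HtmlAttributeEncode encodes the apostrophe on .NET 4.0 and later — confirm
    // the target framework, or switch the attribute to double quotes.
    private static string EncodeAttribute(object value)
    {
        return HttpUtility.HtmlAttributeEncode(value == null ? string.Empty : value.ToString());
    }
}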
}