How to use User.Identity.Name as a parameter for SqlDataSource in ASP.NET?

Asked 5/10, 2010 at 12:57 Answered 10/9, 2015 at 22:43

c#asp.net parameter-passing sqldatasource

For SqlDataSource I can configure the external source for the incoming paramater. For example it might be a QueryString, Session, Profile and so on. However I do not have an option to use User as a source.

I know that I could provide value for the parameter in Inserting,Selecting,Updating,Deleting events. But I do not think that this is an ellegant solution because I have some parameteres already definied in aspx file. I do not want to have parameters defined in two separate places. It makes mess.

So can I somehow define this parameter in .aspx file?

    <SelectParameters>
        <asp:QueryStringParameter DefaultValue="-1" Name="ID" 
            QueryStringField="ID" />
        //User.Identity.Name goes here as a value for another parameter  
    </SelectParameters>

Thermochemistry answered 5/10, 2010 at 12:57 Comment(0)

Declare it in your .aspx and fill it in your codebehind:

aspx

<asp:Parameter Name="username" Type="String" DefaultValue="Anonymous" />

codebehind

protected void Page_Init(object sender, EventArgs e) {
    DataSource.SelectParameters["username"].DefaultValue = User.Identity.Name;
}

Miff answered 5/10, 2010 at 13:6 Comment(5)

Thanks Jan, but this is what I would like to avoid. In yuour example I need to fill value of parameter in codebehind. So I have to handle parameters in two separate places: in aspx file and in cs file. Can't I declare the parameter in aspx and bind value for it in aspx too? – Thermochemistry 6/10, 2010 at 6:30

You can give it a shot by using <asp:Parameter Name="username" Type="String" DefaultValue="<%#User.Identity.Name%>" /> – Miff 6/10, 2010 at 6:51

<%#User.Identity.Name%> unfortunately that doesn't work since Parameter doesn't support DataBinding... – Thermochemistry 8/10, 2010 at 8:36

Thanks Jan, succeeded in codebehind. It is not necessary to declare a Default Value in .aspx file. Can only add to the codefehind file. protected void Page_Init(object sender, EventArgs e) { SqlDataSource1.InsertParameters["UserName"].DefaultValue = User.Identity.Name; } – Mechanician 17/2, 2012 at 17:49

fyi. If you have asp:Button's that postBack to functions that perform db ops or in any way use the datasource... You need to have this same code at the top of that button callback too. (aka prior to databinding or pre-databind()) This is why I hate aspx forms. Ridiculous, tedious, over the top, undocumented, frustratingly difficult to figure out and deal with, and completely retarded. My advice: switch to razor, asap. – Kierkegaard 20/9, 2017 at 20:2

You can also accomplish this by creating a hidden textbox on the page, apply the User.Identity.Name to the value and then use the formcontrol parameter in the SQL data source. The advantage here is that you can reuse the code in the select, insert, delete, and update parameters without extra code.

So in aspx we have (noneDisplay is a css class to hide it):

<asp:TextBox runat="server" ID="txtWebAuthUser" CssClass="noneDisplay"></asp:TextBox>

and in the Update parameter of the sql datasource update section:

<asp:ControlParameter Name="CUrrentUser"  ControlID="txtWebAuthUser" Type="String" PropertyName="Text" />

which gets interpreted in the update something like this:

UpdateCommand="UPDATE [Checks] SET [ScholarshipName] = @ScholarshipName, [Amount] = @Amount,LastModifiedBy=@CUrrentUser,
         [LastModified] = getdate() WHERE [CheckId] = @CheckId"

and then in the .cs file form load we have:

this.txtWebAuthUser.Text = User.Identity.Name;

This technique has worked well in many places in all of our applications.

Fusco answered 10/9, 2015 at 22:43 Comment(2)

Does this not leave a gaping security hole, where you can impersonate other users by changing the variable in the hidden text box? – Miff 21/9, 2017 at 7:56

Set it on page load, so any change by the user will not be seen. – Fusco 21/9, 2017 at 18:24

in asp page put a blank datasource with a connectionstring

e.g.

<asp:SqlDataSource ID="SqlDataSourceDeviceID" runat="server" ConnectionString="<%$ ConnectionStrings:myConnectionString %>">
<asp:DropDownList ID="DropDownListDeviceID" runat="server" DataSourceID="SqlDataSourceDeviceID" DataTextField="DevLoc" DataValueField="DeviceId"></asp:DropDownList>

in code behind on pageload

  protected void Page_Load(object sender, EventArgs e)
    {
if (!IsPostBack) {
   String myQuery =String.Format("SELECT DeviceID,DevLoc  FROM  ... where UserName='{0}')",User.Identity.Name);
   SqlDataSourceDeviceID.SelectCommand = myQuery;
   SqlDataSourceDeviceID.DataBind();
   DropDownListDeviceID.DataBind();
}

Crosspollinate answered 31/8, 2014 at 21:25 Comment(0)

Recommended topics

Hot tags