Im building an ASP.Net payment application to demonstrate application security but have hit an obstacle already!
I have created users (locally) and have bank accounts in a web service to simulate the bank as an external entity. Before the users payment is approved I want to check their account (on the web service) for sufficient funds before proceeding. The users Card number is pulled from a db and passed over (with the payment amount) to the bank (web service) and there another query takes place i.e. "gets AccountBalance from BankAccTable where CardNumber = cn"...
Im building this application in VS2010, and in the Query Builder this returns the correct result. However, I have only ever done something similar where I displayed the result in a Gridview, which works also... but now I need to do this programmatically, receiving the result in the web service so I can do the check and return an "insufficient funds" msg, or proceed to deduct the PaymentAmount and update the db record... (The amount will then be passed to another WS simulating the merchants bank account, to be update.. but thats later, one step at a time!).
I think I need to hold the result somewhere i.e. DataSet / DataTable, do what I need to do and then re-insert the updated Row, but everything Ive been trying isn't working! I keep getting the "TableName" not the query result!
PAYMENT.ASPX.CS
Code: Select all
protected void ButtonPayNow_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["UserConnectionString"].ConnectionString);
con.Open();
string cmdStr = "SELECT PaymentPIN FROM UserTable WHERE EmailAddress= '" + TextBoxPayEmail.Text + "'";
SqlCommand accVerify = new SqlCommand(cmdStr, con);
string payPIN = Convert.ToString(accVerify.ExecuteScalar());
if (TextBoxPIN.Text == payPIN)
{
// TextBoxPayEmail.Text = "Success..!";
// Retrieve users bank info.
SqlConnection con2 = new SqlConnection(ConfigurationManager.ConnectionStrings["UserBankDatabaseConnectionString"].ConnectionString);
con2.Open();
string cmdStr2 = "SELECT CardNumber FROM UserBankTable WHERE EmailAddress= '" + TextBoxPayEmail.Text +"'";
SqlCommand CardNum = new SqlCommand(cmdStr2, con2);
string cardNum = Convert.ToString(CardNum.ExecuteScalar());
// Check bank for funds.
BankHost.Service BankWS = new BankHost.Service();
double payAmount = double.Parse(TextBoxPayAmount.Text);
string balance = Convert.ToString(BankWS.checkAccBalance(cardNum, payAmount));
}
else
{
TextBoxPayEmail.Text = "Didnt work..!";
}
Code: Select all
[WebMethod] // Check for funds
public DataSet1.BankAccTableDataTable checkAccBalance(string cn, double paySum)
{
DataSet1TableAdapters.BankAccTableTableAdapter ta = new DataSet1TableAdapters.BankAccTableTableAdapter();
return ta.GetBalanceData(cn);
}
This is my attempt at getting the "AccountBalance" but it didnt work, returns the same result "TableName" (BankAccTable).
BANK WEBSERVICE.CS
Code: Select all
[WebMethod] // Check for funds
public string checkAccBalance(string cn, double pa)
{
DataSet1TableAdapters.BankAccTableTableAdapter ta = new DataSet1TableAdapters.BankAccTableTableAdapter();
string bal = ta.GetBalanceData(cn).ToString();
return bal;
}
Any help will be much appreciated.. Than you!