using System;
using System.Data;
using System.Data.SqlClient;
namespace CMSApp
{
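public partial class SecurityExample : System.Web.UI.Page
{
    /// <summary>
    /// Page entry point: initialises the label and button captions on every request.
    /// </summary>
    protected void Page_Load(object sender, EventArgs e)
    {
        SetupControls();
    }

    /// <summary>
    /// Sets up the control captions. The first-name caption can be overridden
    /// through the "firstname" query-string parameter.
    /// </summary>
    /// <remarks>
    /// The query-string value is attacker-controlled and Label.Text is rendered
    /// into the page as raw markup, so the value is HTML-encoded before it is
    /// assigned. Without the encoding this is a reflected XSS.
    /// </remarks>
    private void SetupControls()
    {
        string firstNameText = Request.QueryString["firstname"];

        // Label.Text is emitted verbatim; encode untrusted input before it reaches the markup.
        lblFirstName.Text = String.IsNullOrEmpty(firstNameText)
            ? "First name: "
            : Server.HtmlEncode(firstNameText);
        lblLastName.Text = "Last name: ";
        lblEmail.Text = "E-mail: ";
        lblAge.Text = "Age: ";
        btnSubmit.Text = "Subscribe";
        btnMySubscription.Text = "Display my subscription";
    }

    /// <summary>
    /// Submit button handler: validates the subscription form on the server and
    /// then redirects the user, optionally to a page named by the "url" query-string
    /// parameter.
    /// </summary>
    /// <remarks>
    /// The redirect target is attacker-controlled, so only application-relative
    /// ("~/...") and site-root ("/...") paths are honoured; anything else falls back
    /// to the default page. This closes the open redirect that an unchecked
    /// Response.Redirect of the parameter would create. Request.QueryString already
    /// URL-decodes values; the extra UrlDecode is kept for backward compatibility,
    /// and the safety check is deliberately applied to the fully decoded value so a
    /// double-encoded "//host" cannot slip past it.
    /// </remarks>
    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // Server validation (client-side validation alone can be bypassed).
        ValidateInputs();

        // Redirect user after submitting the form, but never off-site.
        string redirectUrl = Server.UrlDecode(Request.QueryString["url"]);
        if (!IsSafeLocalRedirect(redirectUrl))
        {
            redirectUrl = "~/MySubscription";
        }
        Response.Redirect(redirectUrl);
    }

    /// <summary>
    /// "Display my subscription" button handler: lists the subscription names stored
    /// for the user name carried in the hidden field and appends them to
    /// <c>lblMySubscription</c>.
    /// </summary>
    /// <remarks>
    /// The user name is bound as a SQL parameter instead of being concatenated into
    /// the statement (SQL injection fix). The connection, command and reader are
    /// disposed deterministically, and subscription names are HTML-encoded before
    /// being rendered since their content is not controlled by this page.
    /// NOTE(review): hdnuserName is a hidden form field and therefore client-editable;
    /// the identity used for the lookup should come from the authenticated principal
    /// rather than from the form. That change is outside the scope of this fix.
    /// </remarks>
    protected void btnMySubscription_Click(object sender, EventArgs e)
    {
        string userName = hdnuserName.Value;
        string subscriptions = String.Empty;

        using (SqlConnection conn = new SqlConnection("Your Connection String"))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            // Parameterised query: the user name is passed as data, never spliced into SQL text.
            cmd.CommandText = "SELECT SubscriptionName FROM Subscriptions WHERE UserName = @UserName";
            cmd.CommandType = CommandType.Text;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar).Value = (object)userName ?? DBNull.Value;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                int nameOrdinal = reader.GetOrdinal("SubscriptionName");
                while (reader.Read())
                {
                    // A NULL name would make the original cast throw; skip it instead.
                    if (reader.IsDBNull(nameOrdinal))
                    {
                        continue;
                    }
                    subscriptions += Server.HtmlEncode(reader.GetString(nameOrdinal));
                }
            }
        }

        lblMySubscription.Text += subscriptions;
    }

    /// <summary>
    /// Server-side validation of the subscription form.
    /// </summary>
    /// <remarks>
    /// Not yet implemented: the form's input controls are not referenced anywhere in
    /// this file, so no field-level rules can be written here without inventing
    /// control names. Until it is completed every call throws, which also makes the
    /// redirect in <see cref="btnSubmit_Click"/> unreachable.
    /// </remarks>
    /// <exception cref="NotImplementedException">Always, until the validation rules are written.</exception>
    private void ValidateInputs()
    {
        throw new NotImplementedException();
    }

    /// <summary>
    /// Returns <c>true</c> when <paramref name="url"/> is an application-relative
    /// ("~/...") or site-root ("/...") path that cannot leave this site.
    /// </summary>
    /// <param name="url">The fully decoded redirect target supplied by the client.</param>
    /// <returns>
    /// <c>false</c> for null/empty values, absolute URLs, protocol-relative forms
    /// ("//host", "/\host") and values containing control characters; <c>true</c> otherwise.
    /// </returns>
    private static bool IsSafeLocalRedirect(string url)
    {
        if (String.IsNullOrEmpty(url))
        {
            return false;
        }

        // Control characters (e.g. CR/LF) have no place in a redirect target.
        foreach (char c in url)
        {
            if (Char.IsControl(c))
            {
                return false;
            }
        }

        if (url.StartsWith("~/", StringComparison.Ordinal))
        {
            return true;
        }

        // A single leading slash is a site-root path; "//" and "/\" are
        // protocol-relative and would be resolved against another host.
        return url.StartsWith("/", StringComparison.Ordinal)
            && !url.StartsWith("//", StringComparison.Ordinal)
            && !url.StartsWith("/\\", StringComparison.Ordinal);
    }
}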
}