C# Skipping parts of code

I got stuck - the first part of the code "// OPEN PRELOADING PAGE" will for some reason not execute and will be skipped. If I comment out the rest of the code and only keep this part there, it works. What is wrong?

protected void Create_Order_Click(object sender, EventArgs e)
{

  // OPEN PRELOADING PAGE
  Response.Write("<script>");
  Response.Write("window.open('smth.aspx','_blank')");
  Response.Write("</script>");

  // DEFINE CONNECTION
  SqlConnection conn = new SqlConnection(ConfigurationManager
             .ConnectionStrings["SqlConnectionString"].ConnectionString);

  // OPEN CONNECTION
  conn.Open();

  // DEFINE FIRST SQL QUERY
  string insertOrder = "INSERT INTO Order_Connection (FK_User_ID) VALUES ('" + Session["User_ID"] + "')";

  string str = FileUpload1.FileName;
  FileUpload1.PostedFile.SaveAs(Server.MapPath(".") + "//upload//" + str);
  string path = "//xxx.cz/intranet/pages/upload/" + str.ToString();

  string insertOrder_Content = "INSERT INTO Order_Content (Uploaded_Photo, Issue_Description, Place_Of_Repair, Transfer_Method, Date_To_Bring, Date_To_Take) VALUES ('" + path + "', @Issue_Description, @Place_Of_Repair, @Transfer_Method, @Date_To_Bring, @Date_To_Take)";
  SqlCommand comInsertIntoOrder = new SqlCommand(insertOrder_Content, conn);

  comInsertIntoOrder.Parameters.AddWithValue("@Issue_Description", TextBox_Issue_Description.Text);
  comInsertIntoOrder.Parameters.AddWithValue("@Place_Of_Repair", DropDownList_Place.SelectedItem.ToString());
  comInsertIntoOrder.Parameters.AddWithValue("@Transfer_Method", DropDownList_Transfer.SelectedItem.ToString());
  comInsertIntoOrder.Parameters.AddWithValue("@Date_To_Bring", TextBox_Date_To_Bring.Text);
  comInsertIntoOrder.Parameters.AddWithValue("@Date_To_Take", TextBox_Date_To_Take.Text);

  comInsertIntoOrder.ExecuteNonQuery();

  // EXECUTE FIRST SQL QUERY
  SqlCommand com = new SqlCommand(insertOrder, conn);

  // EXECUTE NOW
  com.ExecuteNonQuery();

  // CLOSE CONNECTION
  conn.Close();

  Response.Redirect("http://xxx.cz/intranet/pages/Success.aspx");
}
Jon Skeet

You're calling Response.Redirect at the end of the method. That's going to basically terminate the request with a 302 response. The data you'd previously written to the (buffered) response is irrelevant at that point.

Additionally, you should look into parameterized SQL - your database handling is currently vulnerable to SQL injection attacks. (Always, always, always parameterize your SQL, basically.)
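
The parameterization the answer recommends, applied to the question's two INSERT statements, as an added example that is not code from the question or the answer. The `OrderStore` class and `InsertOrder` method are hypothetical names, and the transaction is an addition here so that both rows are written together or not at all.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;

// Hypothetical helper (not from the question). Table, column and
// connection-string names are the ones the question's code uses.
public static class OrderStore
{
    public static void InsertOrder(object userId, string photoPath,
        string issueDescription, string placeOfRepair, string transferMethod,
        string dateToBring, string dateToTake)
    {
        if (userId == null) throw new ArgumentNullException("userId");
        string cs = ConfigurationManager
            .ConnectionStrings["SqlConnectionString"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        {
            conn.Open();
            // Disposing the transaction without Commit() rolls both inserts back.
            using (SqlTransaction tx = conn.BeginTransaction())
            {
                // photoPath ends with the client-supplied upload file name, so it
                // is bound as @Uploaded_Photo instead of being concatenated.
                using (SqlCommand content = new SqlCommand(
                    "INSERT INTO Order_Content (Uploaded_Photo, Issue_Description, " +
                    "Place_Of_Repair, Transfer_Method, Date_To_Bring, Date_To_Take) " +
                    "VALUES (@Uploaded_Photo, @Issue_Description, @Place_Of_Repair, " +
                    "@Transfer_Method, @Date_To_Bring, @Date_To_Take)", conn, tx))
                {
                    content.Parameters.AddWithValue("@Uploaded_Photo", photoPath);
                    content.Parameters.AddWithValue("@Issue_Description", issueDescription);
                    content.Parameters.AddWithValue("@Place_Of_Repair", placeOfRepair);
                    content.Parameters.AddWithValue("@Transfer_Method", transferMethod);
                    content.Parameters.AddWithValue("@Date_To_Bring", dateToBring);
                    content.Parameters.AddWithValue("@Date_To_Take", dateToTake);
                    content.ExecuteNonQuery();
                }
                // Session["User_ID"] was concatenated into the SQL text; bind it too.
                using (SqlCommand order = new SqlCommand(
                    "INSERT INTO Order_Connection (FK_User_ID) VALUES (@User_ID)", conn, tx))
                {
                    order.Parameters.AddWithValue("@User_ID", userId);
                    order.ExecuteNonQuery();
                }
                tx.Commit();
            }
        }
    }
}
```

The click handler would pass `Session["User_ID"]`, the `path` string and the control values to `OrderStore.InsertOrder`; the SQL text is then constant and no request value can change its structure.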


See more on this question at Stackoverflow