passing values through url


gerryR

Hi All

I have a simple aspx page (vb) that pulls info out of an excel sheet. I'm
trying to pass a condition through a link to narrow down the results.
Basically we have 4 areas and rather than have 4 separate pages I'd like to
have 4 links instead.

At the min my link is

contacts.aspx?area=north

But my problem is how do I get that area into my sql statement.

I've tried creating a function in my code behind to return the area

' Returns the value of the "area" query-string parameter (Nothing if absent)
Function passCondition() As String
Dim link As String
link = Request.QueryString("area")
Return link
End Function

And then pass that function into my sql command in the asp page

SelectCommand="SELECT * FROM [range] Where Province=passCondition()">

But all to no avail, I've tried multiple variations of that and several
alternatives but nothing.

As you can prob tell I'm fairly new to all this so really appreciate a point
in the right direction.

Many thanks
gR
 
gerryR said:
I have a simple aspx page (vb) that pulls info out of an excel sheet. I'm
trying to pass a condition through a link to narrow down the results.
Basically we have 4 areas and rather than have 4 separate pages I'd like
to have 4 links instead.

At the min my link is

contacts.aspx?area=north

But my problem is how do I get that area into my sql statement.

I've tried creating a function in my code behind to return the area

' Returns the value of the "area" query-string parameter (Nothing if absent)
Function passCondition() As String
Dim link As String
link = Request.QueryString("area")
Return link
End Function

And then pass that function into my sql command in the asp page

SelectCommand="SELECT * FROM [range] Where Province=passCondition()">

But all to no avail, I've tried multiple variations of that and several
alternatives but nothing.

If you look at your SelectCommand in the debugger you'll see that the text
is exactly as you show it above, with passCondition() as literal text. You
need to concatenate your condition, and include the text delimiters:
SelectCommand="SELECT * FROM [range] Where Province='" + passCondition() +
"'"

You should also look up command parameters, because concatenating free text
into a sql statement opens your application to serious sql injection
security vulnerabilities.
 
gerryR said:
Hi All

I have a simple aspx page (vb) that pulls info out of an excel sheet. I'm
trying to pass a condition through a link to narrow down the results.
Basically we have 4 areas and rather than have 4 separate pages I'd like to
have 4 links instead.

At the min my link is

contacts.aspx?area=north

But my problem is how do I get that area into my sql statement.

I've tried creating a function in my code behind to return the area

' Returns the value of the "area" query-string parameter (Nothing if absent)
Function passCondition() As String
Dim link As String
link = Request.QueryString("area")
Return link
End Function

And then pass that function into my sql command in the asp page

SelectCommand="SELECT * FROM [range] Where Province=passCondition()">

But all to no avail, I've tried multiple variations of that and several
alternatives but nothing.

As you can prob tell I'm fairly new to all this so really appreciate a point
in the right direction.

Many thanks
gR

Why don't you do this?

private dim link as string at the top of the class.

In the page_load method, you do the Querystring to set "link" to the
queried value.

Then just use the "link" variable which can be seen by all methods of
the class.
 
Thanks all, ended up adding a querystring to the sql command

Thanks again for the help
gR
 
Paul Shapiro said:
gerryR said:
I have a simple aspx page (vb) that pulls info out of an excel sheet.
I'm trying to pass a condition through a link to narrow down the results.
Basically we have 4 areas and rather than have 4 separate pages I'd like
to have 4 links instead.

At the min my link is

contacts.aspx?area=north

But my problem is how do I get that area into my sql statement.

I've tried creating a function in my code behind to return the area

' Returns the value of the "area" query-string parameter (Nothing if absent)
Function passCondition() As String
Dim link As String
link = Request.QueryString("area")
Return link
End Function

And then pass that function into my sql command in the asp page

SelectCommand="SELECT * FROM [range] Where Province=passCondition()">

But all to no avail, I've tried multiple variations of that and several
alternatives but nothing.

If you look at your SelectCommand in the debugger you'll see that the text
is exactly as you show it above, with passCondition() as literal text. You
need to concatenate your condition, and include the text delimiters:
SelectCommand="SELECT * FROM [range] Where Province='" + passCondition() +
"'"

You should also look up command parameters, because concatenating free text
into a sql statement opens your application to serious sql injection
security vulnerabilities.

Hi Paul

just on your point about sql injection security issue, are the chances of
this also increased when using text in your SQL statements or is this
particular issue only related when concatenating?

I ask as they are now looking for 4 separate pages so if plain text isn't a
problem I'll just use

SELECT * FROM [range] Where Province="north"
SELECT * FROM [range] Where Province="south"
etc

Or am I still better to use parameters

SELECT * FROM [range] Where Province=@province

Many thanks
gR
 
Or am I still better to use parameters

SELECT * FROM [range] Where Province=@province
Always use parameters or linq - which uses parameters in the sql it
generates.
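Putting the advice from Paul's reply and the last answer together, here is an added example of what the contacts.aspx code-behind could look like with the area passed as a command parameter rather than concatenated into the SQL. This is not code from the thread or from any of its posters. It assumes the workbook is read through the OLE DB provider (the path, the [range] name, the Province column and the four area names are placeholders based on the thread's description) and that the page has a GridView named ContactsGrid; none of those names appear in the thread.

```vb
' Added example, not from the thread: code-behind for contacts.aspx that reads
' ?area=... from the query string and runs a parameterised query against the
' Excel workbook. Workbook path, [range], Province and the area names are
' assumed placeholders; ContactsGrid is an assumed GridView on the page.
Imports System.Data
Imports System.Data.OleDb

Partial Class Contacts
    Inherits System.Web.UI.Page

    ' The thread says there are four areas; using them as an allow-list means
    ' only an expected value ever reaches the query (names are assumed).
    Private Shared ReadOnly Areas As String() = {"north", "south", "east", "west"}

    ' ACE provider reading the workbook; HDR=Yes treats row 1 as column names.
    ' The Data Source path is a placeholder.
    Private Const ConnStr As String = _
        "Provider=Microsoft.ACE.OLEDB.12.0;" & _
        "Data Source=C:\path\to\contacts.xlsx;" & _
        "Extended Properties=""Excel 12.0;HDR=Yes"""

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        If Not IsPostBack Then
            Dim area As String = Request.QueryString("area")
            ' Reject anything that is not one of the known areas rather than
            ' trying to "clean" it; a missing parameter returns Nothing.
            If area Is Nothing OrElse Array.IndexOf(Areas, area.ToLowerInvariant()) < 0 Then
                Response.StatusCode = 400
                Return
            End If
            ContactsGrid.DataSource = LoadContacts(area.ToLowerInvariant())
            ContactsGrid.DataBind()
        End If
    End Sub

    ' The OLE DB provider does not support named parameters such as @province
    ' in the SQL text; it binds parameters positionally to "?" placeholders.
    Private Function LoadContacts(ByVal area As String) As DataTable
        Dim table As New DataTable()
        Using conn As New OleDbConnection(ConnStr)
            Using cmd As New OleDbCommand("SELECT * FROM [range] WHERE Province = ?", conn)
                ' The value travels as data and is never spliced into the SQL
                ' string, so quotes or other characters in it cannot change
                ' the statement that runs.
                cmd.Parameters.Add("@province", OleDbType.VarWChar, 50).Value = area
                Using adapter As New OleDbDataAdapter(cmd)
                    adapter.Fill(table)
                End Using
            End Using
        End Using
        Return table
    End Function
End Class
```

The same thing can be done declaratively with an asp:SqlDataSource whose SelectParameters contains an asp:QueryStringParameter bound to the "area" field; with ProviderName set to System.Data.OleDb the placeholder in SelectCommand must still be "?" rather than "@province". Either way the query text stays fixed and the area value is passed separately, which is the point of the last reply.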
 