Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP General

Passing percent sign in querystring

Joey Martin
04-22-2005
I am passing a sql string through my querystring for the next page to
capture.
example: www.xxxxxxxx.com/index.asp?str=select * from table where name like '%doe%'

Passing a basic string works fine. But, when I use the LIKE statement it
does not work. I know it's because of the % sign, so how do I translate
this through, so that the following page picks up the percent sign?

*** Sent via Developersdex http://www.developersdex.com ***

McKirahan
04-22-2005
"Joey Martin" <(E-Mail Removed)> wrote in message
news:OJgK$(E-Mail Removed)...
> I am passing a sql string thru my querystring for the next page to
> capture.
> example: www.xxxxxxxx.com/index.asp?str=select * from table where name
> like '%doe%'
>
> Passing a basic string works fine. But, when I use the LIKE statement it
> does not work. I know it's because of the % sign, so how do I translate
> this thru, so that the following page picks up the percent sign?
>


A JavaScript solution:

var url = "http://www.xxxxxxxx.com/index.asp?str=";
var sql = "SELECT * FROM table WHERE name LIKE '%doe%'";
// encodeURIComponent turns "%" into "%25" (and encodes spaces and quotes),
// so the receiving page's query-string decoding hands back the original text
window.open(url + encodeURIComponent(sql), "", "");

Kyle Peterson
04-22-2005
well, hopefully you're only doing this in a secure area of the site that only
admins use

regardless you want to Server.URLEncode that string before you send it to
the next page

Server.URLEncode(YourSQLString)

it will encode certain characters so they make it over ok...
you don't have to worry about decoding it as the request object takes care of
that


"Joey Martin" <(E-Mail Removed)> wrote in message
news:OJgK$(E-Mail Removed)...
>I am passing a sql string thru my querystring for the next page to
> capture.
> example: www.xxxxxxxx.com/index.asp?str=select * from table where name
> like '%doe%'
>
> Passing a basic string works fine. But, when I use the LIKE statement it
> does not work. I know it's because of the % sign, so how do I translate
> this thru, so that the following page picks up the percent sign?
>
> *** Sent via Developersdex http://www.developersdex.com ***

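
The following is an added example (JavaScript, runs under Node.js or in a browser console), not code from either reply above. It reproduces the failure Joey describes and compares three ways of building the link: the raw string, McKirahan's escape(), and encodeURIComponent. The WHATWG URL API stands in for the receiving page's query-string decoder (classic ASP's Request.QueryString is not exercised here; the decoding rules are those of application/x-www-form-urlencoded). The LIKE pattern uses '%ab' rather than '%doe' so that the percent sign is followed by two hex digits and the corruption shows with any standards-conforming decoder; the host name is the placeholder from the original post and the SQL strings are constructed for this example. Server.URLEncode, which Kyle recommends for the server side, does the same job as encodeURIComponent here (it encodes spaces as "+", which Request.QueryString turns back into spaces).

```javascript
// Added example, not code from the thread. Shows why a raw "%" in a query
// string is corrupted in transit and why encodeURIComponent (rather than the
// legacy escape()) is the right client-side fix. The WHATWG URL API (Node.js
// and browsers) stands in for the receiving page's query-string decoder; the
// host name is the placeholder from the original post.
const BASE = "http://www.xxxxxxxx.com/index.asp?str=";

// Naive: paste the SQL text straight into the query string.
function buildRaw(sql) {
  return BASE + sql;
}

// Legacy: escape() encodes "%" but leaves "+" alone, and the receiver turns a
// bare "+" into a space under application/x-www-form-urlencoded rules.
function buildEscaped(sql) {
  return BASE + escape(sql);
}

// Correct: encodeURIComponent encodes "%" as "%25", "+" as "%2B", space as "%20".
function buildEncoded(sql) {
  return BASE + encodeURIComponent(sql);
}

// What the next page sees after the query string is decoded.
function receive(url) {
  return new URL(url).searchParams.get("str");
}

// True when the value survives the trip unchanged.
function roundTrips(build, sql) {
  return receive(build(sql)) === sql;
}

// Constructed samples: a LIKE pattern whose "%ab" is a valid percent-escape
// (so the decoder consumes it as the byte 0xAB), and a string containing "+".
const SQL_LIKE = "select * from table where name like '%ab%'";
const SQL_PLUS = "select first_name+last_name from personnel";

const builders = [
  ["raw", buildRaw],
  ["escape()", buildEscaped],
  ["encodeURIComponent()", buildEncoded],
];

for (const [name, build] of builders) {
  console.log(name);
  console.log("  LIKE pattern received as: " + JSON.stringify(receive(build(SQL_LIKE))));
  console.log("  LIKE round-trips: " + roundTrips(build, SQL_LIKE));
  console.log("  '+' round-trips:  " + roundTrips(build, SQL_PLUS));
}
```

With the raw link the decoder consumes "%ab" as a single byte, which is not valid UTF-8 and comes out as U+FFFD, so the pattern the next page receives is no longer the one that was sent. escape() repairs the percent sign but still loses any "+" in the string, which matters for SQL Server concatenation; encodeURIComponent round-trips both.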
 
ASPfool
04-22-2005
Hey Joey,

I think writing the whole sql statement in the querystring is a bad idea -
you are open to sql injection attacks and the like. All your user has to do
is substitute delete for select, and hey presto, your table is empty (unless
you've denied delete rights on your db user account)....

regards,
Jon.

"Kyle Peterson" wrote:

> well, hopefully your only doing this in a secure area of the site that only
> admins use
>
> regardless you want to Server.URLEncode that string before you send it to
> the next page
>
> Server.URLEncode(YourSQLString)
>
> it will encode certaint characters so they make it over ok...
> you dont have to worry about decoding it as the request object takes care of
> that
>
>
> "Joey Martin" <(E-Mail Removed)> wrote in message
> news:OJgK$(E-Mail Removed)...
> >I am passing a sql string thru my querystring for the next page to
> > capture.
> > example: www.xxxxxxxx.com/index.asp?str=select * from table where name
> > like '%doe%'
> >
> > Passing a basic string works fine. But, when I use the LIKE statement it
> > does not work. I know it's because of the % sign, so how do I translate
> > this thru, so that the following page picks up the percent sign?
> >
> > *** Sent via Developersdex http://www.developersdex.com ***

Joey Martin
04-22-2005
Ok. So if I do not include the sql querystring in the address bar (and I
appreciate you pointing out the security problems), how do I perform
sortable columns? I need a way to pass the querystring to the next page
that re-sorts the columns.

Mark Schupp
04-22-2005
I would do the sort using client-side JavaScript myself (no trips to the
server just to get the same data in a different order). If you cannot, then
keep the current query parameters in session variables or in a database on
the server. Or pass the parameters used to build the query instead of the
query itself.

--
--Mark Schupp
Head of Development
Integrity eLearning
www.ielearning.com

"Joey Martin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
>
> Ok. So if I do not include the sql querystring in the address bar (and I
> appreciate you pointing out the security problems), how do I perform
> sortable colums? I need a way to pass the querystring to the next page
> that re-sorts the columns.
>
> *** Sent via Developersdex http://www.developersdex.com ***

larrybud2002@yahoo.com
04-22-2005

Joey Martin wrote:
> Ok. So if I do not include the sql querystring in the address bar (and I
> appreciate you pointing out the security problems), how do I perform
> sortable columns? I need a way to pass the querystring to the next
> page that re-sorts the columns.


What I do is have a sortby in the querystring, which matches the column
names... i.e.

resultpage.asp?sortby=last_name,first_name

Then in resultpage.asp you just dynamically build your sql...

sortby = Request.QueryString("sortby")
If sortby = "" Then sortby = "last_name,first_name"   ' default sort order
mysql = "select * from personnel order by " & sortby

You should check to see if sortby is empty, and set it to a default
sorting method if so.

Mark Schupp
04-22-2005
<(E-Mail Removed)> wrote in message news:(E-Mail Removed) ups.com...
> Joey Martin wrote:
>> Ok. So if I do not include the sql querystring in the address bar (and I
>> appreciate you pointing out the security problems), how do I perform
>> sortable columns? I need a way to pass the querystring to the next
>> page that re-sorts the columns.
>
> What I do is have a sortby in the querystring, which matches the column
> names... i.e.
>
> resultpage.asp?sortby=last_name,first_name
>
> Then in resultpage.asp you just dynamically build your sql...
>
> mysql="select * from personnel order by " & sortby
>
> You should check to see if sortby is empty, and set it to a default
> sorting method if so.
>

This can open you up to SQL Injection attacks. You should never include any
data from the request in a SQL statement without validating it and escaping
special characters in it first.

larrybud2002@yahoo.com
04-22-2005
> > What I do is have a sortby in the querystring, which matches the column
> > names... i.e.
> >
> > resultpage.asp?sortby=last_name,first_name
> >
> > Then in resultpage.asp you just dynamically build your sql...
> >
> > mysql="select * from personnel order by " & sortby
> >
> > You should check to see if sortby is empty, and set it to a default
> > sorting method if so.
> >
> This can open you up to SQL Injection attacks. You should never include any
> data from the request in a SQL statement without validating it and escaping
> special characters in it first.


How can it do that when it's forced after "order by" in a select
statement?

Mark Schupp
04-22-2005
I'm not an expert on it but if I understand correctly one attack involves
appending SQL Statements. Some DBMSs allow multiple statements to be
executed in one call.

sortby = "last_name,first_name"
mysql = "select * from personnel order by " & sortby
mysql => select * from personnel order by last_name,first_name

Now try:
sortby = "last_name,first_name;delete from personnel"
mysql = "select * from personnel order by " & sortby
mysql => select * from personnel order by last_name,first_name;delete from personnel

If you do a search on "sql injection" you will probably find a dozen
articles that explain this and other attacks much better.

--
--Mark Schupp
Head of Development
Integrity eLearning
www.ielearning.com

<(E-Mail Removed)> wrote in message news:(E-Mail Removed) ups.com...
>> > What I do is have a sortby in the querystring, which matches the column
>> > names... i.e.
>> >
>> > resultpage.asp?sortby=last_name,first_name
>> >
>> > Then in resultpage.asp you just dynamically build your sql...
>> >
>> > mysql="select * from personnel order by " & sortby
>> >
>> > You should check to see if sortby is empty, and set it to a default
>> > sorting method if so.
>> >
>> This can open you up to SQL Injection attacks. You should never include any
>> data from the request in a SQL statement without validating it and escaping
>> special characters in it first.
>
> How can it do that when it's forced after "order by" in a select
> statement?
>
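
The following is an added example (JavaScript, runs under Node.js), not code from the thread or from any poster. It puts the string-concatenation builder from larrybud's resultpage.asp next to an allow-listed version that implements Mark Schupp's advice to pass the parameters used to build the query rather than the query itself, and runs both against the stacked-statement payload Mark shows above. The personnel table, the last_name and first_name columns and the injection string come from the thread; the hire_date column, the optional ":asc" / ":desc" suffix per column and the default sort are assumptions of this example.

```javascript
// Added example, not the thread's own code. Compares the concatenation
// builder from the thread with an allow-listed version.
// Assumptions for this example: the allow-list below (hire_date is invented),
// an optional ":asc" / ":desc" suffix per column, and the default sort.
const ALLOWED_COLUMNS = new Set(["last_name", "first_name", "hire_date"]);
const DEFAULT_SORT = "last_name,first_name";

// Vulnerable: the request value becomes part of the SQL text verbatim,
// exactly as in the thread's resultpage.asp.
function buildVulnerable(sortby) {
  const spec = sortby ? sortby : DEFAULT_SORT;
  return "select * from personnel order by " + spec;
}

// Hardened: each requested column must be an exact member of the allow-list
// and the direction must be asc or desc; anything else is rejected. The SQL
// is then assembled from the validated tokens, so no request bytes reach it.
function buildAllowListed(sortby) {
  const spec = sortby && sortby.trim() !== "" ? sortby : DEFAULT_SORT;
  const parts = [];
  for (const item of spec.split(",")) {
    const pieces = item.trim().toLowerCase().split(":");
    if (pieces.length > 2) {
      throw new Error(`sortby: malformed item ${JSON.stringify(item)}`);
    }
    const [column, direction = "asc"] = pieces;
    if (!ALLOWED_COLUMNS.has(column)) {
      throw new Error(`sortby: unknown column ${JSON.stringify(column)}`);
    }
    if (direction !== "asc" && direction !== "desc") {
      throw new Error(`sortby: bad direction ${JSON.stringify(direction)}`);
    }
    parts.push(`${column} ${direction}`);
  }
  return "select * from personnel order by " + parts.join(", ");
}

// Constructed requests: a normal one, an empty one (falls back to the
// default), a descending sort, and the stacked-statement payload from the
// thread.
const REQUESTS = [
  "last_name,first_name",
  "",
  "hire_date:desc",
  "last_name,first_name;delete from personnel",
];

for (const sortby of REQUESTS) {
  let hardened;
  try {
    hardened = buildAllowListed(sortby);
  } catch (err) {
    hardened = "REJECTED: " + err.message;
  }
  console.log(JSON.stringify(sortby));
  console.log("  vulnerable: " + buildVulnerable(sortby));
  console.log("  hardened:   " + hardened);
}
```

Escaping quote characters would not help here: ORDER BY takes identifiers and expressions, not string literals, so the value cannot be bound as a query parameter either, and a database that refuses stacked statements will still evaluate a subquery placed after ORDER BY. Validating the request against a fixed list of column names the application owns, and rejecting anything else, is the fix; the same Select Case or Dictionary lookup works in VBScript.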
 
 
 