Velocity Reviews - Computer Hardware Reviews

request.querystring("something")(item)

magix8@gmail.com
12-26-2007
Hi,

I have a form using the GET method, for example:

index.asp?Type=1&Type=3&Type=4&....


So,
I have something like this on the receiver side to retrieve the multiple
Type values and insert them into a table.

Set QINSERT = Server.CreateObject("ADODB.Recordset")
For Each item In Request.QueryString("Type")
SQL= " INSERT INTO tblType (TypeID, UserID) VALUES ('" &
Request.QueryString("Type")(item) & Session("ID") & "')"
Set QINSERT = conn.execute(SQL)
Next


But inside the FOR statement it ends up with an Internet 500 error. What
did I do wrong? Is Request.QueryString("Type")(item) correct?

Session("ID") is OK. TypeID, UserID are correct too.

Please help to tell me what is wrong.

Regards,
magix

magix8@gmail.com
12-26-2007
On Dec 26, 11:04 am, "(E-Mail Removed)" <(E-Mail Removed)> wrote:
> Hi,
>
> I have form GET method, example:
>
> index.asp?Type=1&Type=3&Type=4&....
>
> So,
> I have something like this at the receiver side to retrieve multiple
> Type value and insert into tables.
>
>    Set QINSERT = Server.CreateObject("ADODB.Recordset")
>    For Each item In Request.QueryString("Type")
>        SQL= " INSERT INTO tblType (TypeID, UserID) VALUES ('" &
> Request.QueryString("Type")(item) & Session("ID") & "')"
>        Set QINSERT = conn.execute(SQL)
>    Next
>
> * *But within the FOR statement, it ended up Internet 500 Error. What
> did I do wrong ? Is Request.QueryString("Type")(item) correct ?
>
> Session("ID") is OK. TypeID, UserID are correct too.
>
> Please help to tell me what is wrong.
>
> Regards,
> magix



Issue resolved and closed.

Evertjan.
12-26-2007
(E-Mail Removed) wrote on 26 dec 2007 in
> (E-Mail Removed) wrote on 26 dec 2007 in
>> For Each item In Request.QueryString("Type")
>
> Issue resolved and closed.


1 Since you are not the owner of usenet,
you cannot close an issue,
even if you opened it.

2 If you resolved your programming mistake,
it would be considerate to tell others,
who have already spent time thinking about it,
how and what.

====

Doing what you did with Request.QueryString,
if done on the open web,
is very dangerous for SQL injection.

Always validate all incoming data first,
or ask Bob for that other way,
which name always escapes me,
as I never use it.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my email address)

Mike Brind
12-29-2007

"Evertjan." <(E-Mail Removed)> wrote in message
news:Xns9A126B9F17C4Ceejj99@194.109.133.242...
> (E-Mail Removed) wrote on 26 dec 2007 in
>> (E-Mail Removed) wrote on 26 dec 2007 in
>>> For Each item In Request.QueryString("Type")

>>
>> Issue resolved and closed.

>
> 1 Since you are not the owner of usenet,
> you cannot close an issue,
> even if you opened it.
>
> 2 If you resolved your programming mistake,
> it would be considerate to tell others,
> that have already spent time thinking about it,
> how and what.
>
> ====
>
> Doing what you did with Request.QueryString,
> if done on the open web,
> is very dangerous for SQL injection.
>
> Always validate all incoming data first,
> or ask Bob for that other way,
> which name always escapes me,
> as I never use it.
>


It's called parameters. And it isn't an alternative. It's as well as.
It's useful for preventing other potential problems - not just Sql
Injection.

--
Mike Brind


Evertjan.
12-29-2007
Mike Brind wrote on 29 dec 2007 in
microsoft.public.inetserver.asp.general:

>
> "Evertjan." <(E-Mail Removed)> wrote in message
> news:Xns9A126B9F17C4Ceejj99@194.109.133.242...
>> (E-Mail Removed) wrote on 26 dec 2007 in
>>> (E-Mail Removed) wrote on 26 dec 2007 in
>>>> For Each item In Request.QueryString("Type")
>>>
>>> Issue resolved and closed.

>>
>> 1 Since you are not the owner of usenet,
>> you cannot close an issue,
>> even if you opened it.
>>
>> 2 If you resolved your programming mistake,
>> it would be considerate to tell others,
>> that have already spent time thinking about it,
>> how and what.
>>
>> ====
>>
>> Doing what you did with Request.QueryString,
>> if done on the open web,
>> is very dangerous for SQL injection.
>>
>> Always validate all incoming data first,
>> or ask Bob for that other way,
>> which name always escapes me,
>> as I never use it.
>>

>
> It's called parameters.


Ah yes, I was thinking about parainches or orthoyards,
but I am glad it turns out to be metric after all.

> And it isn't an alternative. It's as well as.


That is what alternative means, though I did not use that word.

> It's useful for preventing other potential problems - not just Sql
> Injection.


Please elaborate for us.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my email address)
Mike Brind
12-31-2007

"Evertjan." <(E-Mail Removed)> wrote in message
news:Xns9A15870AA5F54eejj99@194.109.133.242...
> Mike Brind wrote on 29 dec 2007 in
> microsoft.public.inetserver.asp.general:
>
>>
>> "Evertjan." <(E-Mail Removed)> wrote in message
>> news:Xns9A126B9F17C4Ceejj99@194.109.133.242...
>>> (E-Mail Removed) wrote on 26 dec 2007 in
>>>> (E-Mail Removed) wrote on 26 dec 2007 in
>>>>> For Each item In Request.QueryString("Type")
>>>>
>>>> Issue resolved and closed.
>>>
>>> 1 Since you are not the owner of usenet,
>>> you cannot close an issue,
>>> even if you opened it.
>>>
>>> 2 If you resolved your programming mistake,
>>> it would be considerate to tell others,
>>> that have already spent time thinking about it,
>>> how and what.
>>>
>>> ====
>>>
>>> Doing what you did with Request.QueryString,
>>> if done on the open web,
>>> is very dangerous for SQL injection.
>>>
>>> Always validate all incoming data first,
>>> or ask Bob for that other way,
>>> which name always escapes me,
>>> as I never use it.
>>>

>>
>> It's called parameters.

>
> Ah yes, I was thinking about parainches or orthoyards,
> but I am glad it turns out to be metric after all.
>
>> And it isn't an alternative. It's as well as.

>
> That is what alternative means, though I did not use that word.
>
>> It's useful for preventing other potential problems - not just Sql
>> Injection.

>
> Please elaborate for us.
>


The main additional benefit is that you don't need to delimit values in
concatenated SQL strings, which removes the source of a number of errors
posted here, such as datatype mismatches and syntax errors. With
parameters, you would still perform server-side validation of values (for
range, datatype etc), but you are right - you don't need to specifically
validate against Sql injection attempts.

--
Mike Brind


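As an added example (written for this page, not code from any poster in the thread), here is the receiver side of index.asp?Type=1&Type=3&Type=4 done the way Evertjan and Mike Brind describe: each Type value is validated first, then inserted through an ADODB.Command with bound parameters instead of a concatenated SQL string. It assumes an already-open ADODB.Connection in a variable named conn, a numeric Session("ID"), and the tblType (TypeID, UserID) table from the first post; the ADO constant values are the standard ones from adovbs.inc, spelled out because no include file is referenced here. It also walks the Type collection by position (1 to Count). In the original loop, For Each hands back the values themselves, so Request.QueryString("Type")(item) passes a value such as "1" where a position is expected; my reading is that this is what produces the 500 error, but the thread never states the cause.

```vbscript
<%
Option Explicit

' Added example, not the original poster's code. Assumes: an open ADODB.Connection
' in "conn", Session("ID") holding the user's numeric id, and the table
' tblType (TypeID, UserID) from the first post in the thread.

' Standard ADO constants (values as in adovbs.inc)
Const adInteger          = 3
Const adParamInput       = 1
Const adCmdText          = 1
Const adExecuteNoRecords = 128

' Returns True only when s is a plain decimal integer such as "1" or "42".
' IsNumeric alone is too loose for this job: it also accepts "1e3", "&H1F",
' " 7 " and "1,000", none of which should reach the database as a TypeID.
Function IsPlainInteger(s)
    Dim i, c
    IsPlainInteger = False
    If Len(s) = 0 Or Len(s) > 9 Then Exit Function
    For i = 1 To Len(s)
        c = Mid(s, i, 1)
        If c < "0" Or c > "9" Then Exit Function
    Next
    IsPlainInteger = True
End Function

' Inserts one (TypeID, UserID) row through an ADODB.Command with bound
' parameters. The values never become part of the SQL text, so no quoting or
' delimiting is needed and a crafted Type value cannot change the statement.
Sub InsertType(conn, typeId, userId)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO tblType (TypeID, UserID) VALUES (?, ?)"
    cmd.Parameters.Append cmd.CreateParameter("TypeID", adInteger, adParamInput, , typeId)
    cmd.Parameters.Append cmd.CreateParameter("UserID", adInteger, adParamInput, , userId)
    cmd.Execute , , adExecuteNoRecords
    Set cmd = Nothing
End Sub

Dim i, raw, userId
userId = CLng(Session("ID"))

' Request.QueryString("Type") is a collection holding every Type= value in the
' URL. Index it by position, 1 to Count, rather than iterating it with For Each
' and then indexing by the value that For Each returned.
For i = 1 To Request.QueryString("Type").Count
    raw = Request.QueryString("Type")(i)
    If IsPlainInteger(raw) Then
        InsertType conn, CLng(raw), userId
    Else
        ' Reject rather than repair: anything that is not a plain integer is not a TypeID.
        Response.Write "Ignored invalid Type value: " & Server.HTMLEncode(raw) & "<br>"
    End If
Next
%>
```

Two things worth noticing against the original snippet. First, the range and type check happens before the value gets anywhere near the database, which is the "validate all incoming data first" half of the advice; the parameters are the "as well as" half, not a replacement for it. Second, the original concatenation produced a single quoted literal from the Type value and Session("ID") run together, and with parameters that whole class of delimiting mistake (Mike Brind's "datatype mismatches and syntax errors") simply has nowhere to occur: each value is handed to the provider as a typed parameter and the statement text never changes.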