Alternative of PHP Function "Unset" in ASP

fasanay

Hi everybody, I have got the following PHP code which I am trying to convert to
ASP. Any help will be appreciated... I have done most of it but I can't find a
replace function for Unset in ASP which will discard the variable altogether...


if ($categoryid == "all")
{
    $sql = "SELECT * FROM products where shopinspection=$shopinspection";
    unset($HTTP_POST_VARS['categoryid']);
    unset($HTTP_POST_VARS['shopinspection']);
}
else
{
    $sql = "SELECT * FROM products where categoryid = $categoryid";
    unset($HTTP_POST_VARS['categoryid']);
}
unset($HTTP_POST_VARS['Submit']);
while (list($key, $value) = each($HTTP_POST_VARS))
{
    if ($value != "" )
    {
        $sql = $sql .=" AND $key=$value";
        //$sql = $sql .=" AND solesource = $solesource";
        //echo "<strong>$value</strong>";
    }
}
 
Karl Seguin

I take it you are talking about ASP.Net...you won't be able to unset
Request.Param values in ASP.Net since these values are in a readonly
collection. From the brief code you've shown, I take it you want to
"unset" these values because you are looping through the collection and
don't want them to show up in your dump. You'll have to create a string[]
of keys you don't want and as you are looping through the collection, make
sure the key isn't in your string[].


Karl
 
fasanay

Thanks Karl, but can you give me an example of how to do it? I am including my ASP
code, which I somehow made, but it is not working... Thanks again for your
help...

if categoryid = "all" Then
    sql = "SELECT * FROM products where shopinspection= "& shopinspection &""
Else
    sql = "SELECT * FROM products where "
End If

For x = 1 To (formcount - 1)
    If Request.Form.item(x) <> "" Then
        sql = sql & Request.Form.Key(x) &"="& Request.Form.Item(x) &""
        sql = sql & " And "
    End If
Next




 
Karl Seguin

I'm considered that you are talking about ASP and not ASP.Net (even though
you posted to the ASP.Net newsgroup). Anyways, you'll want to do something
like:


Dim exclude() As String = {"categoryid", "shopinspection", "Submit"}
' The form collection is zero-based, so the last valid index is Count - 1
For i As Integer = 0 To Request.Form.Count - 1
    Dim key As String = Request.Form.GetKey(i)
    ' Skip the keys listed in exclude
    If Not ItemExistsInArray(key, exclude) Then
        sql = sql & key & "=" & Request.Form(i) & ""
        sql = sql & " And "
    End If
Next


' Returns True if item matches any element of array (case-insensitive)
Private Function ItemExistsInArray(ByVal item As String, ByVal array() As String) As Boolean
    For i As Integer = 0 To array.Length - 1
        If String.Compare(item, array(i), True) = 0 Then
            Return True
        End If
    Next
    Return False
End Function


If this is ASP.Net, you will need to add items to the exclude array, such as
__VIEWSTATE and the other hidden fields asp.net adds.

Karl

--
MY ASP.Net tutorials
http://www.openmymind.net/


 
Guest

If this php code is production code you need to immediately fix a HUGE
security hole in it! NEVER, EVER, EVER blindly take user input and create
dynamic sql with it! Look up sql injection attacks for more information on
this. The short story is that I can send you a parameter like " 1; DROP
TABLE someTable -- ". This makes your sql look like "SELECT * FROM products
where shopinspection= 1; DROP TABLE someTable --and foo=bar" the -- at the
end comments everything else out so that no errors are even thrown. You need
to fix this immediately. Also, it's considered bad form to just loop through
every parameter passed in, you should only read parameters you are expecting.
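
The approach described in the post above (read only the parameters you expect, and never splice their values into the SQL text), sketched for the ASP.NET port as an added example that is not code from any poster in this thread. The module and function names are hypothetical, and the integer column types are an assumption based on the unquoted values in the original PHP.

```vbnet
Imports System.Collections.Generic
Imports System.Collections.Specialized
Imports System.Data
Imports System.Data.SqlClient

Public Module ProductSearch
    ' Expected form fields and their column types. The names are the ones used
    ' in the thread's PHP; the Int type is an assumption.
    Private ReadOnly Allowed As New Dictionary(Of String, SqlDbType)(StringComparer.OrdinalIgnoreCase) From {
        {"categoryid", SqlDbType.Int},
        {"shopinspection", SqlDbType.Int},
        {"solesource", SqlDbType.Int}
    }

    ' Builds the search command from posted fields (for example Request.Form).
    Public Function BuildProductQuery(ByVal form As NameValueCollection) As SqlCommand
        Dim cmd As New SqlCommand()
        Dim clauses As New List(Of String)()

        ' Iterate over the allowlist, not over the request: Submit, __VIEWSTATE
        ' and any unexpected key are never looked at.
        For Each field As KeyValuePair(Of String, SqlDbType) In Allowed
            Dim raw As String = form(field.Key)
            If String.IsNullOrEmpty(raw) Then Continue For
            ' categoryid = "all" means no category filter, as in the original code
            If field.Key = "categoryid" AndAlso
               String.Equals(raw, "all", StringComparison.OrdinalIgnoreCase) Then Continue For

            Dim number As Integer
            If Not Integer.TryParse(raw, number) Then
                Throw New ArgumentException("Invalid value for " & field.Key)
            End If

            ' The column name comes from the allowlist, never from the request;
            ' the value travels as a bound parameter, not as SQL text.
            clauses.Add(field.Key & " = @" & field.Key)
            cmd.Parameters.Add("@" & field.Key, field.Value).Value = number
        Next

        cmd.CommandText = "SELECT * FROM products"
        If clauses.Count > 0 Then
            cmd.CommandText &= " WHERE " & String.Join(" AND ", clauses.ToArray())
        End If
        Return cmd
    End Function
End Module
```

With a posted value such as the "1; DROP TABLE someTable --" string from the post, Integer.TryParse fails and the request is rejected before any SQL is built.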
 
Ryan Walberg, MCSD for .NET

Scott said:
If this php code is production code you need to immediately fix a HUGE
security hole in it! NEVER, EVER, EVER blindly take user input and create
dynamic sql with it! Look up sql injection attacks for more information on
this. The short story is that I can send you a parameter like " 1; DROP
TABLE someTable -- ". This makes your sql look like "SELECT * FROM products
where shopinspection= 1; DROP TABLE someTable --and foo=bar" the -- at the
end comments everything else out so that no errors are even thrown. You need
to fix this immediately. Also, it's considered bad form to just loop through
every parameter passed in, you should only read parameters you are expecting.

Scott, PHP has by default "magic quoting" which automagically escapes
strings in request variables. So it's safe, to some extent.

Sorry to disappoint!
 
Guest

This is still something that they need to look at if they are porting to asp
or asp.net. Also, that's still pretty stupid to just blindly loop through
the query string and tack it onto a sql query.
 
Ryan Walberg, MCSD for .NET

Scott said:
This is still something that they need to look at if they are porting to asp
or asp.net. Also, that's still pretty stupid to just blindly loop through
the query string and tack it onto a sql query.

I don't dispute that. I don't like magic_quotes either but it's the way
life is.
 
