passing values through url

gerryR

Hi All

I have a simple aspx page (VB) that pulls info out of an Excel sheet. I'm
trying to pass a condition through a link to narrow down the results.
Basically we have 4 areas and rather than have 4 separate pages I'd like to
have 4 links instead.

At the minute my link is

contacts.aspx?area=north

But my problem is how do I get that area into my SQL statement.

I've tried creating a function in my code behind to return the area

' Returns the raw ?area= value from the query string (declared As String
' so it compiles under Option Strict)
Function passCondition() As String
    Dim link As String
    link = Request.QueryString("area")
    Return link
End Function

And then pass that function into my SQL command in the asp page

SelectCommand="SELECT * FROM [range] Where Province=passCondition()"

But all to no avail, I've tried multiple variations of that and several
alternatives but nothing.

As you can probably tell I'm fairly new to all this so really appreciate a point
in the right direction.

Many thanks
gR

Paul Shapiro

gerryR said:
I have a simple aspx page (VB) that pulls info out of an Excel sheet. I'm
trying to pass a condition through a link to narrow down the results.
Basically we have 4 areas and rather than have 4 separate pages I'd like
to have 4 links instead.

At the minute my link is

contacts.aspx?area=north

But my problem is how do I get that area into my SQL statement.

I've tried creating a function in my code behind to return the area

' Returns the raw ?area= value from the query string (declared As String
' so it compiles under Option Strict)
Function passCondition() As String
    Dim link As String
    link = Request.QueryString("area")
    Return link
End Function

And then pass that function into my SQL command in the asp page

SelectCommand="SELECT * FROM [range] Where Province=passCondition()"

But all to no avail, I've tried multiple variations of that and several
alternatives but nothing.

If you look at your SelectCommand in the debugger you'll see that the text
is exactly as you show it above, with passCondition() as literal text. You
need to concatenate your condition, and include the text delimiters:
SelectCommand="SELECT * FROM [range] Where Province='" + passCondition() + "'"

You should also lookup command parameters, because concatenating free text
into a sql statement opens your application to serious sql injection
security vulnerabilities.

Mr. Arnold

gerryR said:
Hi All

I have a simple aspx page (VB) that pulls info out of an Excel sheet. I'm
trying to pass a condition through a link to narrow down the results.
Basically we have 4 areas and rather than have 4 separate pages I'd like to
have 4 links instead.

At the minute my link is

contacts.aspx?area=north

But my problem is how do I get that area into my SQL statement.

I've tried creating a function in my code behind to return the area

' Returns the raw ?area= value from the query string (declared As String
' so it compiles under Option Strict)
Function passCondition() As String
    Dim link As String
    link = Request.QueryString("area")
    Return link
End Function

And then pass that function into my SQL command in the asp page

SelectCommand="SELECT * FROM [range] Where Province=passCondition()"

But all to no avail, I've tried multiple variations of that and several
alternatives but nothing.

As you can probably tell I'm fairly new to all this so really appreciate a point
in the right direction.

Many thanks
gR

Why don't you do this?

private dim link as string at the top of the class.

In the page_load method, you do the Querystring to set "link" to the
queried value.

Then just use the "link" variable which can be seen by all methods of
the class.

gerryR

Thanks all, ended up adding a query string parameter to the SQL command.

Thanks again for the help
gR

gerryR

Paul Shapiro said:
gerryR said:
I have a simple aspx page (VB) that pulls info out of an Excel sheet.
I'm trying to pass a condition through a link to narrow down the results.
Basically we have 4 areas and rather than have 4 separate pages I'd like
to have 4 links instead.

At the minute my link is

contacts.aspx?area=north

But my problem is how do I get that area into my SQL statement.

I've tried creating a function in my code behind to return the area

' Returns the raw ?area= value from the query string (declared As String
' so it compiles under Option Strict)
Function passCondition() As String
    Dim link As String
    link = Request.QueryString("area")
    Return link
End Function

And then pass that function into my SQL command in the asp page

SelectCommand="SELECT * FROM [range] Where Province=passCondition()"

But all to no avail, I've tried multiple variations of that and several
alternatives but nothing.

If you look at your SelectCommand in the debugger you'll see that the text
is exactly as you show it above, with passCondition() as literal text. You
need to concatenate your condition, and include the text delimiters:
SelectCommand="SELECT * FROM [range] Where Province='" + passCondition() + "'"

You should also lookup command parameters, because concatenating free text
into a sql statement opens your application to serious sql injection
security vulnerabilities.

Hi Paul

Just on your point about the SQL injection security issue, are the chances of
this also increased when using plain text in your SQL statements, or is this
particular issue only related to concatenating?

I ask as they are now looking for 4 separate pages, so if plain text isn't a
problem I'll just use

SELECT * FROM [range] Where Province="north"
SELECT * FROM [range] Where Province="south"
etc

Or am I still better to use parameters

SELECT * FROM [range] Where Province=@province

Many thanks
gR

Andy O'Neill

gerryR said:
Or am I still better to use parameters

SELECT * FROM [range] Where Province=@province
Always use parameters or linq - which uses parameters in the sql it
generates.
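An added example, not code from anyone in this thread, to show concretely what Paul's injection warning and Andy's "always use parameters" mean, and to answer gerryR's question about plain text: a hard-coded literal such as Province="north" contains no user input and cannot be injected into; the risk appears the moment a value from ?area= is spliced into the SQL text. It uses Python and SQLite as a stand-in for the ASPX page and the Excel sheet (the sample rows, the [range] table layout and the four area names are constructed assumptions), and runs the same WHERE clause three ways: concatenated as in Paul's first suggestion, bound as a parameter, and bound as a parameter after an allow-list check, because a page with exactly four areas has no reason to pass anything else to the database. In ASP.NET the parameterised form is a QueryStringParameter in the SqlDataSource's SelectParameters bound to @province.

```python
import sqlite3

# Constructed stand-in for the Excel sheet on the page (assumption): a table
# named [range] with a Province column, one contact per area.
SAMPLE_ROWS = [
    ("Alice", "north"),
    ("Bob", "south"),
    ("Carol", "east"),
    ("Dave", "west"),
]

# The thread mentions exactly four areas, so the value from ?area= can be
# checked against a fixed allow-list before it goes anywhere near SQL.
KNOWN_AREAS = frozenset({"north", "south", "east", "west"})


def open_db():
    """Build an in-memory SQLite copy of the sheet. SQLite accepts the
    [range] bracket quoting used on the page, so the queries read the same."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE [range] (Name TEXT, Province TEXT)")
    conn.executemany("INSERT INTO [range] VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def contacts_concat(conn, area):
    """The concatenation from the thread: the query-string value becomes
    part of the SQL text, so a quote inside it rewrites the statement."""
    sql = "SELECT Name FROM [range] WHERE Province='" + area + "'"
    return [row[0] for row in conn.execute(sql)]


def contacts_param(conn, area):
    """Parameterised form (Province=@province in the thread; ? in SQLite):
    the driver binds the value, so it is never parsed as SQL."""
    sql = "SELECT Name FROM [range] WHERE Province=?"
    return [row[0] for row in conn.execute(sql, (area,))]


def area_is_allowed(area):
    """Allow-list check for the four areas the page describes."""
    return area in KNOWN_AREAS


def contacts_allowlisted(conn, area):
    """Parameters plus the allow-list: anything that is not one of the four
    areas is rejected outright instead of being sent to the database."""
    if not area_is_allowed(area):
        raise ValueError(f"unknown area: {area!r}")
    return contacts_param(conn, area)


def demo():
    """Run each variant against a normal value and a hostile one; returns a
    dict so the outcomes can be inspected or asserted on."""
    conn = open_db()
    hostile = "north' OR '1'='1"  # constructed value for contacts.aspx?area=
    try:
        contacts_allowlisted(conn, hostile)
        allowlist_rejected = False
    except ValueError:
        allowlist_rejected = True
    return {
        "concat_normal": contacts_concat(conn, "north"),
        "concat_hostile": contacts_concat(conn, hostile),  # every row leaks
        "param_normal": contacts_param(conn, "north"),
        "param_hostile": contacts_param(conn, hostile),    # matches nothing
        "allowlist_rejected": allowlist_rejected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the hostile value the concatenated query becomes SELECT Name FROM [range] WHERE Province='north' OR '1'='1' and returns every contact, while the parameterised query looks for a province literally named north' OR '1'='1 and returns nothing. The allow-list is the extra check worth keeping even with parameters: it stops unexpected input before a query is built at all, and on a page with four fixed areas it costs nothing.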
 
