request.querystring("something")(item)

Discussion in 'ASP General' started by magix8@gmail.com, Dec 26, 2007.

  1. Guest

    Hi,

    I have a form using the GET method, for example:

    index.asp?Type=1&Type=3&Type=4&....


    So, I have something like this on the receiving side to retrieve the
    multiple Type values and insert them into a table.

    Set QINSERT = Server.CreateObject("ADODB.Recordset")
    For Each item In Request.QueryString("Type")
        SQL = " INSERT INTO tblType (TypeID, UserID) VALUES ('" & _
              Request.QueryString("Type")(item) & Session("ID") & "')"
        Set QINSERT = conn.execute(SQL)
    Next


    But within the FOR statement it ends up with a 500 error. What did I
    do wrong? Is Request.QueryString("Type")(item) correct?

    Session("ID") is OK. TypeID, UserID are correct too.

    Please help to tell me what is wrong.

    Regards,
    magix
     
    , Dec 26, 2007
    #1

  2. Guest

    On Dec 26, 11:04 am, "" <> wrote:
    > Hi,
    >
    > I have form GET method, example:
    >
    > index.asp?Type=1&Type=3&Type=4&....
    >
    > So,
    > I have something like this at the receiver side to retrieve multiple
    > Type value and insert into tables.
    >
    >    Set QINSERT = Server.CreateObject("ADODB.Recordset")
    >    For Each item In Request.QueryString("Type")
    >        SQL= " INSERT INTO tblType (TypeID, UserID) VALUES ('" &
    >              Request.QueryString("Type")(item) & Session("ID") & "')"
    >        Set QINSERT = conn.execute(SQL)
    >    Next
    >
    >    But within the FOR statement, it ended up Internet 500 Error. What
    > did I do wrong ? Is Request.QueryString("Type")(item) correct ?
    >
    > Session("ID") is OK. TypeID, UserID are correct too.
    >
    > Please help to tell me what is wrong.
    >
    > Regards,
    > magix



    Issue resolved and closed.
     
    , Dec 26, 2007
    #2

  3. Evertjan. Guest

    wrote on 26 dec 2007 in
    > wrote on 26 dec 2007 in
    >> For Each item In Request.QueryString("Type")

    >
    > Issue resolved and closed.


    1 Since you are not the owner of usenet,
    you cannot close an issue,
    even if you opened it.

    2 If you resolved your programming mistake,
    it would be considerate to tell others,
    that have already spent time thinking about it,
    how and what.

    ====

    Doing what you did with Request.QueryString,
    if done on the open web,
    is very dangerous for SQL injection.

    Always validate all incoming data first,
    or ask Bob for that other way,
    which name always escapes me,
    as I never use it.

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Dec 26, 2007
    #3
  4. Mike Brind Guest

    "Evertjan." <> wrote in message
    news:Xns9A126B9F17C4Ceejj99@194.109.133.242...
    > wrote on 26 dec 2007 in
    >> wrote on 26 dec 2007 in
    >>> For Each item In Request.QueryString("Type")

    >>
    >> Issue resolved and closed.

    >
    > 1 Since you are not the owner of usenet,
    > you cannot close an issue,
    > even if you opened it.
    >
    > 2 If you resolved your programming mistake,
    > it would be considerate to tell others,
    > that have already spent time thinking about it,
    > how and what.
    >
    > ====
    >
    > Doing what you did with Request.QueryString,
    > if done on the open web,
    > is very dangerous for SQL injection.
    >
    > Always validate all incoming data first,
    > or ask Bob for that other way,
    > which name always escapes me,
    > as I never use it.
    >


    It's called parameters. And it isn't an alternative. It's as well as.
    It's useful for preventing other potential problems - not just Sql
    Injection.

    --
    Mike Brind
     
    Mike Brind, Dec 29, 2007
    #4
  5. Evertjan. Guest

    Mike Brind wrote on 29 dec 2007 in
    microsoft.public.inetserver.asp.general:

    >
    > "Evertjan." <> wrote in message
    > news:Xns9A126B9F17C4Ceejj99@194.109.133.242...
    >> wrote on 26 dec 2007 in
    >>> wrote on 26 dec 2007 in
    >>>> For Each item In Request.QueryString("Type")
    >>>
    >>> Issue resolved and closed.

    >>
    >> 1 Since you are not the owner of usenet,
    >> you cannot close an issue,
    >> even if you opened it.
    >>
    >> 2 If you resolved your programming mistake,
    >> it would be considerate to tell others,
    >> that have already spent time thinking about it,
    >> how and what.
    >>
    >> ====
    >>
    >> Doing what you did with Request.QueryString,
    >> if done on the open web,
    >> is very dangerous for SQL injection.
    >>
    >> Always validate all incoming data first,
    >> or ask Bob for that other way,
    >> which name always escapes me,
    >> as I never use it.
    >>

    >
    > It's called parameters.


    Ah yes, I was thinking about parainches or orthoyards,
    but I am glad it turns out to be metric after all.

    > And it isn't an alternative. It's as well as.


    That is what alternative means, though I did not use that word.

    > It's useful for preventing other potential problems - not just Sql
    > Injection.


    Please elaborate for us.

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Dec 29, 2007
    #5
  6. Mike Brind Guest

    "Evertjan." <> wrote in message
    news:Xns9A15870AA5F54eejj99@194.109.133.242...
    > Mike Brind wrote on 29 dec 2007 in
    > microsoft.public.inetserver.asp.general:
    >
    >>
    >> "Evertjan." <> wrote in message
    >> news:Xns9A126B9F17C4Ceejj99@194.109.133.242...
    >>> wrote on 26 dec 2007 in
    >>>> wrote on 26 dec 2007 in
    >>>>> For Each item In Request.QueryString("Type")
    >>>>
    >>>> Issue resolved and closed.
    >>>
    >>> 1 Since you are not the owner of usenet,
    >>> you cannot close an issue,
    >>> even if you opened it.
    >>>
    >>> 2 If you resolved your programming mistake,
    >>> it would be considerate to tell others,
    >>> that have already spent time thinking about it,
    >>> how and what.
    >>>
    >>> ====
    >>>
    >>> Doing what you did with Request.QueryString,
    >>> if done on the open web,
    >>> is very dangerous for SQL injection.
    >>>
    >>> Always validate all incoming data first,
    >>> or ask Bob for that other way,
    >>> which name always escapes me,
    >>> as I never use it.
    >>>

    >>
    >> It's called parameters.

    >
    > Ah yes, I was thinking about parainches or orthoyards,
    > but I am glad it turns out to be metric after all.
    >
    >> And it isn't an alternative. It's as well as.

    >
    > That is what alternative means, though I did not use that word.
    >
    >> It's useful for preventing other potential problems - not just Sql
    >> Injection.

    >
    > Please elaborate for us.
    >


    The main additional benefit is that you don't need to delimit values in
    concatenated SQL strings, which removes the source of a number of errors
    posted here, such as datatype mismatches and syntax errors. With
    parameters, you would still perform server-side validation of values (for
    range, datatype etc), but you are right - you don't need to specifically
    validate against Sql injection attempts.

    --
    Mike Brind
     
    Mike Brind, Dec 31, 2007
    #6
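    Pulling the thread together, an added example that is not any poster's code: the loop over the repeated Type values written correctly (the poster's For Each already yields the values themselves, so indexing the collection again with item is what fails), feeding an ADODB.Command with parameters as Mike Brind describes. It assumes conn is an open ADODB.Connection, Session("ID") holds an integer user id, and TypeID and UserID are integer columns in tblType.

    ```vbscript
    ' Added example (not the poster's code). Assumptions: conn is an open
    ' ADODB.Connection; Session("ID") is an integer user id; tblType has
    ' integer columns TypeID and UserID.
    Dim cmd, types, i, typeValue, userId

    ' Request.QueryString("Type") is the whole list of Type=... values.
    ' It exposes Count and 1-based indexed access; For Each over it yields
    ' the values, not indexes, which is why Request.QueryString("Type")(item)
    ' in the original post breaks.
    Set types = Request.QueryString("Type")

    ' Validate the session value first (range/datatype), then reuse it.
    userId = CLng(Session("ID"))

    ' One prepared INSERT with two placeholders; no quoting or delimiting
    ' of values in the SQL text, so no injection and no syntax/datatype
    ' errors from a stray quote or a non-numeric value.
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1                     ' adCmdText
    cmd.CommandText = "INSERT INTO tblType (TypeID, UserID) VALUES (?, ?)"
    ' CreateParameter(name, type, direction): 3 = adInteger, 1 = adParamInput
    cmd.Parameters.Append cmd.CreateParameter("@TypeID", 3, 1)
    cmd.Parameters.Append cmd.CreateParameter("@UserID", 3, 1)
    cmd.Parameters("@UserID").Value = userId

    For i = 1 To types.Count
        typeValue = Trim(types(i))
        ' Server-side validation still applies: only short positive integers
        ' are accepted; everything else is silently skipped here.
        If IsNumeric(typeValue) And Len(typeValue) <= 9 Then
            If CLng(typeValue) > 0 Then
                cmd.Parameters("@TypeID").Value = CLng(typeValue)
                cmd.Execute , , 128         ' adExecuteNoRecords
            End If
        End If
    Next
    ```

    A request such as index.asp?Type=1&Type=3&Type=4 therefore produces three parameterised inserts, while a value like Type=1'%20OR%20'1'='1 never reaches the database because it fails the numeric check and, even if it did, would be bound as data rather than spliced into SQL text.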