4

I am working in ASP.NET VB and I am trying to get a variable from the URL and pass it into the select statement of my SQL data source. So far I have this and it doesn't work in ASP.NET.

    <%Dim PersonNumId as String
    PersonNumID = Request.QueryString("Person")
    Dim PersonNum2
    PersonNum2 = Convert.ToInt32(PersonNumID)%>
    <asp:SqlDataSource (other information required) SelectCommand="Select Name From Interests Where ID=@PersonNumID"  />
    <SelectParameters><asp:QueryStringParameter DefaultValue="<%=PersonNum2%>" DbType=Int32/></SelectParameters>

I have tried several different ways of converting it, but I need the end result to be that the variable in the query statement is an int. I am new to this, so any advice would be greatly appreciated!

Greesemonkey3

2 Answers

4

The answer ended up being simple (for someone that knows ASP.NET). Under the <asp:SqlDataSource><SelectParameters> there is an option for <asp:QueryStringParameter>; you can enter the field that you want to query under QueryStringField and I think it automatically converts or parses it to the type you want. I had this in my question but I didn't know what it actually did. I only used the QueryStringParameter because I saw it in an example somewhere else. So this is what I ended up getting.

    <asp:SqlDataSource (other information required) SelectCommand="Select Name From Interests Where ID=@PersonNum">
        <SelectParameters>
            <asp:QueryStringParameter Name="PersonNum" QueryStringField="Person" DbType="Int32"/>
        </SelectParameters>
    </asp:SqlDataSource>
bds89
Greesemonkey3
2

In code-behind you can try:

    SqlDataSource1.SelectCommand = "Select * from notes where ID=" + Request.QueryString["ID"];

Please use best practices to protect yourself from SQL injection.

highwingers
  • I would strongly suggest you do not do this! Think about SQL injection. – Hanlet Escaño Dec 05 '12 at 23:29
  • That was a sample/solution only; of course, clean your querystring values before passing them to the actual SQL statement. I just provided a possible solution. – highwingers Dec 05 '12 at 23:48
  • Ok, I was just saying in case the OP decided to go with your solution :) – Hanlet Escaño Dec 05 '12 at 23:49
  • So is there a simple way to clean the string? I read more into SQL injection and found out that converting the variable to a parameter works best, but I don't know how to do that in the code-behind file – Greesemonkey3 Dec 07 '12 at 14:36
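For the last comment, here is an added example (not code from anyone in this thread) of doing the parameterised version in the VB code-behind that the question uses, instead of concatenating the query string into the SQL text. SqlDataSource1 is the control ID from the answer above and the Person query-string key and Interests table come from the question; the class name PersonInterests is assumed.

```vb
' Code-behind (e.g. PersonInterests.aspx.vb) for a page that declares
'   <asp:SqlDataSource ID="SqlDataSource1" runat="server" ... />
' The class name PersonInterests is an assumption for this example.
Imports System
Imports System.Data
Imports System.Web.UI.WebControls

Partial Class PersonInterests
    Inherits System.Web.UI.Page

    ' Build the typed parameter from the query string. A missing or
    ' non-numeric value leaves DefaultValue empty; because
    ' ConvertEmptyStringToNull is True by default, that is sent as
    ' DBNull, so "WHERE ID = @PersonNum" matches no rows (fail closed).
    Private Function BuildPersonParameter() As Parameter
        Dim p As New Parameter("PersonNum", DbType.Int32)
        Dim personId As Integer
        If Integer.TryParse(Request.QueryString("Person"), personId) Then
            p.DefaultValue = personId.ToString()
        End If
        Return p
    End Function

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        ' The value travels to SQL Server as a typed parameter, never as part
        ' of the statement text, so it cannot change the query's structure.
        SqlDataSource1.SelectCommand = "SELECT Name FROM Interests WHERE ID = @PersonNum"
        SqlDataSource1.SelectParameters.Clear()
        SqlDataSource1.SelectParameters.Add(BuildPersonParameter())
    End Sub
End Class
```

Integer.TryParse is the only validation needed here because the DbType.Int32 parameter rejects anything that is not an integer at the data layer as well.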