0

I have the following URL: http://localhost:52416/Controls/Support_Survey.aspx?GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9

I need to get the GUID from the URL as variable and pass it in the following stored procedure:

database.InsertUpdate(String.Format("CALL spSurveyAnswer_Insert('{0}', '{1}','{2}');", selectValue1, txtFeedBack.Text, PassGUID_HERE));

Any idea please?

Thanks in advance

Ismail Saifo
    Eeekk... SQL Injection alert! :-) Use parameters for a start! Then something like `Request.Querystring["GUID"]` – Belogix Jul 29 '13 at 15:01
  • you could just count 36 characters backwards from the end and convert that to a guid, if you can be sure it's always at the end/same format – Jonesopolis Jul 29 '13 at 15:04
  • 7
    @Jonesy That's a terrible idea. Please, don't do that, ever. – cadrell0 Jul 29 '13 at 15:06
  • 1
    How about a simple `split` function call on the `URL`? The question is: will you always have one `?` in the URL? If so, then 2 lines of code can fix your problem in regards to returning the `GUID` as a param. Let me know if you would like to see a simple example – MethodMan Jul 29 '13 at 15:16
  • @DJKRAZE: There's built in functions to get parameters out of the query string... – Colin DeClue Jul 29 '13 at 16:06

5 Answers

6

Here's how I would recommend you do it:

using System.Data;           // CommandType
using System.Data.SqlClient; // SqlConnection, SqlCommand

var requestGuid = Request.Params["GUID"];

// The parameter may simply be absent from the URL
if (string.IsNullOrEmpty(requestGuid))
{
    throw new InvalidOperationException("The request GUID is missing from the URL");
}

Guid guid;

// ...or present but not a well-formed GUID; TryParse rejects it without throwing
if (!Guid.TryParse(requestGuid, out guid))
{
    throw new InvalidOperationException("The request GUID in the URL is not correctly formatted");
}

using (var connection = new SqlConnection("connection_string"))
{
    using (var command = new SqlCommand("spSurveyAnswer_Insert", connection))
    {
        command.CommandType = CommandType.StoredProcedure;
        // Values travel as typed parameters, never as part of the SQL text
        command.Parameters.AddWithValue("firstParamName", selectValue1);
        command.Parameters.AddWithValue("feedbackParamName", txtFeedBack.Text);
        command.Parameters.AddWithValue("guidParamName", guid);

        command.Connection.Open();
        command.ExecuteNonQuery();
    }
}

You can't guarantee that the GUID will be in the URL OR be a valid GUID, so be defensive and check for both! Then use parameterised queries to help prevent SQL injection. Since you are calling a stored procedure, you can still have SQL injection if you misuse the parameter values inside the proc, so you need to write that carefully too. Finally, also dispose of disposable resources properly.

Trevor Pilley
3

You should use the Request's Params or QueryString (see their documentation to understand the difference) to get the GUID, and for security reasons you should use parameters in all SQL commands and queries, instead of string concatenation/formatting. I'm using the simplified syntax allowed by CommandType.StoredProcedure. The parameter names ("firstParamName", etc.) should match the actual parameter names declared in your stored procedure.

Guid myGuid = new Guid(Request.Params["GUID"]);

using (SqlConnection conn = // get connection)
using (SqlCommand command = new SqlCommand("spSurveyAnswer_Insert", conn))
{
    conn.Open();
    command.CommandType = CommandType.StoredProcedure;

    command.Parameters.AddWithValue("firstParamName", selectValue1);
    command.Parameters.AddWithValue("feedbackParamName", txtFeedBack.Text);
    command.Parameters.AddWithValue("guidParamName", myGuid);

    command.ExecuteNonQuery();
}

Tim S.
0

This should do it:

Guid myGuid = new Guid(Request.Params["GUID"]);

Casting it as an actual Guid will prevent a SQL injection attack too.

CurlyPaul
  • 2
    Based on the code in the question, that alone is not enough to prevent SQL injection – bengoesboom Jul 29 '13 at 15:07
  • @bengoesboom but it would prevent SQL from being injected from the GUID variable in the query string, wouldn't it? He does not note where the values from the other parts of the SQL string come from – CurlyPaul Jul 29 '13 at 16:30
0
using System.Linq; // for .Last()

string url = "http://localhost:52416/Controls/Support_Survey.aspx?GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9";
string lastPart = url.Split('?').Last().Replace("GUID=", string.Empty);

Your code is prone to SQL Injection, so use the SqlCommand.Parameters Property

// your SQL command, with placeholders instead of String.Format'ed values
SqlCommand command = new SqlCommand(
    "CALL spSurveyAnswer_Insert(@selectValue1, @txtFeedBack, @PassGUID_HERE);", connection);

command.Parameters.AddWithValue("@selectValue1", selectValue1);
command.Parameters.AddWithValue("@txtFeedBack", txtFeedBack.Text);
command.Parameters.AddWithValue("@PassGUID_HERE", lastPart);

Praveen
  • `command.Parameters.Add` syntax should be `command.Parameters.AddWithValue` instead if you are wanting to use your answer – MethodMan Jul 29 '13 at 15:09
  • Use Request.QueryString too, don't parse the url yourself! you'll end up with `GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9` instead of `4aa4caca-f5cb-11e2-b582-635fb56c00b9` – Trevor Pilley Jul 29 '13 at 15:13
  • @TrevorPilley Right. But I've used `.Replace("GUID=",string.Empty);` to get rid of `GUID=`. Thanks for pointing it out. – Praveen Jul 29 '13 at 15:15
  • @DJKRAZE Thanks for mentioning it. – Praveen Jul 29 '13 at 15:16
  • 1
    @user1671639 which will only work until someone decides that they need another value in the url and it becomes `GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9&Foo=Bar` at which point your code breaks again! – Trevor Pilley Jul 29 '13 at 15:18
  • @TrevorPilley Thanks a lot. Really, I didn't think of that. Thank you once again for the insight. – Praveen Jul 29 '13 at 15:24
  • 1
    `user1671639` in order for your answer to work if you are not understanding why someone downvoted your answer, you would need to create the StoredProcedure on the Server and call the stored procedure based on your Sql Command, Command Type `i.e StoredProcedure`, and adding Parameters.. look at Tim's example very straight forward as well as a good learning tool – MethodMan Jul 29 '13 at 15:24
  • @DJKRAZE,Trevor Pilley Feeling very bad on myself for missing quite important things. Thanks for pointing the reason and directing to the right path. To be frank, I'm not worried of getting downvotes sir, a chance to express my thoughts so that someone like you there to guide me. Thanks a lot :). Will delete this. – Praveen Jul 29 '13 at 15:32
  • The question asks how to pass part of a URL, so when my answer as well gets downvoted I believe that those whom downvote don't even read the question let alone what comments others put in their answer.. for example if the OP wants part then parting out something immediately in my mind I would think about `string.Split` function..lol – MethodMan Jul 29 '13 at 15:36
-1
Uri url = new Uri("http://localhost:52416/Controls/Support_Survey.aspx?GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9");

string query = url.Query; // query is now "?GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9" (Uri.Query keeps the leading '?')

string guidStr = query.Replace("?GUID=", "");
Guid guid = new Guid(guidStr);

Dave Swersky
  • 1
    which will only work until someone decides that they need another value in the url and it becomes `GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9&Foo=Bar` at which point your code breaks... – Trevor Pilley Jul 29 '13 at 15:29
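
Pulling together the defensive checks from Trevor Pilley's answer and the `&Foo=Bar` failure raised in the comments on the last two answers, here is an added example (not code from any answer on this page) that extracts the GUID with the framework's query-string parser instead of Split/Replace and accepts only a well-formed GUID. The helper name `QueryGuid.TryGetGuid` and the sample URLs are this example's own constructions.

```csharp
// Added example, not from the original page: extract a named GUID from a request URL
// without hand-parsing the query string, rejecting the cases the comments warn about:
// missing parameter, malformed value, and extra parameters such as "&Foo=Bar".
using System;
using System.Web; // HttpUtility.ParseQueryString (System.Web.HttpUtility on .NET Core/.NET 5+)

static class QueryGuid
{
    // Returns true (and the parsed value) only when a "D"-format GUID
    // (8-4-4-4-12 hex digits) is present under the given parameter name.
    public static bool TryGetGuid(Uri url, string name, out Guid guid)
    {
        guid = Guid.Empty;
        // ParseQueryString strips the leading '?', splits on '&' and URL-decodes values,
        // so parameter order and additional parameters do not matter.
        var query = HttpUtility.ParseQueryString(url.Query);
        string raw = query[name]; // null when the parameter is absent
        if (string.IsNullOrWhiteSpace(raw))
            return false;
        // TryParseExact("D") refuses braces, stray characters and trailing text that
        // the more permissive Guid.TryParse / new Guid(...) might accept.
        return Guid.TryParseExact(raw.Trim(), "D", out guid);
    }

    static void Main()
    {
        // Constructed sample URLs based on the one in the question
        string[] samples =
        {
            "http://localhost:52416/Controls/Support_Survey.aspx?GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9",
            "http://localhost:52416/Controls/Support_Survey.aspx?GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9&Foo=Bar",
            "http://localhost:52416/Controls/Support_Survey.aspx?Foo=Bar&GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9",
            "http://localhost:52416/Controls/Support_Survey.aspx",                                     // missing
            "http://localhost:52416/Controls/Support_Survey.aspx?GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9%27", // tampered: trailing quote
        };
        foreach (string s in samples)
        {
            bool ok = TryGetGuid(new Uri(s), "GUID", out Guid g);
            Console.WriteLine($"{(ok ? "OK    " : "REJECT")} {g:D}  <- {s}");
        }
        // Only the validated System.Guid reaches the data layer, as a typed parameter:
        //   command.Parameters.Add("@guidParamName", SqlDbType.UniqueIdentifier).Value = g;
    }
}
```

The first three URLs are accepted and yield the same Guid; the last two are rejected before any SQL is involved.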