9

I have an asp:GridView displaying client requests using an asp:SqlDataSource. I want to limit the displayed information by client:

View.aspx has to display everything, View.aspx?client=1 has to display only requests from client ID #1.

So I'm using <asp:QueryStringParameter Name="client" QueryStringField="client" /> for query "EXEC getRequests @client".

Everything works properly when some client is specified. But it doesn't if none is.

I tested my SP using SSMS - it works properly in both cases - when the parameter is specified and when it isn't (NULL passed explicitly).

What should I do?

abatishchev
  • Looks like you're opening yourself up to some pretty serious SQL injection attack vectors with this approach. – womp Apr 21 '10 at 22:41
  • @womp: How am I opening? QueryStringParameter is being added in code-behind only for users with appropriate rights and after a number of checks. – abatishchev Apr 21 '10 at 22:43
  • AH, if you're sanitizing it, then that's fine. It just looked from your question like you were using it directly. – womp Apr 21 '10 at 22:43
  • @womp: I take only client ID (int) and pass it to SP. I'm sure this is safe to do. I don't do silly things like `"SELECT ... WHERE ID=" + Request["client"]` :) – abatishchev Apr 21 '10 at 22:46

2 Answers

19

SqlDataSource won't fire if any of its parameters are null, unless you specify otherwise:

<asp:SqlDataSource CancelSelectOnNullParameter="False" />

It might also be necessary to add a null default value to your querystring parameter:

<asp:QueryStringParameter Name="client" QueryStringField="client" DefaultValue="" ConvertEmptyStringToNull="True" />
richeym
  • Thank you very much! First option does what I need. – abatishchev Apr 21 '10 at 23:31
  • That's a really awkward default (i.e. it should fire with NULL params by default). I'm pretty sure NULL params to indicate 'everything' are very common. – Ryan Aug 06 '14 at 01:28
3

You need to define a Default value to the parameter for those situations, for example:

<asp:QueryStringParameter Name="client" QueryStringField="client" DefaultValue="0"/>

and then in the SP you need to check whether the client is 0 and return all the clients in that case, otherwise only the specific one.

Tony
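For both answers above, the stored procedure side is what makes the "no client means everything" case work: an added T-SQL example (not from the question or either answer) of a getRequests procedure whose typed @client parameter is optional, with table and column names assumed. Because @client is an INT parameter bound by the data source, the value from the query string never reaches the SQL text as a string, which is the point the comments on the question were making.

```sql
-- Added example; dbo.Requests and its columns are assumed, not from the page.
-- Variant for the first answer: the page passes NULL through
-- (CancelSelectOnNullParameter="False"), and NULL means "all clients".
CREATE PROCEDURE dbo.getRequests
    @client INT = NULL            -- omitted or NULL: no client filter
AS
BEGIN
    SET NOCOUNT ON;

    SELECT r.RequestID, r.ClientID, r.CreatedAt, r.Subject
    FROM dbo.Requests AS r
    WHERE @client IS NULL         -- View.aspx: everything
       OR r.ClientID = @client    -- View.aspx?client=1: only that client
    ORDER BY r.CreatedAt DESC
    OPTION (RECOMPILE);           -- separate plan for the NULL and filtered cases
END;
GO

-- Variant for the second answer: the page sends DefaultValue="0" instead of
-- NULL, so 0 is the sentinel for "all clients".
CREATE PROCEDURE dbo.getRequests_ZeroMeansAll
    @client INT = 0
AS
BEGIN
    SET NOCOUNT ON;

    SELECT r.RequestID, r.ClientID, r.CreatedAt, r.Subject
    FROM dbo.Requests AS r
    WHERE @client = 0
       OR r.ClientID = @client
    ORDER BY r.CreatedAt DESC
    OPTION (RECOMPILE);
END;
GO

-- The two cases as the question tested them in SSMS:
EXEC dbo.getRequests;                  -- everything (parameter omitted)
EXEC dbo.getRequests @client = NULL;   -- everything (explicit NULL)
EXEC dbo.getRequests @client = 1;      -- only client #1

EXEC dbo.getRequests_ZeroMeansAll @client = 0;   -- everything
EXEC dbo.getRequests_ZeroMeansAll @client = 1;   -- only client #1
```

If you keep a real client ID of 0 in the data, the sentinel variant cannot tell "all" from "client 0", which is one reason to prefer passing NULL through as the accepted answer does.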