Two Questions!

[zeidhaddadin]

Hi all, I have two questions I hope someone will help me with them:Question 1Whenever Someone enteres to my "database search engine using ADO.NET" a query contains: ' or < it show an ASP.NET compilation page, So here I'm trying to handle the situation by replacing these characters with a space like this:

Sub CheckString(ByVal search As String)search = Trim(Replace(search, "  ", " "))search = Replace(search,"'","")search = Replace(search,"<","")search = Replace(search,">","")search = Replace(search,"*","")End Sub

Also it's being called immediately after Request.QueryString .. using CheckString(search) .. But still the string is not being changed.Question 2I want to declare in my ADO connection the database reader which is called: "dbread" in my application .. So just a question .. I declare it as what.Thanks very much!,zeid======== UPDATE ======= Since I can't reply as first postConcerning the first question ... I noticed not using ByRef .. But Still when searching for: "<script>" or something like this .. It gives me the following error:

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.QueryString value was detected from the client (search="<aa").

Can I handle this kind of quieries?Thanks,zeid

[jesh]

You'll either have to use javascript to replace all of the < signs with an HTML entity (<) or you'll have to change the page so that ValidateRequest is set to false:

<%@ Page Language="VB" ValidateRequest="false"...

Setting ValidateRequest = false can open you up to attacks unless you take care of the inputs on the server side (i.e. do all of your search/replace stuff on the server before you process the input or run it against your database).

[pulpfiction]

Try changing search = Replace(search,"<","") tosearch = search.Replace("<","")

[zeidhaddadin]

man the search = search.replace doesn't work .. but the validateRequest worked fine.Thanks

[zeidhaddadin]

Still can someone tell me what to declare the db reader variable.

[jesh]

Still can someone tell me what to declare the db reader variable.

I don't know much about VB, but in C# it'd look something like this:

SqlConnection conn = new SqlConnection("Connection String goes here...");SqlCommand command = new SqlCommand("SQL Query or Stored Proc name goes here", conn);conn.Open();SqlDataReader reader = command.ExecuteReader();

EDIT: This is a link to the W3S tutorial: http://www.w3schools.com/aspnet/aspnet_dbconnection.asp

[zeidhaddadin]

Thank you jesh.I know how to connect to a database but Sometimes when I compile my aspx page it gives me a warning that I should declare my variables As "something" like Dim a As Integer ...I need to know what to declare my data reader variable.Thanks,zeid

[jesh]

If you were using a SqlConnection, I believe you would declare your reader As SqlDataReader. If it were an OleDbConnection, I believe you would declare it As OleDbDataReader. If it were an OdbcConnection, you'd declare it As OdbcDataReader. There are different DataReaders for different connections. If you look up on the MSDN site for the connection type that you are using, find the ExecuteReader method of the SqlCommand/OleDbCommand classes to figure out what data type the DataReader is.http://msdn2.microsoft.com/en-us/library/979byfca.aspxI hope this helps!

[pulpfiction]

Are you looking for this?Dim var As System.Data.SqlClient.SqlDataReaderThis might help..http://aspnet.4guysfromrolla.com/articles/050405-1.aspx