Two Questions!


zeidhaddadin
Hi all, I have two questions I hope someone will help me with:

Question 1

Whenever someone enters into my "database search engine using ADO.NET" a query containing ' or <, it shows an ASP.NET compilation page, so here I'm trying to handle the situation by replacing these characters with a space like this:

Sub CheckString(ByVal search As String)
    search = Trim(Replace(search, "  ", " "))
    search = Replace(search, "'", "")
    search = Replace(search, "<", "")
    search = Replace(search, ">", "")
    search = Replace(search, "*", "")
End Sub

Also it's being called immediately after Request.QueryString, using CheckString(search), but still the string is not being changed.

Question 2

I want to declare in my ADO connection the database reader, which is called "dbread" in my application. So just a question: I declare it as what?

Thanks very much!
zeid

======== UPDATE =======
Since I can't reply as first post:

Concerning the first question, I noticed I'm not using ByRef :) But still when searching for "<script>" or something like this, it gives me the following error:

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.QueryString value was detected from the client (search="<aa").

Can I handle this kind of queries?
Thanks,
zeid

You'll either have to use JavaScript to replace all of the < signs with an HTML entity (&lt;), or you'll have to change the page so that ValidateRequest is set to false:

<%@ Page Language="VB" ValidateRequest="false"...

Setting ValidateRequest = false can open you up to attacks unless you take care of the inputs on the server side (i.e. do all of your search/replace stuff on the server before you process the input or run it against your database).


Still can someone tell me what to declare the db reader variable.
I don't know much about VB, but in C# it'd look something like this:

using System.Data.SqlClient;

SqlConnection conn = new SqlConnection("Connection String goes here...");
SqlCommand command = new SqlCommand("SQL Query or Stored Proc name goes here", conn);
conn.Open();
SqlDataReader reader = command.ExecuteReader();

EDIT: This is a link to the W3S tutorial: http://www.w3schools.com/aspnet/aspnet_dbconnection.asp


If you were using a SqlConnection, I believe you would declare your reader As SqlDataReader. If it were an OleDbConnection, I believe you would declare it As OleDbDataReader. If it were an OdbcConnection, you'd declare it As OdbcDataReader. There are different DataReaders for different connections. If you look on the MSDN site for the connection type that you are using, find the ExecuteReader method of the SqlCommand/OleDbCommand classes to figure out what data type the DataReader is.

http://msdn2.microsoft.com/en-us/library/979byfca.aspx

I hope this helps!

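The two replies above (do your input handling on the server before the query runs, and declare the reader to match the connection type) come together in the following VB.NET module. It is an added example written for this page, not code from any of the posters: it assumes a SQL Server table named Products with a column Name and a placeholder connection string in ConnStr, neither of which the thread specifies. The point it makes that the thread only hints at is that stripping ' and < from the search term is not what keeps the query safe; passing the term as a SqlParameter does, because the text of the SQL statement then never contains user input. Setting ValidateRequest="false" is then tolerable provided the term is HTML-encoded wherever it is written back into the page.

```vb
' Added example (not from the thread). Assumes a SQL Server table named
' Products with a column Name and a connection string in ConnStr; both are
' placeholders, not something the original posts specify.
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web

Public Module SafeSearch

    ' Placeholder connection string: replace with your own.
    Private Const ConnStr As String = "Server=(local);Database=Catalog;Integrated Security=true"

    ' Escapes LIKE wildcards (SQL Server syntax) so user input cannot widen the match.
    ' "[" must be escaped first, otherwise the brackets added for % and _ would be escaped again.
    Public Function EscapeLike(ByVal term As String) As String
        Return term.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]")
    End Function

    ' Builds the command with the search term passed as a parameter. Quotes and
    ' angle brackets in the term never touch the SQL text, so there is nothing to strip.
    Public Function BuildSearchCommand(ByVal conn As SqlConnection, ByVal term As String) As SqlCommand
        Dim cmd As New SqlCommand("SELECT Name FROM Products WHERE Name LIKE @pattern", conn)
        Dim clean As String = If(term, String.Empty).Trim()
        If clean.Length > 100 Then clean = clean.Substring(0, 100)   ' bound the length as well
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 110).Value = "%" & EscapeLike(clean) & "%"
        Return cmd
    End Function

    ' Runs the search. The reader for a SqlConnection is declared As SqlDataReader
    ' (OleDbDataReader / OdbcDataReader for the other connection types).
    ' This one function needs a reachable database; the rest of the module does not.
    Public Function Search(ByVal term As String) As List(Of String)
        Dim results As New List(Of String)()
        Using conn As New SqlConnection(ConnStr)
            Using cmd As SqlCommand = BuildSearchCommand(conn, term)
                conn.Open()
                Using dbread As SqlDataReader = cmd.ExecuteReader()
                    While dbread.Read()
                        results.Add(dbread.GetString(0))
                    End While
                End Using
            End Using
        End Using
        Return results
    End Function

    ' What to emit when echoing the term back into the page: encode it, do not strip it.
    Public Function ForHtml(ByVal term As String) As String
        Return HttpUtility.HtmlEncode(term)
    End Function

    ' Offline demonstration: builds the command for three hostile inputs (constructed
    ' here) and shows that the SQL text stays fixed and the HTML output is inert.
    Sub Main()
        For Each hostile As String In New String() {"' OR 1=1 --", "<script>alert(1)</script>", "50%_off"}
            Using conn As New SqlConnection(ConnStr)
                Dim cmd As SqlCommand = BuildSearchCommand(conn, hostile)
                Console.WriteLine("SQL:   " & cmd.CommandText)
                Console.WriteLine("param: " & CStr(cmd.Parameters("@pattern").Value))
                Console.WriteLine("html:  " & ForHtml(hostile))
                Console.WriteLine()
            End Using
        Next
    End Sub
End Module
```

Running Main needs no database: it only constructs the command, so you can see that CommandText is the same fixed string for every input and that the hostile text lives entirely in the parameter value. The search term in the posts was bound to a query whose characters were being stripped one at a time; with the parameter in place, CheckString-style stripping becomes unnecessary and the only remaining concern is output encoding, which ForHtml handles.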
