zeidhaddadin Posted January 2, 2007

Hi all, I have two questions I hope someone will help me with them:

Question 1
Whenever someone enters a query containing ' or < into my "database search engine using ADO.NET", it shows an ASP.NET compilation page, so here I'm trying to handle the situation by replacing these characters with a space like this:

Sub CheckString(ByVal search As String)
    ' ByVal: the assignments below change a local copy of search only
    search = Trim(Replace(search, " ", " "))
    search = Replace(search, "'", "")
    search = Replace(search, "<", "")
    search = Replace(search, ">", "")
    search = Replace(search, "*", "")
End Sub

Also it's being called immediately after Request.QueryString .. using CheckString(search) .. But still the string is not being changed.

Question 2
I want to declare in my ADO connection the database reader which is called "dbread" in my application. So just a question: I declare it as what?

Thanks very much!,
zeid

======== UPDATE =======
Since I can't reply as first post.
Concerning the first question ... I noticed not using ByRef .. But still when searching for "<script>" or something like this, it gives me the following error:

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.QueryString value was detected from the client (search="<aa").

Can I handle this kind of queries?
Thanks,
zeid
jesh Posted January 2, 2007

You'll either have to use JavaScript to replace all of the < signs with an HTML entity (&lt;) or you'll have to change the page so that ValidateRequest is set to false:

<%@ Page Language="VB" ValidateRequest="false" ...

Setting ValidateRequest = false can open you up to attacks unless you take care of the inputs on the server side (i.e. do all of your search/replace stuff on the server before you process the input or run it against your database).
pulpfiction Posted January 2, 2007

Try changing

search = Replace(search, "<", "")

to

search = search.Replace("<", "")
zeidhaddadin (Author) Posted January 2, 2007

Man, the search = search.Replace doesn't work .. but the ValidateRequest worked fine.
Thanks
zeidhaddadin (Author) Posted January 2, 2007

Still, can someone tell me what to declare the db reader variable as?
jesh Posted January 2, 2007

(Quoting zeidhaddadin:) Still, can someone tell me what to declare the db reader variable as?

I don't know much about VB, but in C# it'd look something like this:

using System.Data.SqlClient;

SqlConnection conn = new SqlConnection("Connection String goes here...");
SqlCommand command = new SqlCommand("SQL Query or Stored Proc name goes here", conn);
conn.Open();
// ExecuteReader on a SqlCommand returns a SqlDataReader
SqlDataReader reader = command.ExecuteReader();

EDIT: This is a link to the W3S tutorial: http://www.w3schools.com/aspnet/aspnet_dbconnection.asp
zeidhaddadin (Author) Posted January 3, 2007

Thank you jesh. I know how to connect to a database, but sometimes when I compile my aspx page it gives me a warning that I should declare my variables As "something", like Dim a As Integer ... I need to know what to declare my data reader variable as.
Thanks,
zeid
jesh Posted January 3, 2007

If you were using a SqlConnection, I believe you would declare your reader As SqlDataReader. If it were an OleDbConnection, I believe you would declare it As OleDbDataReader. If it were an OdbcConnection, you'd declare it As OdbcDataReader. There are different DataReaders for different connections. If you look up the connection type that you are using on the MSDN site, find the ExecuteReader method of the SqlCommand/OleDbCommand classes to figure out what data type the DataReader is.

http://msdn2.microsoft.com/en-us/library/979byfca.aspx

I hope this helps!
pulpfiction Posted January 3, 2007

Are you looking for this?

Dim var As System.Data.SqlClient.SqlDataReader

This might help..
http://aspnet.4guysfromrolla.com/articles/050405-1.aspx
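An added VB.NET example, not posted by anyone in this thread, putting together jesh's advice to "take care of the inputs on the server side" once ValidateRequest is off and the SqlDataReader declaration jesh and pulpfiction describe. The connection string, the Items table and its Title column are placeholders assumed for the example.

```vb
Imports System.Collections.Generic
Imports System.Data.SqlClient
Imports System.Web

Public Class SearchHelper
    ' Returns the cleaned value instead of editing the argument in place:
    ' with ByVal (as in the original CheckString) only a local copy changes.
    Public Shared Function CleanSearch(ByVal search As String) As String
        If search Is Nothing Then Return String.Empty
        search = search.Trim()
        ' Strip the characters the thread worries about. With the parameterised
        ' query below this is defence in depth; the parameter is what stops
        ' the value from altering the SQL.
        For Each c As Char In "'<>*"
            search = search.Replace(c.ToString(), "")
        Next
        Return search
    End Function

    ' Connection string, table and column names are assumed placeholders.
    Public Shared Function RunSearch(ByVal search As String) As List(Of String)
        Dim results As New List(Of String)()
        Dim term As String = CleanSearch(search)
        If term.Length = 0 Then Return results

        Using conn As New SqlConnection("Server=SERVER;Database=DB;Integrated Security=True")
            Using cmd As New SqlCommand("SELECT Title FROM Items WHERE Title LIKE @term", conn)
                ' The search term travels as a parameter, never spliced into the SQL text.
                cmd.Parameters.AddWithValue("@term", "%" & term & "%")
                conn.Open()
                ' The reader for a SqlConnection/SqlCommand is declared As SqlDataReader.
                Dim dbread As SqlDataReader = cmd.ExecuteReader()
                While dbread.Read()
                    ' Encode on output so a stored "<script>" is rendered as text, not run.
                    results.Add(HttpUtility.HtmlEncode(dbread.GetString(0)))
                End While
                dbread.Close()
            End Using
        End Using
        Return results
    End Function
End Class
```

Because the parameter value is used in a LIKE, % and _ typed by the user still act as wildcards; escape them too if that matters for the search.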