
Passing percent sign in querystring

I am passing a SQL string through my querystring for the next page to
capture.
example: www.xxxxxxxx.com/index.asp?str=select * from table where name like '%doe%'

Passing a basic string works fine. But, when I use the LIKE statement it
does not work. I know it's because of the % sign, so how do I translate
this through, so that the following page picks up the percent sign?

*** Sent via Developersdex http://www.developersdex.com ***
Jul 22 '05 #1
11 Replies


"Joey Martin" <jo**@infosmiths.net> wrote in message
news:OJ**************@TK2MSFTNGP14.phx.gbl...
I am passing a SQL string through my querystring for the next page to
capture.
example: www.xxxxxxxx.com/index.asp?str=select * from table where name like '%doe%'

Passing a basic string works fine. But, when I use the LIKE statement it
does not work. I know it's because of the % sign, so how do I translate
this through, so that the following page picks up the percent sign?


A JavaScript solution:

// Build the target URL with an absolute scheme so window.open does not treat
// it as a relative path. escape() percent-encodes '%' (as %25) and spaces, so
// the next page's Request.QueryString receives the literal pattern.
// (escape() is deprecated; encodeURIComponent() is the modern equivalent.)
var url = "http://www.xxxxxxxx.com/index.asp?str=";
var sql = "SELECT * FROM table WHERE name LIKE '%doe%'";
window.open(url + escape(sql), "", "");
Jul 22 '05 #2

well, hopefully you're only doing this in a secure area of the site that only
admins use

regardless you want to Server.URLEncode that string before you send it to
the next page

Server.URLEncode(YourSQLString)

it will encode certain characters so they make it over ok...
you don't have to worry about decoding it as the request object takes care of
that
"Joey Martin" <jo**@infosmiths.net> wrote in message
news:OJ**************@TK2MSFTNGP14.phx.gbl...
I am passing a SQL string through my querystring for the next page to
capture.
example: www.xxxxxxxx.com/index.asp?str=select * from table where name like '%doe%'

Passing a basic string works fine. But, when I use the LIKE statement it
does not work. I know it's because of the % sign, so how do I translate
this through, so that the following page picks up the percent sign?

*** Sent via Developersdex http://www.developersdex.com ***

Jul 22 '05 #3
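The two replies above (the JavaScript escape() call and Server.URLEncode) both come down to percent-encoding the value before it goes into the query string. The following is an added example, not code from the thread, showing the round trip in Node.js: the literal '%' of the LIKE pattern travels as "%25" and comes back intact on the receiving side, and an unencoded "%doe%" fails to decode, which is the symptom the original poster saw. It passes only the pattern rather than the whole SQL statement, as later replies in the thread recommend. It assumes Node.js 10 or later for the global URL/URLSearchParams classes; the host name and the parameter name "name" are placeholders.

```javascript
// Added example, not code from the thread: passing a LIKE pattern that
// contains a literal '%' through the query string and reading it back.
// Assumes Node.js 10+ for the global URL and URLSearchParams classes.
// The host name and the parameter name "name" are placeholders.

const BASE_URL = "http://www.example.com/index.asp";

// Build the link: URLSearchParams percent-encodes the value, so a literal
// '%' travels as "%25" and is not mistaken for the start of an escape.
function buildSearchUrl(pattern) {
  const url = new URL(BASE_URL);
  url.searchParams.set("name", pattern);
  return url.toString();
}

// What the receiving page does: parse the query string and get the value
// back exactly as sent (this is the decoding step the thread attributes
// to the Request object in ASP).
function readPattern(fullUrl) {
  return new URL(fullUrl).searchParams.get("name");
}

// Encoding a single value by hand, as in the thread's JavaScript reply but
// with the non-deprecated function: '%' becomes "%25", ' ' becomes "%20".
function encodeValue(value) {
  return encodeURIComponent(value);
}

// Illustrates the failure the original poster hit: an unencoded "%doe%" is
// not a valid percent-encoded string ("%do" is not a hex escape), so a
// decoder rejects it. Returns null instead of throwing.
function decodeStrict(value) {
  try {
    return decodeURIComponent(value);
  } catch (e) {
    return null; // URIError: URI malformed
  }
}

// Sample run on a constructed input.
const link = buildSearchUrl("%doe%");
console.log(link);                  // http://www.example.com/index.asp?name=%25doe%25
console.log(readPattern(link));     // %doe%
console.log(decodeStrict("%doe%")); // null
```

The receiving page should still treat the decoded value as data: hand it to the database as a bound parameter of the LIKE clause, not by pasting it into the SQL text.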

Hey Joey,

i think writing the whole sql statement in the querystring is a bad idea -
you are open to sql injection attacks and the like. All your user has to do
is substitute delete for select, and hey presto, your table is empty (unless
you've denied delete rights on your db user account)....

regards,
Jon.

"Kyle Peterson" wrote:
well, hopefully you're only doing this in a secure area of the site that only
admins use

regardless you want to Server.URLEncode that string before you send it to
the next page

Server.URLEncode(YourSQLString)

it will encode certain characters so they make it over ok...
you don't have to worry about decoding it as the request object takes care of
that
"Joey Martin" <jo**@infosmiths.net> wrote in message
news:OJ**************@TK2MSFTNGP14.phx.gbl...
I am passing a SQL string through my querystring for the next page to
capture.
example: www.xxxxxxxx.com/index.asp?str=select * from table where name like '%doe%'

Passing a basic string works fine. But, when I use the LIKE statement it
does not work. I know it's because of the % sign, so how do I translate
this through, so that the following page picks up the percent sign?

*** Sent via Developersdex http://www.developersdex.com ***


Jul 22 '05 #4



Ok. So if I do not include the sql querystring in the address bar (and I
appreciate you pointing out the security problems), how do I perform
sortable columns? I need a way to pass the querystring to the next page
that re-sorts the columns.

*** Sent via Developersdex http://www.developersdex.com ***
Jul 22 '05 #5

I would do the sort using client-side JavaScript myself (no trips to the
server just to get the same data in a different order). If you cannot, then
keep the current query parameters in session variables or in a database on
the server. Or pass the parameters used to build the query instead of the
query itself.

--
--Mark Schupp
Head of Development
Integrity eLearning
www.ielearning.com

"Joey Martin" <jo**@infosmiths.net> wrote in message
news:Or**************@TK2MSFTNGP14.phx.gbl...


Ok. So if I do not include the sql querystring in the address bar (and I
appreciate you pointing out the security problems), how do I perform
sortable columns? I need a way to pass the querystring to the next page
that re-sorts the columns.

*** Sent via Developersdex http://www.developersdex.com ***

Jul 22 '05 #6


Joey Martin wrote:
Ok. So if I do not include the sql querystring in the address bar (and I appreciate you pointing out the security problems), how do I perform
sortable columns? I need a way to pass the querystring to the next page that re-sorts the columns.


What I do is have a sortby in the querystring, which matches the column
names... i.e.

resultpage.asp?sortby=last_name,first_name

Then in resultpage.asp you just dynamically build your sql...
mysql="select * from personnel order by " & sortby

You should check to see if sortby is empty, and set it to a default
sorting method if so.

Jul 22 '05 #7

<la**********@yahoo.com> wrote in message
news:11*********************@l41g2000cwc.googlegroups.com...

Joey Martin wrote:
Ok. So if I do not include the sql querystring in the address bar (and I
appreciate you pointing out the security problems), how do I perform
sortable columns? I need a way to pass the querystring to the next
page that re-sorts the columns.


What I do is have a sortby in the querystring, which matches the column
names... i.e.

resultpage.asp?sortby=last_name,first_name

Then in resultpage.asp you just dynamically build your sql...
mysql="select * from personnel order by " & sortby

You should check to see if sortby is empty, and set it to a default
sorting method if so.

This can open you up to SQL Injection attacks. You should never include any
data from the request in a SQL statement without validating it and escaping
special characters in it first.
Jul 22 '05 #8

> > What I do is have a sortby in the querystring, which matches the column
> > names... i.e.
> >
> > resultpage.asp?sortby=last_name,first_name
> >
> > Then in resultpage.asp you just dynamically build your sql...
> > mysql="select * from personnel order by " & sortby
> >
> > You should check to see if sortby is empty, and set it to a default
> > sorting method if so.
>
> This can open you up to SQL Injection attacks. You should never
> include any data from the request in a SQL statement without validating it and escaping special characters in it first.


How can it do that when it's forced after "order by" in a select
statement?

Jul 22 '05 #9

I'm not an expert on it but if I understand correctly one attack involves
appending SQL Statements. Some DBMSs allow multiple statements to be
executed in one call.

sortby = "last_name,first_name"
mysql="select * from personnel order by " & sortby
mysql=> select * from personnel order by last_name,first_name

Now try:
sortby = "last_name,first_name;delete from personnel"
mysql="select * from personnel order by " & sortby
mysql=> select * from personnel order by last_name,first_name;delete from
personnel

If you do a search on "sql injection" you will probably find a dozen
articles that explain this and other attacks much better.

--
--Mark Schupp
Head of Development
Integrity eLearning
www.ielearning.com

<la**********@yahoo.com> wrote in message
news:11*********************@l41g2000cwc.googlegroups.com...
> What I do is have a sortby in the querystring, which matches the column
> names... i.e.
>
> resultpage.asp?sortby=last_name,first_name
>
> Then in resultpage.asp you just dynamically build your sql...
>
>
> mysql="select * from personnel order by " & sortby
>
> You should check to see if sortby is empty, and set it to a default
> sorting method if so.
>

This can open you up to SQL Injection attacks. You should never
include any data from the request in a SQL statement without validating it and
escaping special characters in it first.


How can it do that when it's forced after "order by" in a select
statement?

Jul 22 '05 #10


Mark Schupp wrote:
I'm not an expert on it but if I understand correctly one attack involves appending SQL Statements. Some DBMSs allow multiple statements to be
executed in one call.

sortby = "last_name,first_name"
mysql="select * from personnel order by " & sortby
mysql=> select * from personnel order by last_name,first_name

Now try:
sortby = "last_name,first_name;delete from personnel"
mysql="select * from personnel order by " & sortby
mysql=> select * from personnel order by last_name,first_name;delete from personnel


Duly noted. Stripping out all spaces from the sortby should take care
of that.

Jul 22 '05 #11

la**********@yahoo.com wrote:
Mark Schupp wrote:
I'm not an expert on it but if I understand correctly one attack
involves appending SQL Statements. Some DBMSs allow multiple
statements to be executed in one call.

sortby = "last_name,first_name"
mysql="select * from personnel order by " & sortby
mysql=> select * from personnel order by last_name,first_name

Now try:
sortby = "last_name,first_name;delete from personnel"
mysql="select * from personnel order by " & sortby
mysql=> select * from personnel order by last_name,first_name;delete
from personnel


Duly noted. Stripping out all spaces from the sortby should take care
of that.


Better yet, use parameters just in case the hacker is aware of that trick.
SQL cannot be injected if parameters are used.

Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Jul 22 '05 #12
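The ORDER BY case discussed from reply #7 onward (the dynamically built "order by " & sortby, the appended-statement example in reply #10, the space-stripping idea in #11 and the advice to use parameters in #12) has one caveat worth spelling out: column identifiers cannot be bound as query parameters in most database drivers, so for a sort column the usual control is an allowlist of permitted column names, with the request value used only to select among them. The following is an added example, not code from the thread or from any of its posters, showing that check in Node.js. The table name and the columns last_name/first_name come from the thread; hire_date, the asc/desc handling and the sample inputs are constructed for the example.

```javascript
// Added example, not code from the thread: building the ORDER BY clause from
// a "sortby" query-string value by checking each component against an
// allowlist of column names. Column identifiers cannot be bound as query
// parameters in most database drivers, so an allowlist is the usual control
// for this case. Table name and columns last_name/first_name come from the
// thread; hire_date and the direction keywords are constructed for the example.

const SORTABLE_COLUMNS = new Set(["last_name", "first_name", "hire_date"]);
const DEFAULT_SORTBY = "last_name,first_name";

// Parses "col[ asc|desc],col[ asc|desc],..." and returns the validated
// ORDER BY body, or null if any component is not an allowed column with an
// optional direction. Nothing copied from the request reaches the SQL text:
// only allowlisted column names and the literal keywords ASC/DESC are emitted,
// so the check does not depend on spaces or on any particular separator.
function buildOrderBy(sortby) {
  const value =
    typeof sortby === "string" && sortby.trim() !== "" ? sortby : DEFAULT_SORTBY;
  const parts = [];
  for (const component of value.split(",")) {
    const tokens = component.trim().split(/\s+/);
    if (tokens.length > 2) return null; // more than "column direction"
    const [column, direction = "asc"] = tokens;
    if (!SORTABLE_COLUMNS.has(column)) return null; // unknown column
    const dir = direction.toLowerCase();
    if (dir !== "asc" && dir !== "desc") return null; // unknown direction
    parts.push(`${column} ${dir.toUpperCase()}`);
  }
  return parts.join(", ");
}

// Assembles the statement, or returns null so the caller can reject the
// request (HTTP 400) and log the rejected sortby value for review.
function buildQuery(sortby) {
  const orderBy = buildOrderBy(sortby);
  return orderBy === null ? null : `select * from personnel order by ${orderBy}`;
}

// Sample run on constructed inputs, including the thread's appended-statement
// string, which is rejected because "first_name;delete from personnel" is
// not an allowlisted column.
const SAMPLE_INPUTS = [
  "last_name,first_name",
  "",
  "hire_date desc",
  "last_name,first_name;delete from personnel",
  "salary",
];
for (const input of SAMPLE_INPUTS) {
  console.log(JSON.stringify(input), "=>", buildQuery(input));
}
```

A rejected value is a useful signal on its own: logging it with the requesting IP and the time gives a simple detection for probing of the sort parameter, and because the default ordering is applied when the value is empty the legitimate "no sortby supplied" case never hits that log.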
