
Passing percent sign in querystring

I am passing a sql string thru my querystring for the next page to
capture.
example: www.xxxxxxxx.com/index.asp?str=select * from table where name
like '%doe%'

Passing a basic string works fine. But, when I use the LIKE statement it
does not work. I know it's because of the % sign, so how do I translate
this thru, so that the following page picks up the percent sign?

*** Sent via Developersdex http://www.developersdex.com ***
Jul 22 '05 #1
"Joey Martin" <jo**@infosmiths.net> wrote in message
news:OJ**************@TK2MSFTNGP14.phx.gbl...
I am passing a sql string thru my querystring for the next page to
capture.
example: www.xxxxxxxx.com/index.asp?str=select * from table where name
like '%doe%'

Passing a basic string works fine. But, when I use the LIKE statement it
does not work. I know it's because of the % sign, so how do I translate
this thru, so that the following page picks up the percent sign?


A JavaScript solution:

var url = "http://www.xxxxxxxx.com/index.asp?str=";  // scheme added so the URL is absolute, not a relative path
var sql = "SELECT * FROM table WHERE name LIKE '%doe%'";
// encodeURIComponent turns '%' into '%25' (and also encodes spaces, quotes and '*'),
// so the receiving page's Request.QueryString decodes back to the original text.
// The older escape() also encodes '%', but it is deprecated and mishandles '+' and non-ASCII.
window.open(url + encodeURIComponent(sql), "", "");
Jul 22 '05 #2
well, hopefully you're only doing this in a secure area of the site that only
admins use

regardless you want to Server.URLEncode that string before you send it to
the next page

Server.URLEncode(YourSQLString)

it will encode certain characters so they make it over ok...
you don't have to worry about decoding it as the request object takes care of
that
"Joey Martin" <jo**@infosmiths.net> wrote in message
news:OJ**************@TK2MSFTNGP14.phx.gbl...
I am passing a sql string thru my querystring for the next page to
capture.
example: www.xxxxxxxx.com/index.asp?str=select * from table where name
like '%doe%'

Passing a basic string works fine. But, when I use the LIKE statement it
does not work. I know it's because of the % sign, so how do I translate
this thru, so that the following page picks up the percent sign?

*** Sent via Developersdex http://www.developersdex.com ***

Jul 22 '05 #3
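The encoding step the two replies above describe (escape() client-side, Server.URLEncode server-side), as an added Node.js example that is not code from the thread; the host name is a placeholder. A literal '%' in a parameter must travel as '%25', because a bare '%do' is not a valid percent escape.

```javascript
// Added example: percent-encoding a query-string value so that a literal
// '%' survives the trip to the next page. Node.js; host is a placeholder.
const BASE = "http://www.example.com/index.asp"; // placeholder, not the thread's host

// Build the URL with every parameter value percent-encoded
// (same job as Server.URLEncode / encodeURIComponent on each value).
function buildUrl(params) {
  const u = new URL(BASE);
  for (const [k, v] of Object.entries(params)) u.searchParams.set(k, v);
  return u.toString();
}

// What the receiving page sees once its framework (Request.QueryString
// in ASP, URLSearchParams here) has decoded the query string.
function readParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// A strict decoder rejects the raw, un-encoded value: in "%doe%" the
// sequence "%do" is not two hex digits, so decodeURIComponent throws.
function decodeOrNull(raw) {
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return null; // URIError: malformed URI sequence
  }
}

const pattern = "%doe%"; // constructed sample, the OP's LIKE pattern
console.log(encodeURIComponent(pattern));      // %25doe%25
const url = buildUrl({ pattern });
console.log(url);                              // ...?pattern=%25doe%25
console.log(readParam(url, "pattern"));        // %doe%  (round-trips intact)
console.log(decodeOrNull(pattern));            // null   (raw value is malformed)
console.log(decodeOrNull("%25doe%25"));        // %doe%
```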
Hey Joey,

I think writing the whole sql statement in the querystring is a bad idea -
you are open to sql injection attacks and the like. All your user has to do
is substitute delete for select, and hey presto, your table is empty (unless
you've denied delete rights on your db user account)....

regards,
Jon.

"Kyle Peterson" wrote:
well, hopefully you're only doing this in a secure area of the site that only
admins use

regardless you want to Server.URLEncode that string before you send it to
the next page

Server.URLEncode(YourSQLString)

it will encode certain characters so they make it over ok...
you don't have to worry about decoding it as the request object takes care of
that
"Joey Martin" <jo**@infosmiths.net> wrote in message
news:OJ**************@TK2MSFTNGP14.phx.gbl...
I am passing a sql string thru my querystring for the next page to
capture.
example: www.xxxxxxxx.com/index.asp?str=select * from table where name
like '%doe%'

Passing a basic string works fine. But, when I use the LIKE statement it
does not work. I know it's because of the % sign, so how do I translate
this thru, so that the following page picks up the percent sign?

*** Sent via Developersdex http://www.developersdex.com ***


Jul 22 '05 #4


Ok. So if I do not include the sql querystring in the address bar (and I
appreciate you pointing out the security problems), how do I perform
sortable columns? I need a way to pass the querystring to the next page
that re-sorts the columns.

*** Sent via Developersdex http://www.developersdex.com ***
Jul 22 '05 #5
I would do the sort using client-side JavaScript myself (no trips to the
server just to get the same data in a different order). If you cannot, then
keep the current query parameters in session variables or in a database on
the server. Or pass the parameters used to build the query instead of the
query itself.

--
--Mark Schupp
Head of Development
Integrity eLearning
www.ielearning.com

"Joey Martin" <jo**@infosmiths.net> wrote in message
news:Or**************@TK2MSFTNGP14.phx.gbl...


Ok. So if I do not include the sql querystring in the address bar (and I
appreciate you pointing out the security problems), how do I perform
sortable columns? I need a way to pass the querystring to the next page
that re-sorts the columns.

*** Sent via Developersdex http://www.developersdex.com ***

Jul 22 '05 #6

Joey Martin wrote:
Ok. So if I do not include the sql querystring in the address bar (and I appreciate you pointing out the security problems), how do I perform
sortable columns? I need a way to pass the querystring to the next page that re-sorts the columns.


What I do is have a sortby in the querystring, which matches the column
names... i.e.

resultpage.asp?sortby=last_name,first_name

Then in resultpage.asp you just dynamically build your sql...
mysql="select * from personnel order by " & sortby

You should check to see if sortby is empty, and set it to a default
sorting method if so.

Jul 22 '05 #7
<la**********@yahoo.com> wrote in message
news:11*********************@l41g2000cwc.googlegroups.com...

Joey Martin wrote:
Ok. So if I do not include the sql querystring in the address bar (and I
appreciate you pointing out the security problems), how do I perform
sortable columns? I need a way to pass the querystring to the next
page that re-sorts the columns.


What I do is have a sortby in the querystring, which matches the column
names... i.e.

resultpage.asp?sortby=last_name,first_name

Then in resultpage.asp you just dynamically build your sql...
mysql="select * from personnel order by " & sortby

You should check to see if sortby is empty, and set it to a default
sorting method if so.

This can open you up to SQL Injection attacks. You should never include any
data from the request in a SQL statement without validating it and escaping
special characters in it first.
Jul 22 '05 #8
> > What I do is have a sortby in the querystring, which matches the column
> > names... i.e.
> >
> > resultpage.asp?sortby=last_name,first_name
> >
> > Then in resultpage.asp you just dynamically build your sql...
> > mysql="select * from personnel order by " & sortby
> >
> > You should check to see if sortby is empty, and set it to a default
> > sorting method if so.
>
> This can open you up to SQL Injection attacks. You should never
> include any data from the request in a SQL statement without validating it and
> escaping special characters in it first.


How can it do that when it's forced after "order by" in a select
statement?

Jul 22 '05 #9
I'm not an expert on it but if I understand correctly one attack involves
appending SQL Statements. Some DBMSs allow multiple statements to be
executed in one call.

sortby = "last_name,first_name"
mysql="select * from personnel order by " & sortby
mysql=> select * from personnel order by last_name,first_name

Now try:
sortby = "last_name,first_name;delete from personnel"
mysql="select * from personnel order by " & sortby
mysql=> select * from personnel order by last_name,first_name;delete from
personnel

If you do a search on "sql injection" you will probably find a dozen
articles that explain this and other attacks much better.

--
--Mark Schupp
Head of Development
Integrity eLearning
www.ielearning.com

<la**********@yahoo.com> wrote in message
news:11*********************@l41g2000cwc.googlegroups.com...
> What I do is have a sortby in the querystring, which matches the column
> names... i.e.
>
> resultpage.asp?sortby=last_name,first_name
>
> Then in resultpage.asp you just dynamically build your sql...
> mysql="select * from personnel order by " & sortby
>
> You should check to see if sortby is empty, and set it to a default
> sorting method if so.

This can open you up to SQL Injection attacks. You should never include any
data from the request in a SQL statement without validating it and escaping
special characters in it first.


How can it do that when it's forced after "order by" in a select
statement?

Jul 22 '05 #10

Mark Schupp wrote:
I'm not an expert on it but if I understand correctly one attack involves appending SQL Statements. Some DBMSs allow multiple statements to be
executed in one call.

sortby = "last_name,first_name"
mysql="select * from personnel order by " & sortby
mysql=> select * from personnel order by last_name,first_name

Now try:
sortby = "last_name,first_name;delete from personnel"
mysql="select * from personnel order by " & sortby
mysql=> select * from personnel order by last_name,first_name;delete from personnel


Duly noted. Stripping out all spaces from the sortby should take care
of that.

Jul 22 '05 #11
la**********@yahoo.com wrote:
Mark Schupp wrote:
I'm not an expert on it but if I understand correctly one attack
involves appending SQL Statements. Some DBMSs allow multiple
statements to be executed in one call.

sortby = "last_name,first_name"
mysql="select * from personnel order by " & sortby
mysql=> select * from personnel order by last_name,first_name

Now try:
sortby = "last_name,first_name;delete from personnel"
mysql="select * from personnel order by " & sortby
mysql=> select * from personnel order by last_name,first_name;delete
from personnel


Duly noted. Stripping out all spaces from the sortby should take care
of that.


Better yet, use parameters just in case the hacker is aware of that trick.
SQL cannot be injected if parameters are used.

Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Jul 22 '05 #12
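The sortby scheme from post #7 with the validation posts #8 through #12 call for, as an added Node.js example rather than the thread's ASP/VBScript, and not code from any poster. Column names in an ORDER BY cannot be bound as parameters in most database drivers, so the usual complement to parameterised queries is an allowlist: only identifiers the application already knows are ever placed in the SQL, and the request string itself never is. The column names and table are constructed for the example.

```javascript
// Added example: build the ORDER BY for resultpage.asp?sortby=... from an
// allowlist, so request text never reaches the query. Columns are constructed.
const SORTABLE = new Set(["last_name", "first_name", "hire_date"]);
const DEFAULT_SORT = [["last_name", "ASC"]];

// Parse "col[ dir],col[ dir]" into validated [column, direction] pairs.
// Empty input falls back to the default sort (as post #7 advises); any
// token that is not a known column or direction returns null, i.e. reject
// the request. Whitespace handling is irrelevant to safety here: an unknown
// identifier is rejected whether or not it contains spaces.
function parseSortBy(sortby) {
  if (!sortby || sortby.trim() === "") return DEFAULT_SORT;
  const out = [];
  for (const item of sortby.split(",")) {
    const parts = item.trim().split(/\s+/);
    if (parts.length > 2) return null;              // "col dir extra..."
    const [col, dir = "asc"] = parts;
    if (!SORTABLE.has(col)) return null;            // unknown identifier
    const d = dir.toLowerCase();
    if (d !== "asc" && d !== "desc") return null;   // unknown direction
    out.push([col, d.toUpperCase()]);
  }
  return out;
}

// Emit the SQL from the validated pairs only. Because every fragment comes
// from SORTABLE or the fixed ASC/DESC literals, no part of the request
// string is concatenated into the statement.
function buildQuery(sortby) {
  const order = parseSortBy(sortby);
  if (order === null) return null;
  const clause = order.map(([c, d]) => `${c} ${d}`).join(", ");
  return `SELECT * FROM personnel ORDER BY ${clause}`;
}

// The thread's own inputs: the legitimate value, the empty default, and the
// appended-statement value from post #10 (also with its spaces removed).
console.log(buildQuery("last_name,first_name"));
console.log(buildQuery(""));
console.log(buildQuery("last_name,first_name;delete from personnel"));   // null
console.log(buildQuery("last_name,first_name;deletefrompersonnel"));     // null
```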
