From: gerryR on
Hi All

I have a simple aspx page (vb) that pulls info out of an excel sheet. I'm
trying to pass a condition through a link to narrow down the results.
Basically we have 4 areas and rather than have 4 separate pages I'd like to
have 4 links instead.

At the min my link is

contacts.aspx?area=north

But my problem is how do I get that area into my sql statement.

I've tried creating a function in my code behind to return the area

Function passCondition()
Dim link As String
link = Request.QueryString("area")
Return link
End Function

And then pass that function into my sql command in the asp page

SelectCommand="SELECT * FROM [range] Where Province=passCondition()">

But all to no avail, I've tried multiple variations of that and several
alternatives but nothing.

As you can prob tell I'm fairly new to all this so really appreciate a point
in the right direction.

Many thanks
gR


From: Paul Shapiro on
"gerryR" <gerryr(a)SPMANOgerryr.com> wrote in message
news:eHcp9wbxKHA.2436(a)TK2MSFTNGP04.phx.gbl...
> I have a simple aspx page (vb) that pulls info out of an excel sheet. I'm
> trying to pass a condition through a link to narrow down the results.
> Basically we have 4 areas and rather than have 4 separate pages I'd like
> to have 4 links instead.
>
> At the min my link is
>
> contacts.aspx?area=north
>
> But my problem is how do I get that area into my sql statement.
>
> I've tried creating a function in my code behind to return the area
>
> Function passCondition()
> Dim link As String
> link = Request.QueryString("area")
> Return link
> End Function
>
> And then pass that function into my sql command in the asp page
>
> SelectCommand="SELECT * FROM [range] Where Province=passCondition()">
>
> But all to no avail, I've tried multiple variations of that and several
> alternatives but nothing.

If you look at your SelectCommand in the debugger you'll see that the text
is exactly as you show it above, with passCondition() as literal text. You
need to concatenate your condition, and include the text delimiters:
SelectCommand="SELECT * FROM [range] Where Province='" + passCondition() + "'"

You should also look up command parameters, because concatenating free text
into a sql statement opens your application to serious sql injection
security vulnerabilities.
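
The command-parameter approach recommended above, sketched for this page's query as an added example (not code from any poster in the thread). Assumptions: the module and function names, the "east"/"west" area names, and the OLE DB connection string for the workbook are hypothetical.

```vb
Imports System
Imports System.Data
Imports System.Data.OleDb

Public Module ContactsQuery

    ' Allow-list of areas. "north" and "south" appear in the thread;
    ' "east" and "west" are assumed names for the other two areas.
    Private ReadOnly AllowedAreas As String() = {"north", "south", "east", "west"}

    ' Returns the canonical area name, or Nothing if the value is not on the list.
    Public Function NormalizeArea(ByVal raw As String) As String
        If String.IsNullOrWhiteSpace(raw) Then Return Nothing
        Dim candidate As String = raw.Trim().ToLowerInvariant()
        If Array.IndexOf(AllowedAreas, candidate) >= 0 Then Return candidate
        Return Nothing
    End Function

    ' connectionString is assumed to be an OLE DB connection string for the workbook.
    Public Function LoadContacts(ByVal connectionString As String,
                                 ByVal rawArea As String) As DataTable
        Dim area As String = NormalizeArea(rawArea)
        If area Is Nothing Then
            Throw New ArgumentException("Unknown area.", "rawArea")
        End If

        ' The SQL text is a constant. The request value travels only as a
        ' parameter, so a quote character in it is compared as data and
        ' cannot change the WHERE clause.
        Const sql As String = "SELECT * FROM [range] WHERE Province = ?"

        Dim result As New DataTable()
        Using conn As New OleDbConnection(connectionString)
            Using cmd As New OleDbCommand(sql, conn)
                ' OLE DB binds parameters by position; the name is only a label.
                cmd.Parameters.Add("@province", OleDbType.VarWChar, 50).Value = area
                Using adapter As New OleDbDataAdapter(cmd)
                    adapter.Fill(result)
                End Using
            End Using
        End Using
        Return result
    End Function

End Module
```

From Page_Load, pass Request.QueryString("area") as rawArea and bind the returned table to the grid; an unknown area raises ArgumentException before any query runs.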

From: Mr. Arnold on
gerryR wrote:
> Hi All
>
> I have a simple aspx page (vb) that pulls info out of an excel sheet. I'm
> trying to pass a condition through a link to narrow down the results.
> Basically we have 4 areas and rather than have 4 separate pages I'd like to
> have 4 links instead.
>
> At the min my link is
>
> contacts.aspx?area=north
>
> But my problem is how do I get that area into my sql statement.
>
> I've tried creating a function in my code behind to return the area
>
> Function passCondition()
> Dim link As String
> link = Request.QueryString("area")
> Return link
> End Function
>
> And then pass that function into my sql command in the asp page
>
> SelectCommand="SELECT * FROM [range] Where Province=passCondition()">
>
> But all to no avail, I've tried multiple variations of that and several
> alternatives but nothing.
>
> As you can prob tell I'm fairly new to all this so really appreciate a point
> in the right direction.
>
> Many thanks
> gR
>
>

Why don't you do this?

private dim link as string at the top of the class.

In the page_load method, you do the Querystring to set "link" to the
queried value.

Then just use the "link" variable which can be seen by all methods of
the class.



From: gerryR on
Thanks all, ended up adding a querystring to the sql command

Thanks again for the help
gR




From: gerryR on

"Paul Shapiro" <paul(a)hideme.broadwayData.com> wrote in message
news:OsJobYcxKHA.4240(a)TK2MSFTNGP06.phx.gbl...
> "gerryR" <gerryr(a)SPMANOgerryr.com> wrote in message
> news:eHcp9wbxKHA.2436(a)TK2MSFTNGP04.phx.gbl...
>> I have a simple aspx page (vb) that pulls info out of an excel sheet.
>> I'm trying to pass a condition through a link to narrow down the results.
>> Basically we have 4 areas and rather than have 4 separate pages I'd like
>> to have 4 links instead.
>>
>> At the min my link is
>>
>> contacts.aspx?area=north
>>
>> But my problem is how do I get that area into my sql statement.
>>
>> I've tried creating a function in my code behind to return the area
>>
>> Function passCondition()
>> Dim link As String
>> link = Request.QueryString("area")
>> Return link
>> End Function
>>
>> And then pass that function into my sql command in the asp page
>>
>> SelectCommand="SELECT * FROM [range] Where Province=passCondition()">
>>
>> But all to no avail, I've tried multiple variations of that and several
>> alternatives but nothing.
>
> If you look at your SelectCommand in the debugger you'll see that the text
> is exactly as you show it above, with passCondition() as literal text. You
> need to concatenate your condition, and include the text delimiters:
> SelectCommand="SELECT * FROM [range] Where Province='" + passCondition() + "'"
>
> You should also look up command parameters, because concatenating free text
> into a sql statement opens your application to serious sql injection
> security vulnerabilities.

Hi Paul

just on your point about sql injection security issue, are the chances of
this also increased when using text in your SQL statements or is this
particular issue only related when concatenating?

I ask as they are now looking for 4 separate pages so if plain text isn't a
problem I'll just use

SELECT * FROM [range] Where Province="north"
SELECT * FROM [range] Where Province="south"
etc

Or am I still better to use parameters?

SELECT * FROM [range] Where Province=@province

Many thanks
gR