Hi, I want to send data by using href, like this: sample.aspx?data=14. But I don't know how to get this data back on the other page? Thanks
Also, if you're using it to update/add data to a database, you might go ahead and cleanse your data to avoid SQL injection. Can be done in one line real easy - slight mod to Ludwig's suggestion:

strData = Replace(Request("data"), "'", "''")

If you're not updating/modifying/adding to a database, there's no need to double the apostrophes. VG
Usually I replace all of the following:

strData = Trim(Request("data"))
strData = Replace(strData, "&", "&amp;")     ' replacing with a Web Safe Numeric Character
strData = Replace(strData, "'", "&#39;")     ' not doubling like VG said, but replacing with a WSNC
strData = Replace(strData, """", "&quot;")   ' for SQL statement to work properly
strData = Replace(strData, vbCrLf, "<br>")   ' if sending from a textarea field
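The manual entity replacements above are what classic ASP's Server.HTMLEncode already does in one call. The page below is an added example, not code from the thread or from any poster; it assumes a classic ASP (VBScript) receiving page and the same ?data=14 querystring parameter as the question. Note that HTML encoding protects the output page, not a SQL statement, and that Server.HTMLEncode leaves the single quote untouched, so it is not a substitute for a parameterized query.

```vbscript
<%
Option Explicit
' Added example (not from the thread): read the value sent as
' sample.aspx?data=14 and prepare it for display only.

Dim strData
' Request.QueryString reads the href parameter explicitly, instead of the
' looser Request("data"), which also searches Form and Cookies.
strData = Trim(Request.QueryString("data"))

' Server.HTMLEncode performs the entity replacement the post does by hand:
'   &  -> &amp;   <  -> &lt;   >  -> &gt;   "  -> &quot;
' It does NOT encode the apostrophe, and it is not SQL escaping.
Dim strSafeForHtml
strSafeForHtml = Server.HTMLEncode(strData)

' For textarea input: encode first, then convert line breaks to <br>,
' so the <br> tag we add is not itself encoded away.
strSafeForHtml = Replace(strSafeForHtml, vbCrLf, "<br>")

Response.Write "You sent: " & strSafeForHtml
%>
```

Keeping the raw value in strData and the encoded copy in strSafeForHtml avoids the problem benjymouse raises later in the thread: the stored value stays usable for calculations and for the database, and encoding happens only at the point of output.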
Just a question that's mostly on-topic... How would you send data between pages without using a querystring? Like, if you needed to pass sensitive information from page to page, but didn't want people seeing it?
Passing sensitive data is very crucial. Use method="post", and combining the proper filters will somehow eliminate or at least have a degree of security against SQL injection, but still injection would be possible in the form elements you are using.
Also, yesterday I had someone who wanted a job at my company and he used a very simple method for protecting the data. What he did was very simple. When you click the submit button, a JavaScript code works which encodes the password characters and only then sends the info to the LOGIN file. The login file decodes the characters encoded by JavaScript and then checks whether it matches the data or not. Nice way, haven't thought about it before. Surely you'll have to use METHOD="POST".
I think it is also better to have server-side protection too, because client-side filtration can be bypassed by removing the JavaScript in view source.
Oh my God, no! This is a piece of very bad advice.

1) It will only protect you against some kinds of injections; others may be wide open, giving you a false sense of security.
2) The data will effectively be in a form where it can only be used for SQL, i.e. not for display/calculations, if not converted back.
3) It is not portable. Some database systems may allow/require other escaping mechanisms.

I see where this is coming from: magic_quotes in PHP. That is a piece of cr&%&%/¤ language design, on par with register_globals. Do not do this. Never. Ever. And never advise anyone else to do it, unless you want to be able to hack into their site afterwards. Instead, use parameterized queries. They are guaranteed to protect against SQL injections.
Great suggestion benjymouse. You're right, parameterized queries are more secure. They're also difficult for the amateur to handle, especially someone who is amateur enough to not know how to pass/retrieve variables from page to page. Stored procedures are quite a bit more advanced to wrestle with, but there's no doubt about it - parameterized queries are the way to go if you can handle them. You wouldn't happen to have any links on-hand to some walkthroughs/guidelines on stored procedure handling/parameterized queries, would ya? Here's one that might help - if you've got others I'm sure they would benefit the DP community as well: http://www.4guysfromrolla.com/webtech/111798-1.shtml later - VG
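To show what the parameterized query benjymouse recommends looks like in the classic ASP the thread is using, here is an added example that is not code from any poster or from the linked article. It assumes the same ?data=14 parameter as the question, an ADODB connection, and a placeholder connection string, table (Items) and column names (ItemId, Title, Notes); the value never touches the SQL text, so no apostrophe doubling or entity replacement is needed before the query.

```vbscript
<%
Option Explicit
' Added example (not from the thread): receive ?data=14 and look it up
' through a parameterized ADODB.Command instead of string concatenation.

' ADO constants, spelled out because adovbs.inc is not included here.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200

Dim strRaw, lngId
strRaw = Trim(Request.QueryString("data"))

' Server-side validation first: this page expects an integer id, so a
' non-numeric value is rejected before any database work happens.
If Not IsNumeric(strRaw) Then
    Response.Status = "400 Bad Request"
    Response.Write "data must be a number"
    Response.End
End If
lngId = CLng(strRaw)

Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
' Placeholder connection string; replace with the site's own.
conn.Open "Provider=SQLOLEDB;Data Source=DB_SERVER_PLACEHOLDER;" & _
          "Initial Catalog=DB_NAME_PLACEHOLDER;Integrated Security=SSPI;"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? marker is filled by the driver; the value is sent as data, not
' as part of the statement, so quotes in it cannot change the query.
cmd.CommandText = "SELECT Title, Notes FROM Items WHERE ItemId = ?"
cmd.Parameters.Append cmd.CreateParameter("@ItemId", adInteger, adParamInput, , lngId)

Set rs = cmd.Execute
If rs.EOF Then
    Response.Write "No such item"
Else
    ' Encode only at output time; the stored value stays unmodified.
    Response.Write Server.HTMLEncode(rs("Title") & "")
End If
rs.Close

' Free text (e.g. from a textarea) goes the same way: a typed, sized
' parameter, with the apostrophes left exactly as the user typed them.
Dim strNotes
strNotes = Trim(Request.Form("notes"))
If Len(strNotes) > 0 Then
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "UPDATE Items SET Notes = ? WHERE ItemId = ?"
    cmd.Parameters.Append cmd.CreateParameter("@Notes", adVarChar, adParamInput, 2000, strNotes)
    cmd.Parameters.Append cmd.CreateParameter("@ItemId", adInteger, adParamInput, , lngId)
    cmd.Execute
End If

conn.Close
%>
```

IsNumeric is a loose check (it also accepts forms such as "1e3" or "1,000"), so the CLng conversion is what finally fixes the type; an out-of-range value raises a VBScript error there rather than reaching the database. The parameter Size argument is left empty for adInteger but must be given for adVarChar, which is why the text parameter specifies 2000.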