sending data between pages?

hi, i want to send a data by using href. like this sample.aspx?data=14 but i don't know how to get this tada back on the other page? thanks

 

Request.QueryString["data"]

 

strData = Request("data")

 

also, if you're using it to update/add data to a database, you might go ahead and cleanse your data to avoid sql injection. can be done in one line real easy - slight mod to ludwig's suggestion.

strData = replace(Request("data"), "'", "''")

if you're not updating/modifying/adding to a database, there's no need to double the apostrophes.

VG

 

usually I replace all of the following:

strData = trim(request("data"))
strData = replace(strData, "&", "&") 'replacing with a Web Safe Numeric Character
strData = replace(strData, "'", "'") 'not doubleing like VG said, but replacing with a WSNC
strData = replace(strData, """", """) 'for SQL statement to work properly
strData = replace(strData, vbCrLf, "<br>") 'if sending from a textarea field

 

Just a question that's mostly on-topic... How would you send data between pages without using a querystring? Like, if you needed to pass sensitive information from page to page, but didn't want people seeing it?

 

use method="post" and not get

 

also, if you used method = "post", you would use request.form to retrieve the data.

 

I think we did greate with VG on this.

Good luck

 

passing sensitive data is very crucial. use method="post" and combining the proper filters will somehow eliminate or atleast have a degree of security against sql injection, but still injection would be possible in the form elements u are using.

 

Also yesterday I had someone who wanted a job at my company and he used a very simepl method for protecting the data.

What he did was very simple. When you click the submit button, a JavaScript code works which encodes the password character and only then sends the info to the LOGIN file. The login file decodes the characters encoded by JavaScript and then checks whetether it mathches the data or no

Nice way, haven't thought about it before.

Surely you'll have to use METHOD="POST"

 

i think it is also better to have a server side protection too, cause client side filtration can be bypass by removing the javascript in view source.

 

Oh my God, no! This is a piece of very bad advice.

1) it will only protect you against some kind of injections, others may be wide open, giving you a false sense of security.
2) the data will effectively be in a form where it can only be used for sql, i.e. not for display/calculations, if not converted back.
3) it is not portable. some database systems may allow/require other escaping mechanisms.

I see where this is coming from: magic_quotes in PHP. That is a piece of cr&%&%/¤ language design, on par with register_globals.

Do not do this. Never. Ever. And never advice anyone else to do it, unless you want to be able to hack into their site afterwards.

Instead, use parameterized queries. They are guaranteed to protect against sql injections.

 

Man I have been using the replace method for quite a while and no problems I had till now

 

great suggestion benjymouse. you're right, parameterized queries are more secure. they're also difficult for the amateur to handle, especially someone who is amateur enough to not know how to pass/retrieve variables from page to page. Stored procedures are quite a bit more advanced to wrestle with, but there's no doubt about it - parameterized queries are the way to go if you can handle them. you wouldnt happen to have any links on-hand to some walkthroughs/guidelines on stored procedure handling/parameterized queries would ya? here's one that might help - if you've got others i'm sure they would benefit the DP community as well

http://www.4guysfromrolla.com/webtech/111798-1.shtml

later -

VG