Solved

QueryString Parameter Doubling

Posted on 2002-07-04
Last Modified: 2006-11-17
THE SYSTEM

Our (internally developed) Client Management System (CMS) utilises a number of state maintenance techniques.  The main techniques used are: storing information in a database; hidden form variables; and QueryString variables.  Session variables are also used on a smaller scale for our shopping cart. In most cases, the information in these QueryStrings, hidden form variables and Session variables is retrieved in the ASP page and used in SQL queries.

THE PROBLEM

In recent weeks we have been experiencing problems with CMS.

Upon investigation of the Web Server logs, we noticed that the QueryStrings attached to the URLs of various ASP pages in CMS have been repeated, e.g.

1. cms/ClientModfy.asp?hidClientID=223 hidClientID=223

Or

2. cms/OrderEntry.asp?hidClientID=223&hidProductID=15 hidClientID=223&hidProductID=15

When this doubling up occurs there always seems to be a space placed after the QueryString parameters and then a repeat of the QueryString.

When these QueryString values are requested in the ASP page, the values that are retrieved are not what is expected:

Eg. Example 1 above -

Request.QueryString("hidClientID") will return  223 hidClientID=223

Example 2 above -

Request.QueryString("hidClientID") will return  223
Request.QueryString("hidProductID") will return  15 hidClientID=223, 15

Needless to say, this results in incorrect datatypes being used in the SQL Query which then results in the Web Server CPU maxing out.  

Once we became aware of what was happening, we automatically assumed we had made errors in the construction of the URL and QueryString in some of our ASP pages.  However, after going through all the pages with a fine-tooth comb, we have not been able to find any errors in the construction of URL QueryStrings.

After a number of weeks' investigation, this QueryString doubling occurs a number of times a day and seems to be completely random with no discernible pattern to the occurrences. An ASP page will be accessed without a problem, i.e. no doubling, then a minute later the same page will be accessed and the QueryString doubling will occur, which causes the CPU to max out on the Web Server.  Once the CPU comes back to normal and the same page is then accessed, it is processed without any problems.

We have now resorted to band-aid measures and incorporated code to exit the user to the home page when this QueryString doubling occurs.  This however does not solve our problem in the long term.

Any advice or direction would be appreciated.
Question by:tonyski
15 Comments
 
LVL 23

Expert Comment

by:naveenkohli
ID: 7130970
Are these QS being constructed dynamically, or are they static in HREF tags?
If it's maxing out your CPU then it's pretty bad.
Is there any way that a client can enter a URL with doubled QS values?
0
 

Author Comment

by:tonyski
ID: 7131019
In answer to your questions:
1. There are very few static/hardcoded QueryStrings.  Nearly all querystrings are created dynamically (database driven)

2. There is no way that a client can enter URLs.  All URLs are set by the script in the ASP pages and are associated with buttons or links.



0
 
LVL 1

Expert Comment

by:manshan
ID: 7131041
The first time you access the ASP page there is no problem and the processing is done.
The second time you try to access this ASP page the query string doubling problem starts.
During the first request maybe you're storing some values in a session variable and/or hidden form fields, and maybe you are using those values to create your URL for the querystring.

Do you think the values that you're storing in these session variables and/or hidden form fields are causing this problem?

Find out and post your comments here.

Thanks
0
 
LVL 20

Expert Comment

by:Silvers5
ID: 7131095
check if you are not doubling the values as said especially in session variables... also try to set a value check on the queries..
like if you expect an integer then check:
if IsNumeric(request.querystring("ClientID")) then
...
else
'invalid string
end if

Is it random or cyclic? Did you manage to reproduce the problem?
can you post some code?
I'm sure it's related to a code issue..
0
 

Author Comment

by:tonyski
ID: 7131098
No, we've gone through that process already. I have double and triple checked all hidden form fields and made sure that they have all been named differently.

Session variables are only used on a couple of pages and these have been carefully named.  In any case, session variables are not used to construct URL QueryStrings in any of our ASP pages.  

Most of the QueryStrings are created by dynamically looping through resultsets from SQL database queries.  I have also triple checked that these have been coded correctly so that the URL and associated QueryString is constructed correctly.
0
 
LVL 20

Expert Comment

by:Silvers5
ID: 7131108
Maybe you're having duplicate records entered in the database. Without code we can't help; it's like examining a patient through the phone.
0
 

Author Comment

by:tonyski
ID: 7131120
To Silvers5:-

I have now incorporated bandaid value checks, however there is still an underlying problem.  As stated previously, Session variables are not set as QueryString values. The problem is random and we have not been able to reproduce the problem.  Some code follows for your perusal.  The ASP file is an include file for a larger ASP page.  The code demonstrates how URL and QueryStrings are constructed. (for your info, the variable 'clientId' in the code snippet is set in the larger asp page that this file is contained in)

<%
     Dim objJobInfo
     Dim strJobSQL
     strLCS = "TD2"
     
     Response.Write "<TABLE BORDER=""0"" CELLPADDING=""3"" CELLSPACING=""1"" WIDTH=""100%"">" & vbCrLf
     Response.Write "<TR>" & vbCrlf
     Response.Write "<TH CLASS=TDH COLSPAN=8>Current Jobs</TH>" & vbCrLf
     Response.Write "</TR>" & vbCrlf
     Response.Write "<TR>" & vbCrlf
     Response.write "<TH CLASS=TDH>Date Created</TH>" & vbCrLf
     Response.Write "<TH CLASS=TDH>Job ID</TH>" & vbCrLf
     Response.Write "<TH CLASS=TDH>Product Name</TH>" & vbCrLf
     Response.Write "<TH CLASS=TDH>Problem Type</TH>" & vbCrLf
     Response.Write "<TH CLASS=TDH>Sub Type</TH>" & vbCrLf
     Response.Write "<TH CLASS=TDH>Status</TH>" & vbCrLf
     Response.Write "<TH CLASS=TDH>Assigned To</TH>" & vbCrLf
     Response.Write "<TH ALIGN=RIGHT CLASS=TDH><INPUT TYPE=BUTTON CLASS=TableButtons VALUE=""Add Job"" onClick=""javascript:window.open('../Jobs/JobAdd.asp?hidClientId=" & clientID & "','_self');""></TH>" & vbCrLf
     Response.Write "</TR>" & vbCrLf
     
     Set objJobInfo = Server.CreateObject("ADODB.Recordset")
     strJobSQL = "{CALL sp_JobDetails(" & clientID & ")}"
     objJobInfo.Open strJobSQL, dbConn, 1, 3
     
     Do While Not objJobInfo.EOF
          Response.Write "<TR>" & vbCrLf
          Response.Write "<TD CLASS=" & strLCS & ">" & objJobInfo("DateCreated") & "</TD>" & vbCrLf
          Response.Write "<TD CLASS=" & strLCS & ">" & objJobInfo("JobID") & "</TD>" & vbCrLf
          Response.Write "<TD CLASS=" & strLCS & ">" & objJobInfo("ProductName") & "</TD>" & vbCrLf
          Response.Write "<TD CLASS=" & strLCS & ">" & objJobInfo("ProblemType") & "</TD>" & vbCrLf
          Response.Write "<TD CLASS=" & strLCS & ">" & objJobInfo("ProblemSubType") & "</TD>" & vbCrLf
          Response.Write "<TD CLASS=" & strLCS & ">" & objJobInfo("Status") & "</TD>" & vbCrLf
          Response.Write "<TD CLASS=" & strLCS & ">" & objJobInfo("FullName") & "</TD>" & vbCrLf
          Response.Write "<TD ALIGN=RIGHT CLASS=" & strLCS & "><INPUT TYPE=BUTTON CLASS=TableButtons VALUE=Revise onClick=""javascript:window.open('../Jobs/JobModify.asp?hidClientId=" & clientID & "&hidJobId=" & objJobInfo("JobID") & "','_self');""</TD>" & vbCrLf
          Response.Write "</TR>" & vbCrLf
               
          objJobInfo.MoveNext
          If strLCS = "TD1" Then strLCS = "TD2" Else strLCS = "TD1"
     Loop
     
     Response.Write "</TABLE>" & vbCrLf
%>
0
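A stricter form of the value check discussed in this thread, applied to the `sp_JobDetails` call from the include file posted above; this is an added example, not code from the thread. `TryGetIntParam` is a hypothetical helper, `@ClientID` is an assumed parameter name, and the check is assumed to run before any output has been written.

```vbscript
<%
' Added example (not the poster's code). Strict reader for an integer
' QueryString parameter. Returns True and sets lngValue only when the
' parameter was supplied exactly once and consists solely of 1-9 digits.
Function TryGetIntParam(strName, ByRef lngValue)
    Dim strRaw, i
    TryGetIntParam = False

    ' A repeated key (Example 2 in the question) makes ASP join the
    ' values with ", ", so anything other than one value is rejected.
    If Request.QueryString(strName).Count <> 1 Then Exit Function

    strRaw = Request.QueryString(strName)(1)
    If Len(strRaw) < 1 Or Len(strRaw) > 9 Then Exit Function

    ' Digits only. IsNumeric on its own also accepts values such as "1e3".
    ' This rejects "223 hidClientID=223" (Example 1 in the question).
    For i = 1 To Len(strRaw)
        If InStr("0123456789", Mid(strRaw, i, 1)) = 0 Then Exit Function
    Next

    lngValue = CLng(strRaw)   ' at most 9 digits, so it always fits a Long
    TryGetIntParam = True
End Function

Dim lngClientId, objCmd, objJobs
If Not TryGetIntParam("hidClientId", lngClientId) Then
    ' Reject before any database work is done (assumes no output sent yet).
    Response.Status = "400 Bad Request"
    Response.End
End If

' Pass the value as a typed parameter instead of concatenating it into SQL.
Set objCmd = Server.CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = dbConn   ' dbConn: the open connection used in the post
objCmd.CommandType = 4                 ' adCmdStoredProc
objCmd.CommandText = "sp_JobDetails"
' "@ClientID" is an assumed name; 3 = adInteger, 1 = adParamInput
objCmd.Parameters.Append objCmd.CreateParameter("@ClientID", 3, 1, , lngClientId)
Set objJobs = objCmd.Execute
%>
```

With the typed parameter, a malformed value that slips past validation fails at the ADO layer as a type mismatch and never reaches the stored procedure as SQL text.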
 
LVL 20

Expert Comment

by:Silvers5
ID: 7131141
what is the web server you are using?
Are the erroneous links coming from different client browser types?
0
 

Author Comment

by:tonyski
ID: 7131206
To Silvers5 -

The Web Server we are using is IIS4.

All system users are using either IE5.5 or IE6.0
0
 
LVL 9

Expert Comment

by:AlfaNoMore
ID: 7131455
Have you tried the most basic of fixes, shutting everything down and starting it all up again???
0
 
LVL 22

Expert Comment

by:CJ_S
ID: 7131504
No javascript code that loops through the links and changes / adds something?

No request.QueryString items you use and then re-add a certain value?

Are the log files set up to
1) store the full url
2) store the querystring

if so these items will show right after each other in the log file which you found above. I suggest you check that and eliminate that option instead of returning to code right away.

CJ
0
 
LVL 11

Expert Comment

by:mouatts
ID: 7132797
Put double quotes around ALL HTML Tag attributes eg VALUE="Revise" rather than revise.

Although the standards say these are optional it has long been a source of rather wacky problems because the browsers do not always get it right.

Secondly, do all of your forms specify the POST method? Just that a while back I discovered that if GET was used (or the method omitted) and the volume of data within the form was too great it overwrote parts of the data in the request object. The effects of this appeared quite bizarre in that if you access a data item in one way (for example a response.write) you would see one thing but access it another way (e.g. within a calculation) and the results were different.

HTH
Steve
0
 

Author Comment

by:tonyski
ID: 7139079
CJ S - The log files are set up to store the full URL and QueryString.  As outlined previously, we can see when the problem occurs in the log files. We have tried to recreate the QueryString doubling but we have never been successful.  The problem occurs randomly and without pattern.

Mouatts - All our forms specify the POST method.

I will try putting double quotes around all HTML tag attributes and let you know how it goes.

0
 

Accepted Solution

by:
SpideyMod earned 0 total points
ID: 8492226
PAQ'd and points refunded.  I have also removed the erroneous deletion ping.

SpideyMod
Community Support Moderator @Experts Exchange
0
