Restrict ASP.net vb.net QueryString Text to Only Numbers or Commas

Hello,

I am working on a page that can allow multiple product id's seperated by commas  and retrieve from the query string.  I have the code working but now I need to update it so that it will not take querystring parameters other than commas or numbers.

Can anyone tell me how I can update this one line of code so it only allows numbers and commas and nothing else?

strSelect = "SELECT Name, ShortName, ShortDescription, ImageSmallPath, uid, DateModified FROM dbo.Products WHERE uid IN (" + Request.QueryString("id") + ");"

If a regular expression is needed please let me know what imports or any other stuff is needed for the code to work.  I am hoping to do in as few lines as possible.

Thanks in advance,
Shawn
smowerAsked:
Who is Participating?
 
smowerAuthor Commented:
Thanks,

I actually discovered this simple solution which seems to be working.
I had to add this namespace to use a regular expression.

<%@ Import Namespace="System.Text.RegularExpressions" %>
strSelect = "SELECT Name, ShortName, ShortDescription, ImageSmallPath, uid, DateModified FROM dbo.Products WHERE uid IN (" + Regex.Replace(Request.QueryString("id"), "[^0-9\,]", "") + ");"

That seems to be working.
0
 
mrwad99Commented:
I wouldn't try and update the SQL; what I would do personally is store the result of Request.QueryString("id") in a separate string object, then call IsNumeric() on that to see if it really is numeric; if is isn't, redirect to some error page.
0
 
käµfm³d 👽Commented:
Do you understand how dangerous what you have shown is? Are you familiar with SQL Injection?
0
Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

 
smowerAuthor Commented:
Thank you. Won't the isnumeric block the commas. The commas are separators. I am planning on passing a list of comma separated values in as the query parameter so that multiple products can be looked up.  So the query string would be something like

234,347,123,568

The previous database I used had a filter values function where you could say (filtervalues; "0123456789,")

That way only those values would get through and other characters would be stripped out. Wouldn't the isnumeric come out false because of the comma seperators?

Does anyone have an example to simulate this filter and function on the one line of code?

Thank you
0
 
mrwad99Commented:
Ah yes; in that case you will want to iterate each character in the string, seeing if it is either a comma or if IsNumeric() evaluates to true; you can pass each character to IsNumeric().  Here is some pseudo code:

For Each c As Char in strID
    ' Compare 'c' to comma and pass it to IsNumeric(); if either return false you have an invalid ID
Next

Open in new window

0
 
smowerAuthor Commented:
In my testing it seems to work and seems to strip out unwanted characters.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.