Solved

Restrict ASP.net vb.net QueryString Text to Only Numbers or Commas

Posted on 2013-12-28
385 Views
Last Modified: 2014-01-04
Hello,

I am working on a page that can allow multiple product IDs separated by commas and retrieve them from the query string. I have the code working but now I need to update it so that it will not take querystring parameters other than commas or numbers.

Can anyone tell me how I can update this one line of code so it only allows numbers and commas and nothing else?

strSelect = "SELECT Name, ShortName, ShortDescription, ImageSmallPath, uid, DateModified FROM dbo.Products WHERE uid IN (" + Request.QueryString("id") + ");"

If a regular expression is needed please let me know what imports or any other stuff is needed for the code to work. I am hoping to do it in as few lines as possible.

Thanks in advance,
Shawn
0
Question by:smower
6 Comments
 
LVL 19

Expert Comment

by:mrwad99
ID: 39743884
I wouldn't try and update the SQL; what I would do personally is store the result of Request.QueryString("id") in a separate string object, then call IsNumeric() on that to see if it really is numeric; if it isn't, redirect to some error page.
0
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 39743885
Do you understand how dangerous what you have shown is? Are you familiar with SQL Injection?
0
 

Author Comment

by:smower
ID: 39744238
Thank you. Won't the IsNumeric block the commas? The commas are separators. I am planning on passing a list of comma separated values in as the query parameter so that multiple products can be looked up. So the query string would be something like

234,347,123,568

The previous database I used had a filter values function where you could say (filtervalues; "0123456789,")

That way only those values would get through and other characters would be stripped out. Wouldn't the IsNumeric come out false because of the comma separators?

Does anyone have an example to simulate this filter and function on the one line of code?

Thank you
0
 
LVL 19

Expert Comment

by:mrwad99
ID: 39744942
Ah yes; in that case you will want to iterate each character in the string, seeing if it is either a comma or if IsNumeric() evaluates to true; you can pass each character to IsNumeric(). Here is some pseudo-code:

Dim strID As String = Request.QueryString("id")
Dim isValid As Boolean = True
For Each c As Char In strID
    ' Compare 'c' to comma and pass it to IsNumeric(); if neither is true you have an invalid ID
    If c <> ","c AndAlso Not IsNumeric(c) Then isValid = False
Next

0
 

Accepted Solution

by:smower (earned 0 total points)
ID: 39746380
Thanks,

I actually discovered this simple solution which seems to be working.
I had to add this namespace to use a regular expression.

<%@ Import Namespace="System.Text.RegularExpressions" %>
' Strips every character that is not a digit or a comma before the value is concatenated into the SQL.
' Note: an empty or malformed list (for example "" or "1,,2") still yields invalid SQL such as IN ().
strSelect = "SELECT Name, ShortName, ShortDescription, ImageSmallPath, uid, DateModified FROM dbo.Products WHERE uid IN (" + Regex.Replace(Request.QueryString("id"), "[^0-9\,]", "") + ");"

That seems to be working.
0
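As an added example (not code from this thread or from the asker's project), here is the approach a security reviewer would recommend over the accepted regex-and-concatenate solution: parse the comma-separated list into integers, reject anything else outright instead of silently "cleaning" it, and bind each value as a typed SqlParameter so the SQL text never contains query-string input. The connection string and the 100-id cap are assumptions.

```vb
' Added example, not code from the thread. Parses the "id" query string into
' integers and builds a parameterised IN (...) query; connStr and MaxIds are assumed.
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient
Imports System.Globalization

Public Module ProductLookup

    Private Const MaxIds As Integer = 100  ' assumed cap; SQL Server allows at most 2100 parameters per command

    ' Turns "234,347,123" into a list of Int32. Returns False for anything that is
    ' not a plain list of non-negative integers ("", "1,,2", "1;DROP", "1e3", " 1").
    Public Function TryParseIdList(raw As String, ByRef ids As List(Of Integer)) As Boolean
        ids = New List(Of Integer)()
        If String.IsNullOrEmpty(raw) Then Return False
        For Each piece As String In raw.Split(","c)
            Dim id As Integer
            ' NumberStyles.None accepts digits only: no sign, whitespace, separators or exponent
            If Not Integer.TryParse(piece, NumberStyles.None, CultureInfo.InvariantCulture, id) Then
                Return False
            End If
            ids.Add(id)
        Next
        Return ids.Count <= MaxIds
    End Function

    ' Builds "... WHERE uid IN (@id0, @id1, ...)" with one typed parameter per value.
    ' The SQL text contains only parameter names generated here, never user input.
    Public Function BuildProductsCommand(conn As SqlConnection, ids As List(Of Integer)) As SqlCommand
        Dim cmd As New SqlCommand()
        cmd.Connection = conn
        Dim names As New List(Of String)()
        For i As Integer = 0 To ids.Count - 1
            Dim name As String = "@id" & i
            names.Add(name)
            cmd.Parameters.Add(name, SqlDbType.Int).Value = ids(i)
        Next
        cmd.CommandText = "SELECT Name, ShortName, ShortDescription, ImageSmallPath, uid, DateModified " &
                          "FROM dbo.Products WHERE uid IN (" & String.Join(", ", names) & ")"
        Return cmd
    End Function

End Module
```

In the page, call TryParseIdList(Request.QueryString("id"), ids) and answer with HTTP 400 when it returns False, then open the connection in a Using block and execute the command returned by BuildProductsCommand.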
 

Author Closing Comment

by:smower
ID: 39755823
In my testing it seems to work and seems to strip out unwanted characters.
0