Basic Asp.net Question

[accelerator]

Hi Guys

I am trying to repair an old ASP.net script of mine. I have a rather basic question about retrieving querystring values in VB.net which seems more difficult than it should be. I am using:

Sub Page_Load(ByVal Sender As Object, ByVal e As EventArgs)

Dim strMerchantId As String = Request.QueryString("MerchantId")

End Sub

But when I try and display the output in the body of my HTML page, using this:

<%=strMerchantId%>

I get an error saying:

Compiler Error Message: BC30451: Name 'strMerchantId' is not declared.

I think this has something to do with the fact that the querystring is in the HttpRequest, and I've somehow got to get it from there to be made available to my page.

Can an expert shed any light?

Thanks

 

[monaghan]

Probably a variable scope issue as the variable is defined within the procedure, not in the same scope as you are using it.

 

[accelerator]

Thanks for your reply. Yes, I expect it's something like that. This is why I switched from ASP.net to PHP, as things in ASP.net always seem way more complicated than they need to be. However, it's an old script that I need to fix ...

 

[accelerator]

For anyone interested, solved for me at the ASP.net forums:

https://forums.asp.net/t/2060228.aspx?Request+QueryString+usage+in+VB+net

Thanks guys

 

[martin-s]

Typical scoping problem. If you declare a variable within a sub or function, you can only use it within a sub or function.

That goes for pretty much any programming language.

Want to use it globally? Declare it globally

 

[martin-s]

Or, just use <%=Request.QueryString("MerchantId")%> in line in the page.

Fully defined : System.Web.HttpContext.Current.Request.QueryString("blah")

You should be aware that you also need to handle null strings, etc. if the qs you want doesn't exist.

 

[Skinner]

I wouldn't use that example of inline code, I could inject anything into "merchantid" and gain access to your database even.

http://www.accsite.co.tld/merchant.php?merchantid=666; DROP ALL TABLES;

I wouldn't even trust a data given to me by god himself, even if he proved he was god by turning the atlantic into wine, and giving me a footlong instead of this massive thing

If I ain't looked into it, verified its what I expect it to be, and as long as I expected it to be, and the type I expect, its going no where.

 

[martin-s]

Yep, goes without saying. Dumping something out to the response isn't the same as putting it through a SQL connection though

 

[accelerator]

Thanks for the further comments. I will now be running a MySQL query using the querystring. The page is in a password protected admin area, but once I get the script going I probably will add some simple querystring validation.

 

[monaghan]

Take a look at prepared queries, you write the query with place holders and then pass in the data and runs the query which makes more secure.

 

[martin-s]

Google "SQL injection" to learn more about what you're up against.