Basic Asp.net Question

Discussion in 'Scripts and Coding' started by accelerator, Jul 21, 2015.

Thread Status:
Not open for further replies.
  1. accelerator United Kingdom

    accelerator Well-Known Member

    Joined:
    Apr 2005
    Posts:
    7,461
    Likes Received:
    114
    Hi Guys

    I am trying to repair an old ASP.net script of mine. I have a rather basic question about retrieving querystring values in VB.net which seems more difficult than it should be. I am using:

    Code:
    Sub Page_Load(ByVal Sender As Object, ByVal e As EventArgs)
    
    Dim strMerchantId As String = Request.QueryString("MerchantId")
    
    End Sub
    
    But when I try and display the output in the body of my HTML page, using this:

    Code:
    <%=strMerchantId%>
    
    I get an error saying:

    Compiler Error Message: BC30451: Name 'strMerchantId' is not declared.

    I think this has something to do with the fact that the querystring is in the HttpRequest, and I've somehow got to get it from there to be made available to my page.

    Can an expert shed any light?

    Thanks
     
  3. monaghan United Kingdom

    monaghan Moderator Staff Member

    Joined:
    May 2007
    Posts:
    2,103
    Likes Received:
    70
    Probably a variable scope issue as the variable is defined within the procedure, not in the same scope as you are using it.
     
  4. accelerator United Kingdom

    accelerator Well-Known Member

    Joined:
    Apr 2005
    Posts:
    7,461
    Likes Received:
    114
    Thanks for your reply. Yes, I expect it's something like that. This is why I switched from ASP.net to PHP, as things in ASP.net always seem way more complicated than they need to be. However, it's an old script that I need to fix ...
     
  5. accelerator United Kingdom

    accelerator Well-Known Member

    Joined:
    Apr 2005
    Posts:
    7,461
    Likes Received:
    114
  6. martin-s United Kingdom

    martin-s Well-Known Member

    Joined:
    Jul 2012
    Posts:
    3,347
    Likes Received:
    226
    Typical scoping problem. If you declare a variable within a sub or function, you can only use it within a sub or function.

    That goes for pretty much any programming language.

    Want to use it globally? Declare it globally :)
     
  7. martin-s United Kingdom

    martin-s Well-Known Member

    Joined:
    Jul 2012
    Posts:
    3,347
    Likes Received:
    226
    Or, just use <%=Request.QueryString("MerchantId")%> in line in the page.

    Fully defined : System.Web.HttpContext.Current.Request.QueryString("blah")

    You should be aware that you also need to handle null strings, etc. if the qs you want doesn't exist.
     
  8. Skinner

    Skinner Well-Known Member

    Joined:
    Jul 2008
    Posts:
    4,658
    Likes Received:
    136
    I wouldn't use that example of inline code, I could inject anything into "merchantid" and gain access to your database even.

    Code:
    http://www.accsite.co.tld/merchant.php?merchantid=666; DROP ALL TABLES;
    I wouldn't even trust data given to me by God himself, even if he proved he was God by turning the Atlantic into wine, and giving me a footlong instead of this massive thing :p

    If I ain't looked into it, verified it's what I expect it to be, and as long as I expected it to be, and the type I expect, it's going nowhere.
     
  9. martin-s United Kingdom

    martin-s Well-Known Member

    Joined:
    Jul 2012
    Posts:
    3,347
    Likes Received:
    226
    Yep, goes without saying. Dumping something out to the response isn't the same as putting it through a SQL connection though :)
     
  10. accelerator United Kingdom

    accelerator Well-Known Member

    Joined:
    Apr 2005
    Posts:
    7,461
    Likes Received:
    114
    Thanks for the further comments. I will now be running a MySQL query using the querystring. The page is in a password protected admin area, but once I get the script going I probably will add some simple querystring validation.
     
  11. monaghan United Kingdom

    monaghan Moderator Staff Member

    Joined:
    May 2007
    Posts:
    2,103
    Likes Received:
    70
    Take a look at prepared queries: you write the query with placeholders and then pass in the data and run the query, which makes it more secure.
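
Added example, not part of the original thread: one way to combine the fixes discussed above (page-level variable, validated querystring value, prepared query, encoded output) in a single VB.NET page. It assumes MySQL Connector/NET (MySql.Data) is referenced and that MerchantId is a positive integer; the connection string name `MerchantDb` and the `merchants` table with its `merchant_id` and `name` columns are hypothetical.

```vbnet
<%@ Page Language="VB" %>
<%@ Import Namespace="System.Globalization" %>
<%@ Import Namespace="MySql.Data.MySqlClient" %>
<script runat="server">
    ' Page-level fields are visible to inline expressions in the markup,
    ' unlike a Dim inside Page_Load (the cause of BC30451).
    Protected strMerchantId As String = ""
    Protected strMerchantName As String = ""

    Sub Page_Load(ByVal Sender As Object, ByVal e As EventArgs)
        ' QueryString returns Nothing when the key is absent.
        Dim raw As String = Request.QueryString("MerchantId")
        Dim merchantId As Integer

        ' Assumption: a merchant id is a positive integer. NumberStyles.None
        ' accepts digits only (no sign, whitespace or separators), and
        ' TryParse returns False on Nothing, empty input or overflow.
        If Not Integer.TryParse(raw, NumberStyles.None, _
                                CultureInfo.InvariantCulture, merchantId) _
           OrElse merchantId <= 0 Then
            Response.StatusCode = 400
            strMerchantName = "Invalid merchant id"
            Return
        End If
        strMerchantId = merchantId.ToString(CultureInfo.InvariantCulture)

        ' Hypothetical connection string name, table and column names.
        Dim cs As String = System.Configuration.ConfigurationManager _
            .ConnectionStrings("MerchantDb").ConnectionString
        Using conn As New MySqlConnection(cs)
            ' The value travels as a typed parameter, never as SQL text.
            Using cmd As New MySqlCommand( _
                "SELECT name FROM merchants WHERE merchant_id = @id", conn)
                cmd.Parameters.Add("@id", MySqlDbType.Int32).Value = merchantId
                conn.Open()
                Dim result As Object = cmd.ExecuteScalar()
                If result IsNot Nothing AndAlso result IsNot DBNull.Value Then
                    strMerchantName = Convert.ToString(result)
                End If
            End Using
        End Using
    End Sub
</script>
<html>
<body>
    <!-- HtmlEncode so database or request text cannot inject markup. -->
    <p>Merchant <%= Server.HtmlEncode(strMerchantId) %>:
       <%= Server.HtmlEncode(strMerchantName) %></p>
</body>
</html>
```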
     
  12. martin-s United Kingdom

    martin-s Well-Known Member

    Joined:
    Jul 2012
    Posts:
    3,347
    Likes Received:
    226
    Google "SQL injection" to learn more about what you're up against.
     