```csharp
string query = "Select * from Products where CategoryID='" + Request.QueryString["ID"] + "' Or ProductID ='" + Request.QueryString["ID"] + "' or ProductName='" + Request.QueryString["Name"] + "'";
```

I am using the above query in productcatalog.aspx.

I am using this part

```csharp
ProductName='" + Request.QueryString["Name"] + "'"
```

to show the results of a search using a textbox entry and a button on some other page.

But I want to show the results by using LIKE in the SQL query, like:

```csharp
ProductName like '" + Request.QueryString["Name"] + "%'"
```

So if I write the query in this way:

```csharp
string query = "Select * from Products where CategoryID='" + Request.QueryString["ID"] + "' Or CategoryID='" + Request.QueryString["ID"] + "' or ProductName LIKE '" + Request.QueryString["Name"] + "%'";
```

the result of the search will be correct, but the other two query strings, e.g.

```csharp
CategoryID='" + Request.QueryString["ID"] + "'
```

and

```csharp
CategoryID='" + Request.QueryString["ID"] + "'
```

in the SQL query will not give the desired results.

If CategoryID in your database is an integer, this won't work:

```csharp
CategoryID='" + Request.QueryString["ID"] + "'
```

You won't need the single quotes:

```csharp
CategoryID=" + Request.QueryString["ID"] + "
```

But seriously, the way you're building your query is SQL injection waiting to happen:

http://en.wikipedia.org/wiki/SQL_injection

I'd seriously look at parameterizing your queries.
 
Please, please don't do it like this. Your code is screaming for a SQL injection attack.
Read the query string arguments into separate variables and validate that the values fall in an acceptable range, applying defaults to them if they do not exist in the query string. Then, once the variables are considered valid, create your SQL query variable from the sub-components. Never, ever apply non-validated user input to a query directly.
 
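Putting the two answers above together (integer IDs need no quotes, query string values get validated with defaults, and everything is bound as a parameter instead of concatenated), here is an added example that is not code from the question or from any of the answers. It assumes SQL Server through System.Data.SqlClient, that CategoryID and ProductID are INT columns, and that -1 is a safe "matches nothing" default for an unusable ID; the LIKE prefix search the asker wanted is kept, with the wildcard appended outside the SQL text.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class ProductCatalogQuery
{
    // Escapes the LIKE metacharacters in user text so a search for "10%"
    // matches the literal string instead of "anything starting with 10".
    // Pairs with the ESCAPE '\' clause in the query below (SQL Server syntax).
    public static string EscapeLikePattern(string value)
    {
        return value.Replace(@"\", @"\\")
                    .Replace("%", @"\%")
                    .Replace("_", @"\_")
                    .Replace("[", @"\[");
    }

    // idText and nameText are the raw Request.QueryString["ID"] / ["Name"] values.
    // Every user value is bound as a parameter; none of it is pasted into SQL text.
    public static SqlCommand BuildCommand(SqlConnection conn, string idText, string nameText)
    {
        // Validate the ID and fall back to a default (second answer). CategoryID and
        // ProductID are assumed to be INT columns, so an int parameter needs no quotes
        // (first answer). -1 is an assumed "matches nothing" default for a bad ID.
        int id;
        if (!int.TryParse(idText, out id) || id < 0)
        {
            id = -1;
        }

        // Prefix search: the % wildcard is appended in C#, not inside the SQL string.
        // As in the original query, an empty Name becomes "%" and matches every product.
        string pattern = EscapeLikePattern(nameText ?? string.Empty) + "%";

        var cmd = new SqlCommand(
            "SELECT * FROM Products " +
            "WHERE CategoryID = @id OR ProductID = @id " +
            "OR ProductName LIKE @name ESCAPE '\\'", conn);
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
        cmd.Parameters.Add("@name", SqlDbType.NVarChar).Value = pattern;
        return cmd;
    }
}
```

Whatever the user types into the textbox, the database only ever sees it as the value of @name; the query text itself never changes.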
You can always debug your code, copy this query to the backend and then run it there.
It will help you get to the exact root of the problem.
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)