  1. #1
    5 Star Lounger
    Join Date
    Jan 2001
    Location
    austin, Texas, USA
    Posts
    1,029
    Thanks
    0
    Thanked 0 Times in 0 Posts

    weird issue with request.form('element') and %

    Using VS2008, ASP.NET, framework 2 +

    I am trying to build out an app that polls form elements to prep for SQL and want to append % to the value of the form elements so that the SQL will default to "starts with" behavior. I can get this sort of thing:

    <input type="hidden" name="cs_CompanyName" value="acme%" />

    But the ASP, say

    Response.Write("This is what I got: " & Request.Form("cs_CompanyName"))

    just echoes acme...look ma, no percentage signs!

    ?? Don't get this one. I tried doubling the % in a vain attempt at escaping the char. The code that builds the input form fields uses Chr(37) as well.

    But the form field definitely pretends that a % is tacked on to the field value, so much puzzlement has ensued.

    Let me know if you need any further details, etc.

    TIA

  2. #2
    Super Moderator jscher2000
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: weird issue with request.form('element') and %

    ASP.Net might include a filter that strips certain characters that could be useful in a SQL injection attack. Can you add the % on the server side after the post, or should it be up to the user? In one ASP (Classic) form, I provide radio buttons for "exact" or "anywhere in the name" and use that selection to form the query. To save a step for the user, the form submits when the user clicks the desired radio button.

  3. #3
    5 Star Lounger

    Re: weird issue with request.form('element') and %

    The filter idea makes some sense. I wonder if it's documented anywhere? On the other hand, if .NET is discarding %'s, then why would it do so in a non-SQL string related thing like Response.Write? So it still doesn't make a whole lot of sense to me.

    The reason I am doing what I am doing is:

    1. Trying to run queries thru stored procs for display in DataGrid
    2. Want to allow the user to do things like value (strict), value@ or @value@ depending on selection
    3. I don't want the user to have to enter those @'s
    4. On some fields, value+@ is required (due to NVARCHAR's in the source data)

    From what I can see, the DataGrid control, if it runs off a stored proc, loads the input variable by executing

    <SelectParameters>
    <asp:FormParameter FormField="cs_CompanyName" Name="Name" Type="String" />
    </SelectParameters>

    and I have to append the @ to the entered FormField in some intermediary step. I am currently using server.transfer to avoid query strings and was happy to get the hidden form field values to pass using that technique, but the dropped @'s are annoying, to say the least.

    Of course, all this may end up being a non-issue if I can do what I need to using dynamic SQL rather than stored procs. I have not asked about that but in general dynamic SQL is frowned upon, so I am trying to be nice.

    Well, will keep pluggin' along

  4. #4
    Super Moderator jscher2000

    Re: weird issue with request.form('element') and %

    Another thought. Let's assume that your hidden input is posted with URL encoding. % probably is not legal in that context with nothing after it. Try %25 in your input (the URL encoding for %).

  5. #5
    5 Star Lounger

    Re: weird issue with request.form('element') and %

    Actually I believe my problem was with myself, not the code... I was assuming something that is not correct.

    What I have is a form with the submit button. Since this is .NET, I used code behind on the submit button OnClick event to implement an attempt to append % to the values in the form field and pass a host of input type = "hidden" form fields to another .aspx page. What I wanted to do, hence thought I was doing, was to read the values from the hidden fields on that second page using request or request.form, but of course I am reading the referring form input values, not the hidden values. I'd have to add another page to get that to work. So, user error. The mystery was between my ears the entire time...

    Currently I am working towards a solution using stored procs and there may be ways to insert the %'s in the stored proc side. that part of the puzzle is actually a little more important as I am essentially trying to construct a dynamic WHERE clause.
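
An added example, not code from any poster in this thread: one way to put the % on the stored proc side, as the last post suggests, so the browser only ever sends the raw value plus a match mode (the radio-button idea from reply #2). The procedure, table and column names and the `@MatchMode` parameter are hypothetical; `@Name` corresponds to the `Name` select parameter shown in post #3.

```sql
-- Added example (T-SQL). dbo.SearchCompanies, dbo.Companies, CompanyId and
-- CompanyName are hypothetical names; adapt them to the real schema.
CREATE PROCEDURE dbo.SearchCompanies
    @Name      NVARCHAR(100),
    @MatchMode VARCHAR(10) = 'starts'   -- 'exact', 'starts' or 'contains'
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @Escaped NVARCHAR(200);     -- worst case: every character escaped
    DECLARE @Pattern NVARCHAR(202);     -- plus a leading and trailing %

    -- Make LIKE metacharacters typed by the user match literally.
    -- The escape character itself is handled first (innermost REPLACE).
    SET @Escaped =
        REPLACE(
            REPLACE(
                REPLACE(
                    REPLACE(@Name, N'\', N'\\'),
                    N'%', N'\%'),
                N'_', N'\_'),
            N'[', N'\[');

    -- Only the server decides where wildcards go.
    -- Any unrecognised mode falls back to "starts with".
    SET @Pattern =
        CASE @MatchMode
            WHEN 'exact'    THEN @Escaped
            WHEN 'contains' THEN N'%' + @Escaped + N'%'
            ELSE                 @Escaped + N'%'
        END;

    -- @Pattern is bound as a parameter, so no dynamic SQL string is built.
    SELECT CompanyId, CompanyName
    FROM dbo.Companies
    WHERE CompanyName LIKE @Pattern ESCAPE N'\';
END

-- Constructed sample call: returns rows whose name starts with "acme".
--   EXEC dbo.SearchCompanies @Name = N'acme', @MatchMode = 'starts';
-- Constructed sample call: the user's own % is matched literally, not as a wildcard.
--   EXEC dbo.SearchCompanies @Name = N'50%', @MatchMode = 'contains';
```

Because the wildcard is appended after the value reaches the database, nothing depends on how a trailing % survives the form post, and a user who types % or _ cannot widen the search beyond the selected mode.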
