asp:QueryStringParameter and empty query string parameter

2

9

I have an asp:GridView displaying client requests using an asp:SqlDataSource. I want to limit the displayed information by client:

View.aspx has to display everything, View.aspx?client=1 has to display only requests from client ID #1.

So I'm using <asp:QueryStringParameter Name="client" QueryStringField="client" /> for query "EXEC getRequests @client".

Everything works properly when some client is specified. But it doesn't if not.

I tested my SP using SSMS - it works properly in both cases - when parameter is specified and when it isn't (NULL passed explicitly).

What do I have to do?

Thaumaturgy answered 21/4, 2010 at 22:39 Comment(4)
Looks like you're opening yourself up to some pretty serious SQL injection attack vectors with this approach. - Siliqua
@womp: How am I opening? QueryStringParameter is being added in code-behind only for users with appropriate rights and after a number of checks. - Thaumaturgy
Ah, if you're sanitizing it, then that's fine. It just looked from your question like you were using it directly. - Siliqua
@womp: I take only the client ID (int) and pass it to the SP. I'm sure this is safe to do. I don't do silly things like "SELECT ... WHERE ID=" + Request["client"] :) - Thaumaturgy
20

SqlDataSource won't fire if any of its parameters are null, unless you specify otherwise:

<asp:SqlDataSource CancelSelectOnNullParameter="False" />

It might also be necessary to add a null default value to your querystring parameter:

<asp:QueryStringParameter Name="client" QueryStringField="client" DefaultValue="" ConvertEmptyStringToNull="True" />
Ziwot answered 21/4, 2010 at 23:10 Comment(2)
Thank you very much! The first option does what I need. - Thaumaturgy
That's a really awkward default (i.e. it should fire with NULL params by default). I'm pretty sure NULL params to indicate 'everything' are very common. - Bronchia
3

You need to define a default value for the parameter for those situations, for example:

<asp:QueryStringParameter Name="client" QueryStringField="client" DefaultValue="0"/>

and then in the SP you need to verify whether the client is 0: if so, return all the clients, otherwise the specific one.

Marrilee answered 21/4, 2010 at 22:45 Comment(5)
Is it possible to set the default value to NULL (DBNull.Value)? - Thaumaturgy
Hmm, I don't think so. But is there a reason to use NULL instead of 0, -1 or something else? - Marrilee
For NULL it's easy to use the SQL built-in function ISNULL(,). Values like 0 or -1 require an additional CASE-WHEN-THEN statement in the query. - Thaumaturgy
With this URL "View.aspx?client=" I think the parameter is automatically converted to null, because it's empty. Try this and give some feedback. - Marrilee
Thank you for your participation! :) Problem is solved. See below. - Thaumaturgy
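
The NULL-means-everything pattern discussed in the comments above, as an added T-SQL example that is not part of the original thread. The procedure name getRequests and the @client parameter come from the question; the table, its columns and the rows are constructed assumptions.

```sql
-- Added example: table, columns and rows are constructed for illustration.
CREATE TABLE dbo.DemoRequests (
    RequestId INT IDENTITY PRIMARY KEY,
    ClientId  INT NOT NULL,
    Subject   NVARCHAR(100) NOT NULL
);
INSERT INTO dbo.DemoRequests (ClientId, Subject)
VALUES (1, N'Reset password'), (1, N'New invoice'), (2, N'Close account');
GO

-- @client is typed INT and defaults to NULL, so NULL means "all clients".
-- The value is only ever bound as a parameter, never concatenated into SQL text.
CREATE PROCEDURE dbo.getRequests
    @client INT = NULL
AS
BEGIN
    SET NOCOUNT ON;
    SELECT RequestId, ClientId, Subject
    FROM dbo.DemoRequests
    -- When @client is NULL, ISNULL returns the row's own ClientId, so the
    -- comparison holds for every row. This relies on ClientId being NOT NULL,
    -- because NULL = NULL does not evaluate to true in SQL.
    WHERE ClientId = ISNULL(@client, ClientId)
    ORDER BY RequestId;
END
GO

EXEC dbo.getRequests @client = NULL;  -- the View.aspx case (no filter)
EXEC dbo.getRequests @client = 1;     -- the View.aspx?client=1 case
EXEC dbo.getRequests;                 -- parameter omitted, default NULL applies
GO

-- A non-numeric value cannot be bound to the INT parameter: the call fails
-- with a type conversion error before the SELECT runs.
EXEC dbo.getRequests @client = 'abc';
GO

DROP PROCEDURE dbo.getRequests;
DROP TABLE dbo.DemoRequests;
```

On the page side, the SqlDataSource still needs CancelSelectOnNullParameter="False" for the NULL case to reach the procedure, as the first answer above describes.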
