Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

ASP & Javascript & Passing values in querystring

Status
Not open for further replies.
Lbob

Lbob

Programmer
May 23, 2003
157
GB
Hi

I'm trying to pass through a string in the querystring and I can't work out how to pass through a string with & or ' in it!!

This is what I've got and it's not working! Please help

Response.Write &quot;<a href=&quot;&quot;javascript://&quot;&quot; ONCLICK=&quot;&quot;window.open('popup.asp?Action=Edit&ID=&quot; &_
rs(&quot;ID&quot;) & &quot;&Name=&quot; & rs(&quot;Name&quot;) & &quot;', 'newwindow', config='height=250,width=400,left=700,top=200,&quot; &_
&quot;toolbar=no, menubar=no,&quot; &_
&quot;scrollbars=no, resizable=yes,location=no, directories=no, status=no')&quot;&quot;>&quot; & rs(&quot;Name&quot;) & &quot;</a>&quot;
 
Sort by date Sort by votes
Try this way, should be more visible
<%
'asp code here
%>
<a href=&quot;javascript:void(0)&quot; ONCLICK=&quot;window.open('popup.asp?Action=Edit&ID=<%=rs(&quot;ID&quot;)%>&Name=<%=rs(&quot;Name&quot;)%>', 'newwindow','height=250,width=400,left=700,top=200,toolbar=no, menubar=no, scrollbars=no, resizable=yes, location=no, directories=no, status=no')&quot;><%=rs(&quot;Name&quot;) </a>
<%
'asp code here
%>

________
George, M
 
Upvote 0 Downvote
don't suppose it's possible to use Request.Form and store them in hidden html variables?

-kaht
 
Upvote 0 Downvote
you could use onclick form1.submit and use hidden form variables posted to the new page...

on popup.asp you would add request.form(&quot;action&quot;) and request.form(&quot;ID&quot;)


or you could use:
&quot;popup.asp?action=Edit&ID=<%=rs(&quot;ID&quot;)%>&Name=<%=rs(&quot;NAME&quot;)%>&quot;

each new querystring variable must have an ampersand as an indicator of additional querystring values.


see below:

<a href=&quot;javascript:void(0)&quot; ONCLICK=&quot;window.open(popup.asp?action=Edit&ID=<%=rs(&quot;ID&quot;)%>&Name=<%=rs(&quot;NAME&quot;)%>', 'newwindow','height=250,width=400,left=700,top=200,toolbar=no, menubar=no, scrollbars=no, resizable=yes, location=no, directories=no, status=no')&quot;>
 
Upvote 0 Downvote
the problem passing so much information in the querystring is it leaves you wide open for the hacker babies...

for instance, a page which is to edit the users information opens like the following.

edit.asp?name=Bob&ID=12

can easily be changed to

edit.asp?name=' or 1=1&ID=' or 1=1

it seems simple and stupid, however based on a simple query,

select * from table
where name = request.querystring(&quot;name&quot;)
and ID = request.querystring(&quot;ID&quot;)

yields one row of data
select * from table
where name = request.querystring(&quot;name&quot;) or 1=1
and ID = request.querystring(&quot;ID&quot;) or 1=1

yields your entire table.

Mother

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

penguinspeaks
  • Locked
  • Question
write HTML code within ASP line
Replies
1
Views
259
xwb
xwb
leifoet
  • Locked
  • Question
How to send HTML emails with ASP classic?
Replies
0
Views
237
leifoet
leifoet
penguinspeaks
  • Locked
  • Question
Return to current location on page after asp processes.
Replies
2
Views
190
penguinspeaks
penguinspeaks
how2trainyourdragon
  • Locked
  • Question
Request.Server variables blank for classic ASP
Replies
12
Views
468
GriffMG
GriffMG
leifoet
  • Locked
  • Question
Wrong code in a href ?
Replies
1
Views
169
leifoet
leifoet

Part and Inventory Search

Sponsor

Back
Top