 Secure Method to pass SQL Query in ASP


SamC
White Water Yakist

3467 Posts

Posted - 2003-02-13 : 10:13:10
I have an ASP page that displays a report based on an SQL query passed in a query string using ASP's response.redirect.

One technique to avoid SQL injection would be to encrypt the querystring. This may be my best option, but I'd like to consider other possibilities if any exist.

Is there any other secure method to redirect to another page perhaps passing data using a POST method? Remember, this is a server asp to server asp redirection. I don't know of any way to POST other than client side FORM submission.

Sam

joldham
Wiseass Yak Posting Master

300 Posts

Posted - 2003-02-13 : 11:12:24
Sam,

I am not 100% sure on this, but I believe there is a Server.Transfer method that can be used specifically for the purpose of transferring process from one server page to another server page. I have never used it, but it should be just like response.redirect except it executes on the server.

The following was taken from the link below:

quote:
In addition, all of the current contents for the request collections will be available to the .asp file receiving the transfer


Therefore, you do not even need to create a querystring. Simply Server.Transfer(New Page)

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iisref/html/psdk/asp/vbob9waa.asp

Hope this helps!
Jeremy



Edited by - joldham on 02/13/2003 11:13:29

SamC
White Water Yakist

3467 Posts

Posted - 2003-02-13 : 16:58:37
I've never seen the server.transfer. It's good to know and I guess if I were to save the context in a hidden field it would be the method of choice.

I hadn't thought of it when I started this thread, but the querystring specifies a context that's needed. I'm going to look into encryption techniques. A little searching turned up the following link:

http://www.4guysfromrolla.com/webtech/110599-1.shtml

It's a starting point for further reading and testing.

About 6 months ago, I know I posted somewhere on SQLTEAM that I'd have all my ASP rewritten in .NET by now. NSL unfortunately. It seems further off today than it did then. That .NET datagrid seems so far off.

On another subject, can anyone recommend a good ASP datagrid-like control?

Sam


Merkin
Funky Drop Bear Fearing SQL Dude!

4970 Posts

Posted - 2003-02-13 : 17:04:35
There was one called "ASP datagrid"; I think it was pretty popular. I've never used it, I am too much of a stubborn "I'll write my own" kinda guy.

Damian

scullee
Posting Yak Master

103 Posts

Posted - 2003-02-13 : 18:09:35
Just remember that server.transfer only came in in IIS 5, so if you are still running NT4 on the server you can't use it.


SamC
White Water Yakist

3467 Posts

Posted - 2003-02-13 : 18:35:36
I found http://www.xpandtools.com/

If it's easy enough, I'll toss together a trial page. Sometimes the learning curve kills projects like this.

I'm pretty enthusiastic about the encrypted query string however. I ought to have it implemented before I sleep tonight. Probably means 2AM!

Damian - what time is it down under? Pretty early there, isn't it?

Sam
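
The tamper-resistance goal behind the protected query string discussed in this thread, as an added example that is not part of any post: the sending page passes a report name and parameters (not SQL text) with an HMAC tag, and the receiving page verifies the tag before mapping the name to a fixed parameterized statement. It swaps signing in for encryption (values stay readable but cannot be altered) and is written in Python rather than ASP; `SECRET`, `REPORTS`, and the `ctx`/`sig` field names are assumptions.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlencode

# Assumption: key shared by the sending and receiving pages (constructed value).
SECRET = b"constructed-demo-key"
# Assumption: each report name maps to one fixed, parameterized statement.
REPORTS = {"orders_by_customer": "SELECT OrderID, Total FROM Orders WHERE CustomerID = ?"}

def _tag(payload: bytes) -> bytes:
    # HMAC-SHA256 over the encoded context, URL-safe base64 for transport.
    return base64.urlsafe_b64encode(hmac.new(SECRET, payload, hashlib.sha256).digest())

def build_redirect_query(report, params, ttl=300, now=None):
    """Sending page: serialize the report context and attach the tag."""
    exp = int(time.time() if now is None else now) + ttl
    body = json.dumps({"r": report, "p": params, "exp": exp}, sort_keys=True)
    payload = base64.urlsafe_b64encode(body.encode())
    return urlencode({"ctx": payload.decode(), "sig": _tag(payload).decode()})

def read_redirect_query(query, now=None):
    """Receiving page: verify first, then return (sql, params) for a prepared statement."""
    fields = parse_qs(query)
    try:
        payload = fields["ctx"][0].encode()
        sig = fields["sig"][0].encode()
    except KeyError:
        raise ValueError("missing ctx or sig")
    # Constant-time comparison; nothing in the payload is parsed before this passes.
    if not hmac.compare_digest(_tag(payload), sig):
        raise ValueError("signature mismatch")
    body = json.loads(base64.urlsafe_b64decode(payload))
    if body["exp"] < (time.time() if now is None else now):
        raise ValueError("expired")
    if body["r"] not in REPORTS:
        raise ValueError("unknown report")
    # The SQL text comes from the server-side table, never from the request.
    return REPORTS[body["r"]], body["p"]
```
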
