Home/ Questions/Q 6252535
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T13:49:19+00:00

Given the following URL: domain.com/page.aspx?id=123 How can I sanitize that query string value when

  • 0

Given the following URL:

domain.com/page.aspx?id=123

How can I sanitize that query string value when it is used on a Databound Control such as a repeaters SqlDataSource?

<asp:SqlDataSource ID="projectDataSource" runat="server" 
    ConnectionString="MyConnectionStrings" 
    SelectCommand="select foo from bar">
    <SelectParameters>
        <asp:QueryStringParameter 
            DefaultValue="0" 
            Name="idfromqs" 
            QueryStringField="id" 
            Type="Int32" />
    </SelectParameters>
</asp:SqlDataSource>

Such that ?id=asdf does not result in an error?

These similar questions have good answers, but none of them seem to quite match my problem

Note: This is an internal application that is limited to a small block of local ip address. I’m less worried about malicious sql injection and more about preventing less savvy users from seeming nasty error messages.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You could use the Selecting event of the SQLDataSource where you can check the querysting value. This event fires before the Select Method is called.

    protected void SqlDataSource1_Selecting(object sender, SqlDataSourceSelectingEventArgs e)
{
    SqlDataSource1.SelectParameters.Clear(); //Clear existing parameters
    // based on your check, you can pass the default value
    SqlDataSource1.SelectParameters["idfromqs"].DefaultValue = "Set Value here";

}
    • 0