Validating data source control parameters

About

I'm Mike Pope. I live in the Seattle area. I've been a technical writer and editor for over 35 years. I'm interested in software, language, music, movies, books, motorcycles, travel, and ... well, lots of stuff.

Read more ...

Blog Search

(Supports AND)

Include comments

Feed

Subscribe to the RSS feed for this blog.

See this post for info on full versus truncated feeds.

Quote

When doing botanical work in South America, steer clear of the monkeys: They will throw sticks at you with surprising accuracy.

— Botanist, Tricks of the Trade

[ view all quotations ]

Navigation

[ home ]

January 2025

25 Most-Visited Entries

1. THE most basic way to implement ASP.NET Razor security
2. Fun (or not) with noun stacks
3. Rendering HTML as HTML in Razor
4. Using the confirmation feature for ASP.NET Web Pages security
5. Changing the headlight on a 2010 Honda Shadow Phantom
6. RSS feed truncation: reader's choice
7. When in English, do like English
8. Constructing site URLs in ASP.NET Razor
9. Dude, where's my Razor API ref?
10. WebMatrix Beta 2 tip: why can't I use helpers?
11. Documenting ASP.NET Razor
12. Anniversaries in IT
13. Tech review tips and strategies (Part 1)
14. Moving a website in WebMatrix
15. Finding the right trousers
16. Blog update: Added a Facebook Like button
17. How Feynman learned to crack a safe
18. Blog feed fixed, oops
19. Moving the blog
20. Blog move successful (?)
21. Geopolitical concerns and the 4 fingers of ... change
22. Theory And Practice Of Editing New Yorker Articles [Selections]
23. Each unique different kind of its own
24. Well, THAT happened
25. SME + training doth not (necessarily) a writer make

Categories

RSS
RSS aspnet
RSS blog
RSS books
RSS editing
RSS family
RSS Friday words
RSS FridayFun
RSS funny
RSS general
RSS history
RSS house
RSS language
RSS motorcycles
RSS movies
RSS MS Word
RSS music
RSS personal
RSS politics
RSS readings
RSS roundup
RSS seattle
RSS teaching
RSS technology
RSS travel
RSS ukulele
RSS webmatrix
RSS whidbey
RSS work
RSS writing

Contact Me

Email me

Blog Statistics

Dates
First entry - 6/27/2003
Most recent entry - 9/4/2024

Totals
Posts - 2655
Comments - 2677
Hits - 2,721,674

Averages
Entries/day - 0.34
Comments/entry - 1.01
Hits/day - 346

Updated every 30 minutes. Last: 9:25 AM Pacific

Validating data source control parameters

Thursday, 9 March 2006 11:50 PM

The redoubtable Eilon Lipton came up with another nice nugget of data-source-control goodness in answer to a question at work today. Here's the scenario. You are using a SqlDataSource control to run a query like this:

Select FirstName, LastName From Employees Where EmployeeId = ?

(Here, the EmployeeId field is an integer.) You want to be able to pass the EmployeeId to the SqlDataSource control directly from the query string. No problem; the data source configuration wizard walks you right through setting that up. It ends up looking something like this:

<asp:SqlDataSource ID="SqlDataSource1" runat="server" 
   ConnectionString="<%$ ConnectionStrings:EmployeesConnectionString %>"
   SelectCommand="SELECT [FirstName], [LastNamee] FROM [Employees] 
      WHERE ([EmployeeID] = @EmployeeID)">
   <SelectParameters>
      <asp:QueryStringParameter Name="BlogID" 
         QueryStringField="ID" Type="Int32" /> 
   </SelectParameters>
</asp:SqlDataSource>

But what if someone (those darn users) passes in a query string value that's not an integer? You get one of those "Input string not in correct format" errors.

So you want to validate that the query string value is an integer. You can do this by handling the SqlDataSource control's Selecting event. There, you can extract the parameter value, test it, and cancel the event (and thus the query) if something's awry. Here's one way you might check that the query string value is an integer (or integer-able, anyway):

Protected Sub SqlDataSource1_Selecting(ByVal sender As Object, _
      ByVal e As System.Web.UI.WebControls.SqlDataSourceSelectingEventArgs)
   Dim idString As String = e.Command.Parameters(0).Value.ToString()
   Dim id As Integer
   If Int32.TryParse(idString, id) = False Then
      labelStatus.Text = "Invalid ID in query string"
      e.Cancel = True
   End If
End Sub

Pretty straightforward, eh? Problem is that it doesn't work. Or more precisely, even with this handler, you'll still see the invalid-format error.

Eilon had the workaround: in the declaration for the SqlDataSource control's parameter collection, leave the data type blank. So it looks like this:

<SelectParameters>
   <asp:QueryStringParameter Name="BlogID" 
      QueryStringField="ID"  /> 
</SelectParameters>

Look, ma, no data type. And now it works. Note that we're converting the EmployeeID to an integer in the Selecting handler, so the type is ok when the query ultimately runs. But if the parameter declaration has no type, the SqlDataSource control won't try to force the parameter value into a particular type, and no error.

[categories] aspnet, whidbey

comment [9] | link

mike's web log