views:

426

answers:

2

I have some old Classic ASP code such as:

<html>
<head></head>
<body>
<form action="test.asp" method="post" name="fname">
<select name="clients" size="3" multiple="multiple">
       <option value="5311" selected="selected">5311</option>
       <option value="9999" selected="selected">9999</option>
</select>
<input type="submit" value="test">
</form>
<%
dim clients
clients=Request.Form("clients")
Response.Write(clients)
%>
</body>
</html>

This outputs 5311, 9999 from the Request.Form object.

If I put the same HTML in an ASP.Net app and read the Request.Form object it outputs 5311,9999.

Spot the difference: there is a space between the two.

Why is that? Is there a way I can change it so it includes the space?

Thanks

A: 

It sounds like you might be doing a replace to create part of a valid SQL statement. If that is what you're doing, it's a really, really bad idea, since an evil visitor can use this to run any SQL statements they like. A better idea, for both Classic ASP and ASP.NET, is to split on the comma, use CLng or Convert.ParseInt32 to convert to a number, and build the SQL statement using that.

svinto
A: 

I never noticed a difference in the way that Classic ASP and ASP.NET work in this regard, but the presence or absence of a space should not affect an IN clause. If you are currently just throwing the Request.Form value into a dynamically constructed SQL statement, you are potentially asking for trouble, as has been pointed out. You should parameterise it:

http://www.mikesdotnetting.com/Article/116/Parameterized-IN-clauses-with-ADO.NET-and-LINQ

MikeB
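Both answers above recommend the same two steps: split the comma-separated Request.Form value, convert each piece to an integer, and keep the values out of the SQL text. The following C# is an added example written for this page, not code from either answer or from the linked article. It assumes a hypothetical `Orders` table with an integer `ClientId` column and an ADO.NET `SqlConnection`; because the parser trims whitespace around each piece, it handles the Classic ASP "5311, 9999" form and the ASP.NET "5311,9999" form identically, so the space the question asks about stops mattering.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.Linq;

// Added example, not from the question or the answers. Table and column
// names (Orders, OrderId, ClientId) are hypothetical.
public static class ClientFilter
{
    // Turns "5311, 9999" or "5311,9999" into a list of integers. Any piece that
    // is not a whole number is rejected, so only numbers ever reach the query.
    public static IList<int> ParseClientIds(string raw)
    {
        var ids = new List<int>();
        if (string.IsNullOrWhiteSpace(raw))
            return ids;

        foreach (var part in raw.Split(','))
        {
            int id;
            // NumberStyles.Integer allows leading/trailing whitespace, so the
            // ", " separator of Classic ASP and the "," of ASP.NET parse the same.
            if (!int.TryParse(part, NumberStyles.Integer,
                              CultureInfo.InvariantCulture, out id))
                throw new ArgumentException("Invalid client id: '" + part + "'");
            ids.Add(id);
        }
        return ids;
    }

    // Builds "... WHERE ClientId IN (@c0, @c1, ...)" with one parameter per
    // value. The user-supplied values are bound as typed parameters and never
    // concatenated into the SQL string, which is what closes the injection hole.
    public static SqlCommand BuildCommand(SqlConnection conn, IList<int> ids)
    {
        if (ids.Count == 0)
            throw new ArgumentException("At least one client id is required.");

        var names = ids.Select((_, i) => "@c" + i).ToArray();
        var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT OrderId, ClientId FROM Orders WHERE ClientId IN ("
                          + string.Join(", ", names) + ")";
        for (int i = 0; i < ids.Count; i++)
            cmd.Parameters.Add(names[i], SqlDbType.Int).Value = ids[i];
        return cmd;
    }
}

// Usage inside a page or handler (Request.Form["clients"] is the multi-select value):
//   var ids = ClientFilter.ParseClientIds(Request.Form["clients"]);
//   using (var cmd = ClientFilter.BuildCommand(conn, ids))
//   using (var reader = cmd.ExecuteReader()) { /* read rows */ }
```

The only text that ends up in `CommandText` is built from the fixed placeholder names `@c0`, `@c1`, ...; the numbers themselves travel as `SqlDbType.Int` parameters, so a submitted value such as `1); DROP TABLE Orders--` fails in `ParseClientIds` long before any SQL is assembled.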