Hi is it possible to do the following?
<a href="/Reports/report.aspx?StartDate=<% Request.Params.Get("StartDate");
%>&EndDate=<% Request.Params.Get("EndDate"); %>">View analysis</a>
Thank you.
views:
48answers:
2
+2
A:
You can do this, HOWEVER, this could allow a malicious user to provide unexpected data to the parameter.
I would highly recommend scrubbing the data and ensuring that it is what you expect BEFORE putting it to the page.
Also believe the syntax needed for the start of the code block is <%= (Note the = sign)
Mitchel Sellers
2009-04-06 16:03:57
You're quite right about the Response.Write syntax, though both seem to work in many cases.
Cerebrus
2009-04-06 16:15:13
+1
A:
Sure, it is possible! You would need to resolve the quotes, first and secondly, you should be using the ASP.NET Response.Write syntax (<%=Expression%>):
<a href='/Reports/report.aspx?StartDate=<%= Request.Params.Get("StartDate"); %>&EndDate=<%= Request.Params.Get("EndDate"); %>'>View analysis</a>
But is it recommended? I would think not. Reasons may range from opening up potential security holes (allowing unchecked querystring data to be used) to plain readability issues to code separation. Remember, this is the way Classic ASP code was written before ASP.NET came along.
It would be much better to perform this logic in the code-behind after checking the querystring for valid values and assigning the NavigateUrl of an asp:HyperLink control.
Cerebrus
2009-04-06 16:12:24