
I have the following URL : http://localhost:52416/Controls/Support_Survey.aspx?GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9

I need to get the GUID from the URL as variable and pass it in the following stored procedure:

 database.InsertUpdate(String.Format("CALL spSurveyAnswer_Insert('{0}', '{1}','{2}');", selectValue1, txtFeedBack.Text, PassGUID_HERE));

Any idea, please?

Thanks in advance

5
  • Eeekk... SQL Injection alert! :-) Use parameters for a start! Then something like Request.Querystring["GUID"] Commented Jul 29, 2013 at 15:01
  • you could just count 36 characters backwards from the end and convert that to a guid, if you can be sure it's always at the end/same format Commented Jul 29, 2013 at 15:04
  • @Jonesy That's a terrible idea. Please, don't do that, ever. Commented Jul 29, 2013 at 15:06
  • how about a simple split function call on the URL? The question is: will you always have one ? in the url? If so, then 2 lines of code can fix your problem in regards to returning the GUID as a Param. Let me know if you would like to see a simple example Commented Jul 29, 2013 at 15:16
  • @DJKRAZE: There's built in functions to get parameters out of the query string... Commented Jul 29, 2013 at 16:06

5 Answers

6

Here's how I would recommend you do it:

var requestGuid = Request.Params["GUID"];

if (string.IsNullOrEmpty(requestGuid))
{
    throw new InvalidOperationException("The request GUID is missing from the URL");
}

Guid guid;

if (!Guid.TryParse(requestGuid, out guid))
{
    throw new InvalidOperationException("The request GUID in the URL is not correctly formatted");
}

using(var connection = new SqlConnection("connection_string"))
{
    using(var command = new SqlCommand("spSurveyAnswer_Insert", connection))
    {
        command.CommandType = CommandType.StoredProcedure;        
        command.Parameters.AddWithValue("firstParamName", selectValue1);
        command.Parameters.AddWithValue("feedbackParamName", txtFeedBack.Text);
        command.Parameters.AddWithValue("guidParamName", guid);

        command.Connection.Open();
        command.ExecuteNonQuery();
    }
}

You can't guarantee that the GUID will be in the URL OR be a valid GUID, so be defensive and check for both! Then use parameterised queries to help prevent SQL injection - since you are calling a stored procedure, you can still have SQL injection if you misuse the parameter values inside the proc, so you need to write that carefully too. Finally, also dispose of disposable resources properly.


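The answer above makes the two important points: validate the GUID before it goes anywhere near the database, and pass every value as a parameter. The following is an added example, not code from any answer on this page, that puts both into a small reusable class and shows side by side what the question's String.Format approach and a parameterised stored-procedure call actually send. It assumes a procedure declared as spSurveyAnswer_Insert(@Answer nvarchar(50), @Feedback nvarchar(max), @SurveyGuid uniqueidentifier); those parameter names and types are hypothetical and must match whatever your procedure really declares. The connection string is a placeholder, and the demo never opens the connection, so it runs without a database.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Added example (not from any answer on this page). Assumed procedure signature:
// spSurveyAnswer_Insert(@Answer nvarchar(50), @Feedback nvarchar(max), @SurveyGuid uniqueidentifier)
public static class SurveyAnswerRepository
{
    // Reads the GUID from the current request and fails closed when it is absent or malformed.
    // "D" is the hyphenated 8-4-4-4-12 form used in the question's URL; anything else is rejected.
    public static Guid ReadSurveyGuid(HttpRequest request)
    {
        string raw = request.QueryString["GUID"];
        Guid guid;
        if (string.IsNullOrWhiteSpace(raw) || !Guid.TryParseExact(raw.Trim(), "D", out guid))
        {
            throw new HttpException(400, "Survey identifier is missing or malformed.");
        }
        return guid;
    }

    // Builds the procedure call with explicitly typed parameters. The feedback text travels as a
    // parameter value, so it is never parsed as SQL whatever it contains, and the GUID is sent as
    // uniqueidentifier rather than as text. Explicit types also avoid AddWithValue's inference.
    public static SqlCommand BuildInsertCommand(SqlConnection connection,
                                                string answer, string feedback, Guid surveyGuid)
    {
        var command = new SqlCommand("spSurveyAnswer_Insert", connection);
        command.CommandType = CommandType.StoredProcedure;
        command.Parameters.Add("@Answer", SqlDbType.NVarChar, 50).Value = answer ?? string.Empty;
        command.Parameters.Add("@Feedback", SqlDbType.NVarChar, -1).Value = feedback ?? string.Empty; // -1 = nvarchar(max)
        command.Parameters.Add("@SurveyGuid", SqlDbType.UniqueIdentifier).Value = surveyGuid;
        return command;
    }

    public static void InsertAnswer(string connectionString, string answer, string feedback, Guid surveyGuid)
    {
        using (var connection = new SqlConnection(connectionString))
        using (var command = BuildInsertCommand(connection, answer, feedback, surveyGuid))
        {
            connection.Open();
            command.ExecuteNonQuery();
        }
    }

    // The question's original approach, kept only so the two can be compared.
    public static string FormatUnsafe(string answer, string feedback, Guid surveyGuid)
    {
        return String.Format("CALL spSurveyAnswer_Insert('{0}', '{1}','{2}');", answer, feedback, surveyGuid);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input: ordinary free text containing an apostrophe.
        string feedback = "It's fine, but the survey is long";
        Guid guid = Guid.Parse("4aa4caca-f5cb-11e2-b582-635fb56c00b9");

        // With String.Format the apostrophe closes the SQL string literal and the rest of the
        // value becomes part of the statement. That is the whole injection problem in one line.
        Console.WriteLine(SurveyAnswerRepository.FormatUnsafe("1", feedback, guid));

        // With parameters the statement text is just the procedure name; the values are sent
        // separately, typed. Inspect the command without executing it.
        using (var connection = new SqlConnection("Server=(local);Database=Surveys;Integrated Security=true")) // placeholder
        using (var command = SurveyAnswerRepository.BuildInsertCommand(connection, "1", feedback, guid))
        {
            Console.WriteLine(command.CommandText);
            foreach (SqlParameter p in command.Parameters)
            {
                Console.WriteLine("{0} ({1}) = {2}", p.ParameterName, p.SqlDbType, p.Value);
            }
        }
    }
}
```

Guid.TryParseExact with "D" is stricter than Guid.TryParse: braces, parentheses and the 32-digit "N" form are rejected, so the value that reaches the database is exactly the shape the URL is expected to carry. Sizing the nvarchar parameters explicitly matters because AddWithValue infers the length from each value, which produces a different plan per length and can silently truncate once the procedure's own declared size is smaller.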

3

You should use the Request's Params or QueryString (see their documentations to understand the difference) to get the GUID, and for security reasons you should use parameters in all SQL commands and queries, instead of string concatenation/formatting. I'm using the simplified syntax allowed by CommandType.StoredProcedure. The parameter names ("firstParamName", etc.) should match the actual parameter names declared in your stored procedure.

Guid myGuid = new Guid(Request.Params["GUID"]);

using (SqlConnection conn = new SqlConnection(connectionString)) // get connection
using (SqlCommand command = new SqlCommand("spSurveyAnswer_Insert", conn))
{
    conn.Open();
    command.CommandType = CommandType.StoredProcedure;

    command.Parameters.AddWithValue("firstParamName", selectValue1);
    command.Parameters.AddWithValue("feedbackParamName", txtFeedBack.Text);
    command.Parameters.AddWithValue("guidParamName", myGuid);

    command.ExecuteNonQuery();
}


0
string url = "http://localhost:52416/Controls/Support_Survey.aspx?GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9";
string lastPart = url.Split('?').Last().Replace("GUID=",string.Empty);

your code is prone to SQL Injection, so use SqlCommand.Parameters Property

    SqlCommand command = new SqlCommand(
        "CALL spSurveyAnswer_Insert(@selectValue1, @txtFeedBack, @PassGUID_HERE);", connection); // your sql command

    command.Parameters.AddWithValue("@selectValue1", selectValue1);
    command.Parameters.AddWithValue("@txtFeedBack", txtFeedBack.Text);
    command.Parameters.AddWithValue("@PassGUID_HERE", lastPart);
    command.ExecuteNonQuery();

9 Comments

command.Parameters.Add syntax should be command.Parameters.AddWithValue instead if you are wanting to use your answer
Use Request.QueryString too, don't parse the url yourself! you'll end up with GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9 instead of 4aa4caca-f5cb-11e2-b582-635fb56c00b9
@TrevorPilley Right. But I've used .Replace("GUID=",string.Empty); to get rid of GUID=. Thanks for pointing it out.
@user1671639 which will only work until someone decides that they need another value in the url and it becomes GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9&Foo=Bar at which point your code breaks again!
user1671639, in order for your answer to work, if you are not understanding why someone downvoted your answer: you would need to create the StoredProcedure on the Server and call the stored procedure based on your Sql Command, Command Type i.e. StoredProcedure, and adding Parameters. Look at Tim's example, very straightforward as well as a good learning tool
0

This should do it:

Guid myGuid = new Guid(Request.Params["GUID"]);

Casting it as an actual Guid will prevent a SQL injection attack too

2 Comments

Based on the code in the question, that alone is not enough to prevent SQL injection
@bengoesboom but it would prevent SQL from being injected from the GUID variable in the query string wouldn't it? he does not note where the values from the other parts of the sql string come from
-1
Uri url = new Uri("http://localhost:52416/Controls/Support_Survey.aspx?GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9");

string query = url.Query.TrimStart('?'); // url.Query is "?GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9"; drop the leading '?'

string guidStr = query.Replace("GUID=", "");
Guid guid = new Guid(guidStr);

1 Comment

which will only work until someone decides that they need another value in the url and it becomes GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9&Foo=Bar at which point your code breaks...
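The comment above, and the same one under the Split/Replace answer, describe the failure mode of hand-parsing the URL: it works for exactly one query-string layout. The following is an added example, not code from any answer, that extracts the GUID with HttpUtility.ParseQueryString (the same parser behind Request.QueryString) and runs both it and the naive Split/Replace approach over a set of constructed URLs, including the &Foo=Bar case from the comment. It needs a reference to System.Web; only the first sample URL comes from the question, the rest are constructed.

```csharp
using System;
using System.Collections.Specialized;
using System.Linq;
using System.Web;

// Added example (not from any answer on this page).
public static class SurveyUrl
{
    // Framework parser: handles any number of parameters, any order, case of the key, and URL encoding.
    public static bool TryGetGuid(string url, out Guid guid)
    {
        guid = Guid.Empty;
        Uri uri;
        if (!Uri.TryCreate(url, UriKind.Absolute, out uri))
        {
            return false;
        }

        // uri.Query still carries the leading '?'; ParseQueryString drops it and decodes each value.
        NameValueCollection query = HttpUtility.ParseQueryString(uri.Query);
        string raw = query["GUID"]; // null when the key is absent; the lookup is case-insensitive

        // Accept only the 36-character hyphenated form: no braces, no whitespace, no trailing text.
        return raw != null && Guid.TryParseExact(raw, "D", out guid);
    }

    // The Split/Replace approach from the answers above, kept for comparison only.
    public static string NaiveExtract(string url)
    {
        return url.Split('?').Last().Replace("GUID=", string.Empty);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed test inputs; only the first is the URL from the question.
        string[] samples =
        {
            "http://localhost:52416/Controls/Support_Survey.aspx?GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9",
            // the case raised in the comments: another parameter after the GUID
            "http://localhost:52416/Controls/Support_Survey.aspx?GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9&Foo=Bar",
            // GUID is not the first parameter and the key is lower case
            "http://localhost:52416/Controls/Support_Survey.aspx?Foo=Bar&guid=4aa4caca-f5cb-11e2-b582-635fb56c00b9",
            // no GUID at all
            "http://localhost:52416/Controls/Support_Survey.aspx?Foo=Bar",
            // truncated value
            "http://localhost:52416/Controls/Support_Survey.aspx?GUID=4aa4caca-f5cb-11e2",
            // valid GUID with trailing characters that must not be silently accepted
            "http://localhost:52416/Controls/Support_Survey.aspx?GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9xyz"
        };

        foreach (string url in samples)
        {
            Guid guid;
            bool ok = SurveyUrl.TryGetGuid(url, out guid);
            Console.WriteLine("parsed: {0,-4} {1}", ok ? "OK" : "FAIL", ok ? guid.ToString() : "(rejected)");
            Console.WriteLine("naive:  {0}", SurveyUrl.NaiveExtract(url));
            Console.WriteLine();
        }
    }
}
```

Inside an ASP.NET page you would not rebuild the Uri at all; Request.QueryString["GUID"] already gives you the decoded value and TryGetGuid's last two lines are all that remains. Returning false rather than throwing lets the caller decide between a 400 response and a redirect, but either way the value never reaches the database until it has parsed as a Guid.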
