
Why does Classic ASP Post a Multiple Select List with a space between values where ASP.Net doesn't?

Developer https://www.devze.com 2022-12-08 06:48 Source: Internet

I have an old Classic ASP code such as:

<html>
<head></head>
<body>
<form action="test.asp" method="post" name="fname">
<select name="clients" size="3" multiple="multiple">
       <option value="5311" selected="selected">5311</option>
       <option value="9999" selected="selected">9999</option>
</select>
<input type="submit" value="test">
</form>
<%
dim clients
clients=Request.Form("clients")
Response.Write(clients)
%>
</body>
</html>

This outputs 5311, 9999 from the Request.Form object

If I put the same HTML in an ASP.Net app and read the Request.Form object it outputs 5311,9999.

Spot the difference, there is a space between the two.

Why is that? Is there a way I can change it so it includes the space?

Thanks


Classic ASP has changed. Around about Windows Server 2008, probably later due to a patch or service pack, it started putting between items.

It does the same thing with field arrays. If you have 3 input boxes with the name "AMOUNT", response.write(request.amount) will display aaa, bbb, ccc

I've been working with classic ASP for around 12 years and this started happening a while ago and breaking things.

I've never seen it documented though.

Note: I can find old Microsoft documentation that specifically says a "comma delimited string"


It sounds like you might do a replace to create a part of a valid SQL statement. If that is what you're doing, it's a really, really bad idea, since an evil visitor can use this to run any SQL statements they like. A better idea, for both classic ASP and ASP.net, is to do a split on comma and use CLng or Convert.ParseInt32 to convert to a number and build the SQL statement using that.


I never noticed a difference in the way that Classic ASP and ASP.NET works in this regard, but the presence or absence of a space should not affect an IN clause. If you are currently just throwing the Request.Form value into a dynamically constructed SQL statement, you are potentially asking for trouble as has been pointed out. You should parameterise it:

http://www.mikesdotnetting.com/Article/116/Parameterized-IN-clauses-with-ADO.NET-and-LINQ
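
The approach the two answers above recommend (split on the comma, convert each item to an integer, parameterise the IN clause), as an added C# example that is not from the original posts. The `Clients` table, its column names and the `ClientFilter` class are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.Linq;

public static class ClientFilter   // hypothetical helper, not from the page
{
    // Accepts both "5311, 9999" (Classic ASP) and "5311,9999" (ASP.NET).
    public static List<int> ParseIds(string raw)
    {
        var ids = new List<int>();
        foreach (var part in (raw ?? "").Split(','))
        {
            // NumberStyles.None allows digits only: no sign, no inner whitespace, no hex.
            if (!int.TryParse(part.Trim(), NumberStyles.None,
                              CultureInfo.InvariantCulture, out int id))
                throw new FormatException("clients must contain only integer ids");
            ids.Add(id);
        }
        return ids;
    }

    // Builds "... IN (@p0, @p1, ...)". Only generated placeholder names enter
    // the SQL text; the submitted values travel as typed parameters.
    public static SqlCommand BuildCommand(SqlConnection conn, IList<int> ids)
    {
        if (ids.Count == 0) throw new ArgumentException("no ids selected");
        var names = ids.Select((_, i) => "@p" + i).ToArray();
        var cmd = new SqlCommand(
            "SELECT ClientId, Name FROM Clients WHERE ClientId IN ("  // assumed schema
            + string.Join(", ", names) + ")", conn);
        for (int i = 0; i < ids.Count; i++)
            cmd.Parameters.Add(names[i], SqlDbType.Int).Value = ids[i];
        return cmd;
    }

    public static void Main()
    {
        // Constructed inputs: the two spellings of the same form post.
        foreach (var raw in new[] { "5311, 9999", "5311,9999" })
        {
            var cmd = BuildCommand(null, ParseIds(raw));  // no connection needed to inspect
            Console.WriteLine(cmd.CommandText + "  <- " + string.Join(",",
                cmd.Parameters.Cast<SqlParameter>().Select(p => p.Value)));
        }
    }
}
```

Because each item is trimmed and parsed before use, the space that Classic ASP inserts no longer matters, and a value such as `5311) OR (1=1` is rejected with a `FormatException` instead of reaching the query.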
