gabsferreira

Reputation: 3137

Unable to evaluate expression

I am using a class to check for certain words in my application to prevent SQL Injection.

In the class, there is a for loop that tries to match a specific word with the words from a blacklist. If there is a match, I must redirect to the system's error page.

However, when a match is found and I try to redirect, I keep getting the error "Unable to evaluate expression."

Here is the code:

' Assumed declaration so the snippet compiles; the original post does not show it
Private blackList As String() = {"--", ";", "xp_", "'"}

Private Sub CheckInput(ByVal parameter As String)
Try
    Dim errorPage As String = "error_page.aspx?Injection=" & parameter

    For i As Integer = 0 To blackList.Length - 1
        If (parameter.IndexOf(blackList(i), StringComparison.OrdinalIgnoreCase) >= 0) Then
            'Handle the discovery of suspicious Sql characters here
            'generic error page on your site
            HttpContext.Current.Response.Redirect(errorPage)
        End If
    Next

Catch ex As Exception
    Throw ex
End Try
End Sub

Once the Try block catches the error, it keeps giving the error and doesn't redirect to the error page.

Any ideas?

Upvotes: 2

Views: 14067

Answers (2)

Mark Brackett

Reputation: 85645

The "Unable to evaluate expression" is from the Visual Studio debugger, when it sees the ThreadAbortException thrown by Response.Redirect. Without a debugger attached, your code will work as expected.

You can pass false to prevent the current request being ended (which is what the ThreadAbortException is for). You're then responsible for "ending" the request gracefully.

FWIW, you should also remove the try/catch, as it's serving no useful purpose other than hiding any exceptions. And, as mentioned, SQL parameters are the way to prevent injection - not whitelists.

Upvotes: 9

SouthShoreAK

Reputation: 4296

You might have an infinite loop. Does CheckInput run for your error page also?

Dim errorPage As String = "error_page.aspx?Injection=" & parameter

When you hit an error, you are including the same string that caused the error, thus causing the whole thing to start over again

Upvotes: 0
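Putting both answers together, here is an added example (not the asker's code and not code from either answer) of a VB.NET Web Forms page that redirects with endResponse set to False and then calls CompleteRequest so no ThreadAbortException is raised, drops the try/catch, keeps the offending input out of the error page URL so the error page cannot trigger the check again, and uses a parameterized SqlCommand so the blacklist is only defence in depth. The page class name, the ErrorPage path, the LookupUser query, the "AppDb" connection-string key and the blacklist contents are assumptions.

```vbnet
Imports System
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web
Imports System.Web.UI

' Added example; names and the query are assumptions, not the original project's code.
Partial Public Class SearchPage
    Inherits Page

    ' Fixed path with no query string: the redirect target never carries the
    ' suspicious input, so the error page cannot re-trigger CheckInput.
    Private Const ErrorPage As String = "~/error_page.aspx"

    ' Assumed blacklist. This is not what prevents injection (the parameterized
    ' command in LookupUser is); it only lets us log and redirect obvious probes.
    Private Shared ReadOnly BlackList As String() = {"--", ";", "xp_", "'"}

    ' Returns True when a redirect has been issued and the caller must stop.
    Private Function CheckInput(ByVal parameter As String) As Boolean
        For Each term As String In BlackList
            If parameter.IndexOf(term, StringComparison.OrdinalIgnoreCase) >= 0 Then
                ' endResponse:=False means no ThreadAbortException, which is what the
                ' debugger reports as "Unable to evaluate expression".
                Response.Redirect(ErrorPage, False)
                ' Skip the rest of the pipeline without aborting the thread.
                Context.ApplicationInstance.CompleteRequest()
                Return True
            End If
        Next
        Return False
    End Function

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        Dim userName As String = Request.QueryString("user")
        If String.IsNullOrEmpty(userName) Then Return

        ' Because the request is no longer aborted, we must return explicitly.
        If CheckInput(userName) Then Return

        Dim email As String = LookupUser(userName)
        If email IsNot Nothing Then
            Response.Write(HttpUtility.HtmlEncode(email))
        End If
    End Sub

    ' The user-supplied value is bound as a typed parameter, never concatenated
    ' into the SQL text, so it cannot change the statement's structure.
    Private Function LookupUser(ByVal userName As String) As String
        Dim connStr As String = ConfigurationManager.ConnectionStrings("AppDb").ConnectionString
        Using conn As New SqlConnection(connStr)
            Using cmd As New SqlCommand("SELECT Email FROM Users WHERE UserName = @user", conn)
                cmd.Parameters.Add("@user", SqlDbType.NVarChar, 100).Value = userName
                conn.Open()
                Return TryCast(cmd.ExecuteScalar(), String)
            End Using
        End Using
    End Function
End Class
```

Two things to keep in mind when adopting this: once Response.Redirect no longer ends the request, every code path after the check has to return on its own (here via the Boolean result), and the blacklist will still reject legitimate input such as the apostrophe in "O'Brien", which is another reason to rely on the parameter rather than the word list.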
