Getting a variable from URL and passing it into SqlDataSource SelectCommand

Question

"I am working in asp.net vb and I am trying to get a variable from the URL and pass it into the select statement of my sql data source. So far I have this and it doesn't work with asp.net.

    <%Dim PersonNumId as String
    PersonNumID = Request.QueryString("Person")
    Dim PersonNum2
    PersonNum2 = Convert.ToInt32(PersonNumID)%>
    <aspSqlDataSource (other information required) SelectCommand="Select Name From Interests Where ID=@PersonNumID"  />
    <SelectParameters><asp:QueryStringParameter DefaultValue="<%=PersonNum2%>" DbType=Int32/></SelectParameters

I have tried several different ways of converting it but I need the end result to be the variable that is in the query statement is an int. I am new to this so any advice would be greatly appreciated!

Answer 1

The answer ended up being simple(for someone that knows asp.net) Under the <asp:SqlDatasource><Selectparameters> there is an option for <asp:QueryStringParameter> you can enter the field that you want to query under querystringfield and I think it automatically converts or parses it to the type you want. I had this in my question but I didn't know what it actually did. I only used the querystringParameter because I saw it in an example somewhere else. So this is what I ended up getting.

    <asp:SqlDataSource (other information required) SelectCommand="Select Name From Interests Where ID=@PersonNum">
   <SelectParameters>
   <asp:QueryStringParameter Name="PersonNum" QueryStringField="Person" DbType="Int32"/></SelectParameters></asp:SqlDataSource>

Answer 2

in code behind you can try:

SqlDataSource1.SelectCommand = "Select * from notes where ID=" + Request.QueryString["ID"];

Please use best practices to protect yourself from SQL injection.