i am passing querystring through this coding is it correct way

gopinathtamil

<table><tr><td align=center><table border=0 cellpadding=0 cellspacing=0><tr><td><Img Width=100 height=100 src=Image.aspx?id=" & ds1.Tables(0).Rows(i)("imageId") & "></Img></td></tr></table></td></tr><tr><td align=center><a href=productdetailview.aspx?typeid=1&Productid=" & ds1.Tables(0).Rows(i)("productid") & ">" & ds1.Tables(0).Rows(i)("productname") & "</a></td></tr><tr><td align=center><font color=#ff6900>MRP Rs:-<strike>" & ds1.Tables(0).Rows(i)("price") & "</strike><font></td></tr><tr><td align=center><font color=green>Our Price Rs:-" & ds1.Tables(0).Rows(i)("ourprice") & "<font></td></tr></table>

SeMartens

Could you be so kind to format your code a bit? It is hard to read. And please give more details about what you want to achieve.

It's not a bug, it's a feature! Check out my CodeProject article Permission-by-aspect. Me in Softwareland.

Colin Angus Mackay

I presume this is a big string you are concatenating. If this is not the case then you need to provide more context with which we can help you. You have not HTML encoded the output of the database. This leaves you vulnerable to attack. If someone manages to trick your applicaiton into storing a script in your database it will be rendered to the page and the browser will just run it.

*Developer Day Scotland - Free community conference Delegate Registration Open

gopinathtamil

i need to pass two values using querystring. Dim myDataAdapter1 As SqlDataAdapter = New SqlDataAdapter("SELECT i.imageid,i.IMAGE,p.productname,p.Price,p.productid,p.ourprice FROM Product p,IMAGE i WHERE p.Typeid='1' AND i.Productid=p.Productid and p.productid in(170)", myConnection) Dim ds1 As DataSet ds1 = New DataSet myDataAdapter1.Fill(ds1, "image") Dim str As String str = "<table><tr><td align=center><table border=0 cellpadding=0 cellspacing=0><tr><td><Img Width=100 height=100 src=Image.aspx?id=" & ds1.Tables(0).Rows(i)("imageId") & "></Img></td></tr></table></td></tr><tr><td align=center> <a href=productdetailview.aspx?typeid=1&Productid=" & ds1.Tables(0).Rows(i)("productid") & " > " & ds1.Tables(0).Rows(i)("productname") & "</a></td></tr><tr><td align=center><font color=#ff6900>MRP Rs:-<strike>" & ds1.Tables(0).Rows(i)("price") & "</strike><font></td></tr><tr><td align=center><font color=green>Our Price Rs:-" & ds1.Tables(0).Rows(i)("ourprice") & "<font></td></tr></table>" Response.Write(str & "<br>") This is a dynamic creating table on vb.net...which i was mentioned on bold letters. that is called hyperlink tag which i am going to pass the value using querystring.....it correct way to mention querystring like this......