1. The problem is that I originally passed a parameter from default to
default2 using a query string (e.g. default2.aspx?catID=X) where X is
generated from a user selection on default. X is then used to generate
a datagrid on default2.
This works fine --- except I've read that instead of passing X to page
2 using a query string, that I should protect myself from SQL injection
attacks and pass X to a stored procedure, using parameters. I read that
I shouldn't do the default2.aspx?catID=X because someone could just add
a "?catID=X; malicious code here".
2. Application Overview
It's basically a master/detail product situation.
For the code posted above, all I want to do is run a test to get the
basics working. In the test it's just a listbox on default and I want
to pass a parameter to the stored procedure on the second page, and
create a datagrid with the results.
a) take a listbox which I have populated on page default
b) and pass the parameter, catID (an integer) to page default2
c) execute a stored procedure (as listed below) with the catID as a
d) and create a datagrid with the results.
At this point I have a test page setup to figure this out:
Has a listbox on it, listbox1 and a textbox, textbox1.
When the user clicks on one of the items in the listbox, the catID
value appears in the textbox. I used this as a basic "control" test.
Now I want to pass this catID, (or, X, as above) to a stored procedure
on page DEFAULT2.
Let's call the Stored Procedure usp_test, and let's call the parameter
The stored procedure will just be a test for now so, SELECT * FROM
tblCat WHERE catID=@catID.
I am having trouble getting the "catID" value off the default page to
the default2 page.
I'm not sure if I need a global variable or where to "store" the
parameter, and then how to "recover" the parameter and use it in the
Thanks a lot for your help.
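
An added example, not part of the original post: one way default2 can keep receiving catID in the query string while treating it as untrusted input, by parsing it as an integer and binding it as a typed parameter to usp_test (`SELECT * FROM tblCat WHERE catID=@catID`). The control name `DataGrid1`, the class name `Default2` and the connection string name `CatDb` are assumptions.

```csharp
// Code-behind for default2.aspx (added example; names marked "assumed" are not from the post).
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class Default2 : Page
{
    // Assumed: <asp:DataGrid ID="DataGrid1" runat="server" /> is declared in default2.aspx.
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        // default still links to default2.aspx?catID=X.
        // The value must parse as an integer; "5; DROP TABLE ..." or a missing value fails here.
        int catId;
        if (!int.TryParse(Request.QueryString["catID"], out catId))
        {
            Response.StatusCode = 400; // reject instead of guessing a default
            Response.End();
            return;
        }

        DataGrid1.DataSource = LoadCategory(catId);
        DataGrid1.DataBind();
    }

    private static DataTable LoadCategory(int catId)
    {
        // Assumed: a connection string named "CatDb" exists in web.config.
        string cs = ConfigurationManager.ConnectionStrings["CatDb"].ConnectionString;

        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand("usp_test", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // The value travels as a typed parameter, never as part of the SQL text.
            cmd.Parameters.Add("@catID", SqlDbType.Int).Value = catId;

            DataTable table = new DataTable();
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(table); // Fill opens and closes the connection itself.
            }
            return table;
        }
    }
}
```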