I need to put a query string into a server variable so when the user posts back to the page, the variable is still in the URL (and it will not crash). How do I do this?

Here is the code that calls the page:

function GoProfile(Userid) {
    window.document.location.href = 'AdminEditProfile.asp?UserID=' + Userid;
}

Then when it posts back to the page, here is the code that calls it back:

<form action="<%=Request.ServerVariables("SCRIPT_NAME")%>" method=post id=form1 name=form1>

Since I have a line of code, like this:

prm.Append cmd.CreateParameter("@UserID", adVarchar, adParamInput,24,request.QueryString("UserID"))

on the page, if the query string is not in the URL when it posts back, it will crash (but the rest works).

Edited by djblois


It's a bad idea to put the userid in the query string; best to save this as a session, and it will be persistent across the entire site.


Thank you for that information.

Can you point me where I can find code samples to do that?

And when is it good to use a query string then?


What language are you using? Looks like asp.net.

In any server-side language you will be able to set sessions; these are handled server side and cannot be tampered with.

Once the session is set you can use regular query strings without fear of the user tampering to get unauthenticated access to part of your site.

'Sessions' are the driving force in any web portal application.


Actually, this looks like classic ASP to me... (I hope you are not coding like this in asp.net).

Here is an example of how to store a value in a session variable.

Session("name")="Daniel Blois"

To retrieve the value...

Hello <%Response.Write(Session("name"))%>

Edited by JorgeM


JorgeM is correct that it is classic ASP.

Curious when would using a query string be a good idea?


There's nothing wrong with using the query string. It's up to you as the web developer to determine the best approach for passing information between pages. You have options... query string, sessions, cookies, etc...

I generally use query string parameters. For example, take an application that displays products: it would be very common to pass the query string parameter of product id to the product details page.

However, if you want to track which user is logged in to your application, if you only use the approach of passing the user id in the query string, what will prevent someone from just changing the query string to another value? That wouldn't be very secure.

So, when security is of concern, if you do pass the value via query string, you should most definitely validate the value before you perform any type of processing on the target page.
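
An added example, not code from any poster in this thread: one way a classic ASP page like AdminEditProfile.asp could validate the UserID query string value before use and carry it through the postback, while the administrator's own login state lives in the session. The session key `IsAdmin` and the allowed UserID format are assumptions made for illustration.

```asp
<%
' Hypothetical session flag, assumed to be set by the site's login page.
' Who is logged in comes from the session, never from the URL.
If Session("IsAdmin") <> True Then
    Response.Status = "403 Forbidden"
    Response.End
End If

' The UserID of the profile being edited arrives in the query string on the
' first request; on postback it is read from the URL again or, as a fallback,
' from the hidden form field written below.
Dim userId
userId = Trim(Request.QueryString("UserID") & "")
If userId = "" Then userId = Trim(Request.Form("UserID") & "")

' Validate before any processing. Assumed format: 1 to 24 letters, digits,
' "_", "." or "-" (24 matches the size passed to CreateParameter in the question).
Dim re
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9_.-]{1,24}$"
If Not re.Test(userId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Missing or invalid UserID."
    Response.End
End If

' The validated value then goes to the existing parameterized command:
' prm.Append cmd.CreateParameter("@UserID", adVarChar, adParamInput, 24, userId)
%>
<!-- Re-append the validated UserID to the action so the postback URL keeps it;
     encode it for the URL and HTML-encode anything written into attributes. -->
<form action="<%= Server.HTMLEncode(Request.ServerVariables("SCRIPT_NAME")) %>?UserID=<%= Server.URLEncode(userId) %>" method="post" id="form1" name="form1">
    <input type="hidden" name="UserID" value="<%= Server.HTMLEncode(userId) %>">
    <!-- profile fields go here -->
    <input type="submit" value="Save">
</form>
```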



Thank you - I guess from your answer iamthwee misunderstood what userid was in this case. It is for administrators being able to pull up the users' profiles and edit in an in-house help desk site. So security is not of concern. Thank you both for your help.
