Unable to evaluate expression

13,695

The "Unable to evaluate expression" is from the Visual Studio debugger, when it sees the ThreadAbortException thrown by Response.Redirect. Without a debugger attached, your code will work as expected.

You can pass false to prevent the current request being ended (which is what the ThreadAbortException is for). You're then responsible for "ending" the request gracefully.

FWIW, you should also remove the try/catch, as it's serving no useful purpose other than hiding any exceptions. And, as mentioned, SQL parameters are the way to prevent injection - not whitelists.
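As an added example (not the answerer's own code) showing both points above in VB.NET: the redirect is issued with endResponse:=False and the request is completed explicitly, so no ThreadAbortException is thrown, and the user value reaches the database only as a bound parameter. The class name, the sample blacklist and the connection-string name "MyDb" are assumptions.

```vb
Imports System
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web

Public Class SafeLookup
    ' Constructed sample list; the question's real blackList is not shown.
    Private ReadOnly blackList As String() = {"--", ";", "xp_"}

    ' Returns True when the request was redirected, so the caller can stop its own work.
    Private Function RedirectIfSuspicious(ByVal parameter As String) As Boolean
        For Each word As String In blackList
            If parameter.IndexOf(word, StringComparison.OrdinalIgnoreCase) >= 0 Then
                Dim ctx As HttpContext = HttpContext.Current
                ' endResponse:=False: the request is not aborted, so no ThreadAbortException
                ' and no "Unable to evaluate expression" in the debugger.
                ctx.Response.Redirect("error_page.aspx", False)
                ' Having skipped Response.End, we end the request ourselves.
                ctx.ApplicationInstance.CompleteRequest()
                Return True
            End If
        Next
        Return False
    End Function

    ' The actual injection defence: the value is bound as a parameter,
    ' never concatenated into the SQL text, whatever characters it contains.
    Public Function CountUsersNamed(ByVal userName As String) As Integer
        Dim connStr As String = ConfigurationManager.ConnectionStrings("MyDb").ConnectionString
        Using conn As New SqlConnection(connStr)
            Using cmd As New SqlCommand("SELECT COUNT(*) FROM Users WHERE UserName = @name", conn)
                cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = userName
                conn.Open()
                Return CInt(cmd.ExecuteScalar())
            End Using
        End Using
    End Function
End Class
```

After RedirectIfSuspicious returns True the page code must itself return without writing further output, since nothing aborts the thread any more.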


gabsferreira

Brazilian self-taught developer.

Updated on June 24, 2022

Comments

  • gabsferreira (almost 2 years ago)

    I am using a class to check for certain words in my application to prevent SQL Injection.

    In the class, there is a for loop that tries to match a specific word with the words from a blacklist. If there is a match, I must redirect to the system's error page.

    However, when a match is found and I try to redirect, I keep getting the error "Unable to evaluate expression."

    Here is the code:

    ' blackList is a String() field declared elsewhere in the class (not shown in the question).
    Private Sub CheckInput(ByVal parameter As String)
        Try
            Dim errorPage As String = "error_page.aspx?Injection=" & parameter

            For i As Integer = 0 To blackList.Length - 1
                If (parameter.IndexOf(blackList(i), StringComparison.OrdinalIgnoreCase) >= 0) Then
                    'Handle the discovery of suspicious Sql characters here
                    'generic error page on your site
                    HttpContext.Current.Response.Redirect(errorPage)
                End If
            Next

        Catch ex As Exception
            Throw ex
        End Try
    End Sub


    Once the Try block catches the error, it keeps giving the error and doesn't redirect to the error page.

    Any ideas?