What's happening is the system is protecting you from SQL Injection by escaping your query. So what you'd need is a parameter to escape this AND a default value.
{% QueryString.ParamName|(default)-1\|(handlesqlinjection)false %}
To break this down a bit:
QueryString.ParamName
This is an alternative to using {%ParamName%}. It allows you to use additional macro syntax in it vs. simply getting a URL parameter.
|(default)-1
This is a macro parameter. There are several macro parameters, but this one is setting a default value of -1 if a value isn't provided/found.
\|(handlesqlinjection)false
This is a second macro parameter. Macro parameters are defined by using a |. BUT when using more than one parameter, you need to escape them by using a backward slash. The second macro parameter is telling the macro engine to NOT escape any special string syntax and expose your query to SQL injection.
Using the {%QueryString%} macro is OK but you ALWAYS need to make sure you do something with the value so it doesn't harm your site.
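
One way to "do something with the value" once escaping is switched off, shown as an added example that is not part of the original answer and is not the macro engine's own code. It models the macro in Python with sqlite3: resolve_unescaped, to_safe_int, the items table and the sample query strings are all constructed for illustration, and the default of -1 mirrors |(default)-1.

```python
import sqlite3

DEFAULT_ID = -1  # mirrors the |(default)-1 macro parameter

def resolve_unescaped(query_string: dict, name: str) -> str:
    """Model of the macro with escaping off: raw value, or the default if absent."""
    return query_string.get(name, str(DEFAULT_ID))

def to_safe_int(raw: str, default: int = DEFAULT_ID) -> int:
    """Accept only an optional minus sign plus ASCII digits; otherwise use the default."""
    s = raw.strip()
    digits = s[1:] if s.startswith("-") else s
    if digits.isascii() and digits.isdigit() and len(digits) <= 9:
        return int(s)
    return default

def make_db() -> sqlite3.Connection:
    # Constructed sample table standing in for the site's data.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)", [(1, "a"), (2, "b"), (3, "c")])
    return db

def lookup_concatenated(db, raw: str):
    # Weak: the unescaped text becomes part of the SQL statement itself.
    return db.execute("SELECT id FROM items WHERE id = " + raw).fetchall()

def lookup_validated(db, raw: str):
    # Hardened: the value is forced to an integer and bound as a parameter.
    return db.execute("SELECT id FROM items WHERE id = ?", (to_safe_int(raw),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal id, a missing parameter, and non-numeric text.
    for qs in ({"ParamName": "2"}, {}, {"ParamName": "2 OR 1=1"}):
        raw = resolve_unescaped(qs, "ParamName")
        print(repr(raw), lookup_concatenated(db, raw), lookup_validated(db, raw))
```

With the non-numeric input the concatenated query returns every row, while the validated lookup falls back to -1 and returns nothing.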