This documentation is archived and is not being maintained.

FormParameter Class

Updated: July 2008

Binds the value of an HTTP request Form field to a parameter object.

Namespace:  System.Web.UI.WebControls
Assembly:  System.Web (in System.Web.dll)

[AspNetHostingPermissionAttribute(SecurityAction.InheritanceDemand, Level = AspNetHostingPermissionLevel.Minimal)]
[AspNetHostingPermissionAttribute(SecurityAction.LinkDemand, Level = AspNetHostingPermissionLevel.Minimal)]
public class FormParameter : Parameter

You can use the FormParameter class to bind the value of a form variable in the Form collection to a parameter used in a parameterized query or command. Controls that bind data to the parameter might throw an exception if a FormParameter is specified but no corresponding form variable is passed. They might also display no data if the form variable is passed with no corresponding value. Set the DefaultValue to avoid these situations where appropriate.

The FormParameter class provides the FormField property, which identifies the name of the form variable to bind to, in addition to those inherited from the Parameter class.

Important noteImportant Note:

The FormParameter does not validate the value passed by the form element in any way; it uses the raw value. In most cases you can validate the value of the FormParameter before it is used by a data source control by handling an event, such as the Selecting, Updating, Inserting, or Deleting event exposed by the data source control you are using. If the value of the parameter does not pass your validation tests, you can cancel the data operation by setting the Cancel property of the associated CancelEventArgs class to true.

The following code example demonstrates how to insert data into a database using the SqlDataSource control and a simple ASP.NET Web page. The current data in the data table is displayed in the DropDownList control. You can add new records by entering values in the TextBox controls and clicking the button. When the button is clicked, the specified values are inserted into the database, and the DropDownList is refreshed.

Security noteSecurity Note:

This example has a text box that accepts user input, which is a potential security threat. By default, ASP.NET Web pages validate that user input does not include script or HTML elements. For more information, see Script Exploits Overview.

<%@Page  Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">

<script runat="server">
private void InsertShipper (object source, EventArgs e) {
<html xmlns="" >
  <head runat="server">
    <title>ASP.NET Example</title>
    <form id="form1" runat="server">
      Existing Shipping Companies<br />
        datavaluefield="ShipperID" />

<!-- Security Note: The SqlDataSource uses a FormParameter,
     Security Note: which does not perform validation of input from the client.
     Security Note: To validate the value of the FormParameter, handle the Inserting event. -->

        connectionstring="<%$ ConnectionStrings:MyNorthwind %>"
        selectcommand="SELECT CompanyName,ShipperID FROM Shippers"
        insertcommand="INSERT INTO Shippers (CompanyName,Phone) VALUES (@CoName,@Phone)">
            <asp:formparameter name="CoName" formfield="CompanyNameBox" />
            <asp:formparameter name="Phone"  formfield="PhoneBox" />

      <br />
      <br />
      Add new Company and Phone Number<br />

      Company Name
           runat="server" />

        ErrorMessage="Please enter a company name." />

      <br />
      Phone Number
           runat="server" />

        ErrorMessage="Please enter a phone number." />

      <br /><asp:button
           text="Insert New Shipper"
           onclick="InsertShipper" />



Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

Windows 7, Windows Vista, Windows XP SP2, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP Starter Edition, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows Server 2000 SP4, Windows Millennium Edition, Windows 98

The .NET Framework and .NET Compact Framework do not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

.NET Framework

Supported in: 3.5, 3.0, 2.0




July 2008

Added new member: . FormParameter(String, DbType, String) constructor.

SP1 feature change.