[thelist] Pass ASP query string to SQL statement
Brian Cummiskey
brian at hondaswap.com
Fri Aug 10 17:47:03 CDT 2007
Groups at beachcomp.com wrote:
> vidid = request.querystring("id")
>
<snip />
> videos.Source = "SELECT * FROM videos where active=Yes and Id ='" & vidid & "'"
Dave, I have no Access experience, so I can't help you with your
question.... BUT, what you are doing is VERY unsafe. You are wide
open for SQL injection.
I highly suggest you run a regex on vidid to only allow digits into your
query.....
And that said, if you're passing IDs as numbers, you don't want the
'single quotes' around it.... but you do want them on active='Yes'
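Added example, not part of Brian's reply or Dave's original code: the concatenated query from the quoted ASP rebuilt in Python against an in-memory SQLite table, beside a version that applies the digits-only check and binds the id as a parameter. The column names Id and active come from the quoted query; the table rows, the title column and the Python/SQLite setup are constructed stand-ins for the Access database, since that is what can be run here.

```python
import re
import sqlite3

# Constructed sample rows standing in for the Access "videos" table in the
# thread. Id and active follow the quoted query; title is assumed.
SAMPLE_VIDEOS = [
    (1, "Civic swap walkthrough", "Yes"),
    (2, "Unlisted test clip", "No"),
    (3, "Integra build log", "Yes"),
]


def make_sample_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE videos (Id INTEGER PRIMARY KEY, title TEXT, active TEXT)"
    )
    conn.executemany("INSERT INTO videos VALUES (?, ?, ?)", SAMPLE_VIDEOS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, vidid):
    """Mirror of the quoted ASP: the SQL is assembled by string concatenation,
    so whatever arrives in ?id= becomes part of the statement. A value such as
    1' OR '1'='1 closes the quote and adds a condition that is always true,
    which also drops the active='Yes' filter because AND binds tighter than OR."""
    sql = "SELECT * FROM videos WHERE active='Yes' AND Id='" + vidid + "'"
    return conn.execute(sql).fetchall()


def validate_id(vidid):
    """The digits-only check the reply recommends.

    Returns the id as an int, or None for anything that is not a plain run of
    ASCII digits (quotes, spaces, an empty string, Unicode digits). The length
    cap of nine digits is an assumed limit, not something from the thread.
    """
    if vidid is None or re.fullmatch(r"[0-9]{1,9}", vidid) is None:
        return None
    return int(vidid)


def safe_lookup(conn, vidid):
    """Validated numeric id passed as a bound parameter; no quotes around the
    number, quotes kept around the string literal 'Yes'."""
    vid = validate_id(vidid)
    if vid is None:
        return []  # reject outright rather than try to clean the value up
    sql = "SELECT * FROM videos WHERE active='Yes' AND Id=?"
    return conn.execute(sql, (vid,)).fetchall()


if __name__ == "__main__":
    db = make_sample_db()
    payload = "1' OR '1'='1"
    print("concatenated :", vulnerable_lookup(db, payload))
    print("validated    :", safe_lookup(db, payload))
```

Running it shows the concatenated query returning every row, including the one marked active='No', while the validated lookup returns nothing for the same input. The regex is deliberately `[0-9]` rather than `\d`, because `\d` also matches non-ASCII digits that `int()` would happily accept.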