[thelist] Pass ASP query string to SQL statement

Brian Cummiskey brian at hondaswap.com
Fri Aug 10 17:47:03 CDT 2007

Groups at beachcomp.com wrote:
> vidid = request.querystring("id")
<snip />
> videos.Source = "SELECT * FROM videos where active=Yes and Id ='" & vidid &
> "'"

Dave,  I have no access experience, so i can't help you with your 
question....   BUT, what you are doing is VERY unsafe.   You are wide 
open for SQL injection.

I highly suggest you run a regex on vidid to only allow digits into your 
and that said, if you're passing ID's as numbers, you don't want the 
'single quotes' around it....      but you do want them on active='Yes'

More information about the thelist mailing list