[thelist] parameters in classic asp

Casey aspnet at thecrookstons.com
Fri Nov 11 16:55:58 CST 2005


I have a new client with a large site written all in classic asp.  They have 
a login page that validates against an MS SQL database that is wide open to 
SQL injection attacks (I even demonstrated to the client: 'hi' or 1 = 1-- )

So, I need to swap out "SELECT * FROM users WHERE userid = '" & user_id & "' 
AND password = '" & password & "'"

with parameters: "SELECT * FROM users WHERE userid = @userid AND password = 
@password"

But I am having trouble figuring out how to do this in classic ASP.  I'm 
getting rather tired trying to find the answer on Google.

http://www.webconcerns.co.uk/asp/accessqueries/accessqueries.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ado270/htm/mdmthcreateparam.asp

To name a few.

I'm not looking for a free handout, just a point in the right direction.

Thanks. 
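The parameterised login query from the post, as an added classic ASP (VBScript/ADO) example that is not code from the original message or from the list: with the SQLOLEDB provider, ad hoc SQL takes positional "?" placeholders rather than @userid, and each value is bound through Command.CreateParameter so it never becomes part of the SQL text. The connection string, the column widths (50) and the userid/password form field names are assumptions.

```asp
<%
Option Explicit
' Added example, not code from the original post. ADO constants are given as
' literals so the page runs without adovbs.inc; if you include that file,
' delete these three Const lines to avoid a redefinition error.
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200   ' use adVarWChar (202) if the columns are nvarchar

Dim conn, cmd, rs, strConn, userId, pwd
' Assumed connection string; replace with the site's own.
strConn = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=SiteDb;Integrated Security=SSPI;"

' CStr() avoids passing a Request item object (or Empty) as the parameter value.
userId = CStr(Request.Form("userid"))
pwd = CStr(Request.Form("password"))

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open strConn

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' With SQLOLEDB, ad hoc SQL uses positional "?" placeholders, not @names.
' Parameters are bound in the order they are appended below.
cmd.CommandText = "SELECT userid FROM users WHERE userid = ? AND password = ?"

' CreateParameter(Name, Type, Direction, Size, Value); the name is only a label here.
' Size 50 is an assumed column width; match the real column definitions.
cmd.Parameters.Append cmd.CreateParameter("@userid", adVarChar, adParamInput, 50, userId)
cmd.Parameters.Append cmd.CreateParameter("@password", adVarChar, adParamInput, 50, pwd)

Set rs = cmd.Execute

' The submitted values are never spliced into the SQL text, so an input such
' as 'hi' or 1=1-- reaches the server as a plain string and matches no row.
If Not rs.EOF Then
    Response.Write "Login OK for " & Server.HTMLEncode(CStr(rs("userid")))
Else
    Response.Write "Invalid login"
End If

rs.Close : Set rs = Nothing
conn.Close : Set conn = Nothing
Set cmd = Nothing
%>
```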



