[thelist] parameters in classic asp

Casey aspnet at thecrookstons.com
Fri Nov 11 16:55:58 CST 2005

I have a new client with a large site written all in classic ASP.  They have 
a login page that validates against an MS SQL database that is wide open to 
SQL injection attacks (I even demonstrated to the client: 'hi' or 1 = 1-- ).

So, I need to swap out "SELECT * FROM users WHERE userid = '" & user_id & "' 
AND password = '" & password & "'"

with parameters: "SELECT * FROM users WHERE userid = @userid AND password = 

But I am having trouble figuring out how to do this in classic ASP.  I'm 
getting rather tired trying to find the answer on Google.


To name a few.

I'm not looking for a free handout, just a point in the right direction.
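
The swap described in the post, as an added example that is not part of the original message: the login lookup run through an ADODB.Command with bound parameters. ADO text commands against SQL Server take positional `?` placeholders rather than `@userid`-style names, so the parameters are bound in the order they are appended. The form field names, the 50-character column sizes and the Application("ConnString") setting are assumptions.

```asp
<%
Option Explicit
' Added example. ADO constants (from adovbs.inc), declared inline.
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200
Const MAX_LEN = 50                      ' assumed column width for both fields

Dim conn, cmd, rs, user_id, password, loggedIn
user_id  = Request.Form("user_id")      ' assumed form field name
password = Request.Form("password")     ' assumed form field name
loggedIn = False

' CreateParameter raises an error if the value is longer than the declared
' size, so reject oversized or empty input before it reaches ADO.
If Len(user_id) > 0 And Len(user_id) <= MAX_LEN _
   And Len(password) > 0 And Len(password) <= MAX_LEN Then

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("ConnString") ' assumed: connection string kept in Application

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' Positional placeholders: the values travel as data and are never
    ' spliced into the SQL text, so quotes and "--" have no effect on it.
    cmd.CommandText = "SELECT userid FROM users WHERE userid = ? AND password = ?"
    cmd.Parameters.Append cmd.CreateParameter("userid", adVarChar, adParamInput, MAX_LEN, user_id)
    cmd.Parameters.Append cmd.CreateParameter("password", adVarChar, adParamInput, MAX_LEN, password)

    Set rs = cmd.Execute
    loggedIn = Not rs.EOF               ' a row came back only on an exact match
    rs.Close
    conn.Close
    Set rs = Nothing
    Set cmd = Nothing
    Set conn = Nothing
End If

If loggedIn Then
    Session("userid") = user_id
Else
    Response.Write "Login failed."
End If
%>
```

With this in place the string 'hi' or 1 = 1-- is compared literally against the userid column and matches no row.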

