[thelist] parameters in classic asp

thelist at cjmarsh.com
Fri Nov 11 17:45:03 CST 2005


Casey

> > So, I need to swap out "SELECT * FROM users WHERE userid = '" & user_id & "' AND password = '" & password & "'"
> >
> > with parameters: "SELECT * FROM users WHERE userid = @userid AND password = @password"

The best thing to do would be to learn a little more about ADO, and
W3Schools.com is not a bad place to start:

<http://www.w3schools.com/ado/ado_ref_command.asp>

In the meanwhile, ensure that you escape single quotes thus:

<%
' Double every single quote so user input cannot close the string literal
Function SQLSafe(ByVal strSQL)
    SQLSafe = Replace(strSQL, "'", "''")
End Function

strSQL = "SELECT * FROM users WHERE userid = '" & SQLSafe(user_id) & "'"
%>

Also, don't try to reformat input if it does not conform to your expected
pattern. For example, if you find "--" within the input string for a first
name, then gracefully exit - don't strip it out and continue. Use single
quotes around numbers thus:

"SELECT * FROM users WHERE userNumber = '1'"

Handle your errors so that detailed error messages are not displayed in the
browser, so that malicious input does not result in exposure of the database
structure.

HTH

Regards

Chris Marsh

-- 
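As an added example (not part of Chris's message or of any evolt code), here is the parameterised form of the login query the thread is about, written for classic ASP with ADO. It assumes the `users` table and the `userid`/`password` columns from the quoted question, a placeholder connection string (`CONN_STRING`) that you would replace with your own, and that both columns are varchar(50). Classic ADO with an ad hoc statement takes positional `?` markers rather than the `@userid` names used in the quoted question; the names handed to `CreateParameter` are only labels. The `IsValidUserId` pattern and the error handling at the bottom are assumptions that follow the two pieces of advice in the message: reject input that does not match the expected pattern rather than cleaning it, and never send database error text to the browser.

```vbscript
<%
Option Explicit

' ADO constants, normally pulled in with adovbs.inc; defined here so the
' page runs stand-alone.
Const adCmdText    = 1
Const adParamInput = 1
Const adVarChar    = 200

' Hypothetical connection string: replace with your own.
Const CONN_STRING = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=AppDb;Integrated Security=SSPI;"

' Returns True when a row matches the supplied credentials, False otherwise.
' The user-supplied values never become part of the SQL text: they are sent
' as typed parameters, so a quote or "--" inside them is just data.
Function CheckLogin(ByVal userId, ByVal password)
    Dim conn, cmd, rs
    CheckLogin = False

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open CONN_STRING

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' Positional "?" markers; parameters are appended in the same order.
    cmd.CommandText = "SELECT userid FROM users WHERE userid = ? AND password = ?"
    cmd.Parameters.Append cmd.CreateParameter("userid", adVarChar, adParamInput, 50, userId)
    cmd.Parameters.Append cmd.CreateParameter("password", adVarChar, adParamInput, 50, password)

    Set rs = cmd.Execute
    If Not rs.EOF Then CheckLogin = True

    rs.Close
    conn.Close
End Function

' Reject input that does not match the expected pattern instead of trying
' to clean it up. The pattern is an assumption for this example.
Function IsValidUserId(ByVal s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_]{1,50}$"
    IsValidUserId = re.Test(s)
End Function

Dim uid, pwd
uid = Request.Form("userid")
pwd = Request.Form("password")

If Not IsValidUserId(uid) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid login request."
    Response.End
End If

On Error Resume Next
If CheckLogin(uid, pwd) Then
    Response.Write "Welcome."
Else
    Response.Write "Login failed."
End If
If Err.Number <> 0 Then
    ' Log Err.Description server-side; the browser gets a generic message
    ' so a failed query cannot reveal the database structure.
    Response.Clear
    Response.Write "An error occurred."
End If
On Error GoTo 0
%>
```

The same `ADODB.Command` pattern applies to numeric columns: use `adInteger` (3) as the parameter type instead of quoting the number inside the SQL text, and a non-numeric value is rejected by ADO before the query ever reaches the server.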