How can I make a prepared statement in classic ASP that prevents SQL injection?

This is what I have:

    sqlString = "SELECT * FROM employees WHERE lastname = '" & last_name & "'"
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = dbConn
    cmd.CommandText = sqlString
    cmd.Prepared = True
    Set recs = cmd.Execute

The problem is that the prepared statement command comes after the dynamic part of sqlString has already been built. I do not think that what I have above protects me.

Don't I need to fix this sqlString before I make a prepared statement? Reading this made me think so: How are prepared statements protected against SQL injection attacks?:

"Whereas with prepared statements we do not modify our program; it remains intact. This is the point.

First we send the program to the server

  $db->prepare("SELECT * FROM users where id=?"); 

where the data is replaced by a variable called a "placeholder", and then we send the data separately:

  $db->execute($data); 

therefore it cannot change our program and do any harm. Pretty simple, right?"

But I do not know how to write my query correctly. I also don't know how the example gets from prepare to $data. Hoping for guidance. Thanks.

+1
3 answers

Why not use the ADO Command object's parameters?

    var oCmd = Server.CreateObject("ADODB.Command");
    oCmd.ActiveConnection = dbConn;
    oCmd.CommandText = "SELECT * FROM employees WHERE lastname = ?";
    // CreateParameter(Name, Type, Direction, Size, Value): 202 = adVarWChar, 1 = adParamInput
    oCmd.Parameters.Append(oCmd.CreateParameter(undefined, 202, 1, 50, "last name"));
    var recs = oCmd.Execute();
+9
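Worked example (added here; not code from the question or from the answer above): the asker's concatenated query, which cmd.Prepared = True does not make safe, next to the parameterized form the answer describes, written in the VBScript the question uses. It assumes an open ADODB.Connection in dbConn, an employees table with a lastname column of at most 50 characters, and a form field called last_name; all of those names are taken from the question, the FindEmployeesByLastName function is invented for the example.

```vbscript
<%
' Added example, not part of the original post.
Option Explicit

' ADO constants. Classic ASP only knows these names if adovbs.inc is
' included, so define the ones used here explicitly.
Const adVarWChar   = 202
Const adParamInput = 1
Const adCmdText    = 1

Dim last_name
last_name = Request.Form("last_name")

' --- Vulnerable (the question's approach) ---
' The user's value is spliced into the SQL text, so input such as
'     ' OR 1=1 --
' becomes part of the statement. Setting cmd.Prepared = True afterwards
' only asks the server to prepare the already-injected text.
'
'   sqlString = "SELECT * FROM employees WHERE lastname = '" & last_name & "'"

' --- Parameterized (the answer's approach) ---
' The SQL text is a constant; the value travels separately as a parameter
' and is never parsed as SQL, whatever it contains.
Function FindEmployeesByLastName(conn, lastName)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT * FROM employees WHERE lastname = ?"
    cmd.Prepared = True
    ' CreateParameter(Name, Type, Direction, Size, Value).
    ' Parameters are positional: the first one appended fills the first "?".
    ' Size (50) must cover the column width; a longer value makes ADO raise
    ' an error rather than truncating silently, which fails closed.
    cmd.Parameters.Append cmd.CreateParameter("@lastname", adVarWChar, adParamInput, 50, lastName)
    Set FindEmployeesByLastName = cmd.Execute
End Function

Dim recs
Set recs = FindEmployeesByLastName(dbConn, last_name)
Do Until recs.EOF
    ' Encode on output too; SQL injection is not the only injection.
    Response.Write Server.HTMLEncode(recs("lastname")) & "<br>"
    recs.MoveNext
Loop
recs.Close
%>
```

The check a practitioner should run: submit `O'Brien` and `' OR 1=1 --` as last_name. With the parameterized function the first returns the matching rows and the second returns none (the whole string is compared as a literal); with the concatenated version the first breaks the query and the second returns every employee.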

Here is a good blog post on how to prevent SQL injection in classic ASP.

http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx

0

The easiest way is to use stored procedures in SQL and call them through commands in the same way. Otherwise, you need to escape certain characters coming from the Request object, such as single quotes and double hyphens, etc.

0
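Worked example for the stored-procedure route (added here; not code from the answer above): calling a SQL Server procedure through ADODB.Command with CommandType = adCmdStoredProc, so the value is passed as a typed parameter and no SQL text is assembled on the ASP side. It assumes an open ADODB.Connection in dbConn and the employees table from the question; the procedure name dbo.GetEmployeesByLastName and the function wrapping it are invented for the example. It also shows why the escaping alternative the answer mentions is weaker: doubling single quotes only protects values that sit inside a quoted literal.

```vbscript
<%
' Added example, not part of the original post.
' Assumed procedure on the SQL Server side:
'
'   CREATE PROCEDURE dbo.GetEmployeesByLastName @lastname NVARCHAR(50) AS
'       SELECT * FROM employees WHERE lastname = @lastname;
'
Option Explicit

Const adVarWChar      = 202
Const adParamInput    = 1
Const adCmdStoredProc = 4

Function GetEmployeesByLastName(conn, lastName)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc          ' name of a procedure, not SQL text
    cmd.CommandText = "dbo.GetEmployeesByLastName"
    ' The parameter is bound to @lastname by position; the value is never
    ' interpreted as SQL, so quotes and comment markers in it are inert.
    cmd.Parameters.Append cmd.CreateParameter("@lastname", adVarWChar, adParamInput, 50, lastName)
    Set GetEmployeesByLastName = cmd.Execute
End Function

' What a stored procedure does NOT fix: still building the call as text.
'   dbConn.Execute "EXEC dbo.GetEmployeesByLastName '" & Replace(last_name, "'", "''") & "'"
' Replace(s, "'", "''") is the escaping the answer alludes to. It only
' covers a value placed inside a single-quoted literal: a numeric
' parameter concatenated without quotes, or a procedure that itself
' concatenates @lastname into EXEC(...), is still injectable. Use the
' Parameters collection instead, as above.

Dim recs
Set recs = GetEmployeesByLastName(dbConn, Request.Form("last_name"))
Do Until recs.EOF
    Response.Write Server.HTMLEncode(recs("lastname")) & "<br>"
    recs.MoveNext
Loop
recs.Close
%>
```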
