3

I have this which works:

sqlString = "SELECT * FROM employees WHERE lastname = '" & last_name & "'"
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = dbConn
cmd.CommandText = sqlString
cmd.Prepared = True
Set recs = cmd.Execute

The problem I have is that above the dynamic part of sqlString is before the prepared statement command. I don't think what I have above is protecting me.

Don't I have to fix this sqlString before I do the prepared statement? Reading this made me think that: How can prepared statements protect from SQL injection attacks?:

"While in case of prepared statements we don't alter our program, it remains intact That's the point.

We are sending program to the server first

 $db->prepare("SELECT * FROM users where id=?");

where the data is substituted by some variable called "placeholder" and then we're sending the data separately:

 $db->execute($data);

so, it can't alter our program and do any harm. Quite simple - isn't it?"

But I don't know how to make my query correct. I also don't know how he got from prepare to $data. Was hoping for guidance. Thanks.

Community
  • 1
  • 1
johnny
  • 19,272
  • 52
  • 157
  • 259

3 Answers3

11

Why not use ADO command parameters?

var oCmd = Server.CreateObject("ADODB.Command");
oCmd.CommandText = "SELECT * FROM employees WHERE lastname = ?";
oCmd.Parameters.Append(oCmd.CreateParameter(undefined,202, 1, 50,"last name"))//adVarWChar
aepheus
  • 7,827
  • 7
  • 36
  • 51
0

Here's a good blog on how to prevent sql injection using classic asp.

http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx

Robert
  • 3,074
  • 3
  • 24
  • 32
0

The easiest is using stored procedures in SQL and using Commands that way.. Otherwise, you have to escape out certain characters being gathered from the Request object, like single quotes and double hyphens, etc.

Control Freak
  • 12,965
  • 30
  • 94
  • 145