
I'm about to have to deal with some SQL code in classic ASP VBScript.

I have two questions.

First, in .net, I'm used to using the System.Data.SqlClient namespace objects to perform queries. For example:

    Dim conn As New SqlConnection("Data Source=MyServer;uid=myUid;pwd=myPwd;Initial Catalog=myDataBase;")
    Dim cmd As New SqlCommand("Select fname From myTable where uid=@uid;", conn)
    cmd.Parameters.Add(New SqlParameter("@uid", 100323))
    conn.Open()
    Response.Write(cmd.ExecuteScalar())
    conn.Close()

I've been told that using a parameterized query as such makes my query secure from SQL injection attacks.

I'd like to know what is the equivalent code to do such a query in classic ASP with VBScript and what similar security precautions must be used to guard against SQL injection.

1 Answer


There are ADODB objects which do basically the same thing. The ADODB.Command object is the equivalent of SqlCommand. From there it is basically doing the same as in .NET.

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn                      ' conn is an open ADODB.Connection
    cmd.CommandText = "Select * From Table Where ID = ?" ' ADO uses ? as the parameter marker
    Set param = cmd.CreateParameter("@id", adInteger, adParamInput, 0, 0)
    cmd.Parameters.Append param
    Set rs = cmd.Execute

I frequently use w3schools for help about ADO objects.


1 Comment

This works but is slightly misleading. Being ADODB, even though the parameter is named @id, and the CreateParameter call is named "@id", I believe it is actually using positional parameters (as if you were just using ? ? ?). So if you have multiple values to replace, you MUST call CreateParameter(...) each time in the appropriate order.
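A complete classic ASP page that puts the answer and the comment together, as an added example rather than code from the question or the answer: two positional parameters bound in marker order, the parameter value taken from the request without string concatenation, and the result encoded on output. The connection string, the second column (status) and the request fields are assumptions.

```vbscript
<%
Option Explicit

' ADO constants, normally supplied by adovbs.inc or a METADATA type-library reference.
Const adCmdText = 1
Const adInteger = 3
Const adVarChar = 200
Const adParamInput = 1

' Placeholder connection string; substitute the real server, database and credentials.
Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=MyServer;Initial Catalog=myDataBase;User ID=myUid;Password=myPwd;"

' Request values are passed as parameters and never spliced into the SQL text.
Dim uid, status
uid = CLng(Request.QueryString("uid"))   ' CLng raises a type-mismatch error on non-numeric input
status = Request.QueryString("status")   ' assumed column; bound as a sized varchar parameter

Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' ADO binds parameters positionally: the Nth appended parameter fills the Nth ? marker,
' whatever name was given to CreateParameter.
cmd.CommandText = "Select fname From myTable Where uid = ? And status = ?"

' Append in exactly the order the ? markers appear in the statement.
cmd.Parameters.Append cmd.CreateParameter("@uid", adInteger, adParamInput, 0, uid)
cmd.Parameters.Append cmd.CreateParameter("@status", adVarChar, adParamInput, 20, status)

Dim rs
Set rs = cmd.Execute
If Not rs.EOF Then
    ' Encode on the way out so a stored value cannot inject markup into the page.
    Response.Write Server.HTMLEncode(rs("fname"))
End If

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```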
