How can I make a prepared statement in classic asp that prevents sql injection?

Backend  Unresolved  3  811
旧巷少年郎
旧巷少年郎 2020-12-10 21:25

I have this which works:

sqlString = "SELECT * FROM employees WHERE lastname = '" & last_name & "'"
Set cmd = Server.CreateObject("ADODB.Comma
3 answers
  •  失恋的感觉
    2020-12-10 21:52

    The easiest is using stored procedures in SQL and using Commands that way. Otherwise, you have to escape out certain characters being gathered from the Request object, like single quotes and double hyphens, etc.
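For reference, here is a parameterized version of the query from the question using ADODB.Command, so the user-supplied last name is bound as a parameter rather than concatenated into the SQL text. This is an added example, not code from the question or the answer above; the connection string is a placeholder, the ADO constants are declared inline so no adovbs.inc include is needed, and employees.lastname is assumed to be a varchar(50) column.

```vbscript
<%
Option Explicit
' Added example: parameterized SELECT in classic ASP (VBScript) with ADODB.Command.
' Assumptions: placeholder connection string; employees.lastname is varchar(50).

Const adCmdText    = 1    ' CommandText is a plain SQL string
Const adVarChar    = 200  ' parameter data type for varchar
Const adParamInput = 1    ' parameter direction: input

Dim conn, cmd, rs, last_name
last_name = Request.QueryString("last_name")

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "<CONNECTION_STRING_PLACEHOLDER>"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? marker is a positional placeholder; the user value is bound below and
' never becomes part of the SQL text, so quotes or comment markers in it are inert.
cmd.CommandText = "SELECT * FROM employees WHERE lastname = ?"
cmd.Parameters.Append cmd.CreateParameter("@lastname", adVarChar, adParamInput, 50, last_name)

Set rs = cmd.Execute

Do Until rs.EOF
    ' & "" coerces a NULL column to an empty string so HTMLEncode does not fail,
    ' and encoding on output keeps the value from being interpreted as markup.
    Response.Write Server.HTMLEncode(rs("lastname") & "") & "<br>"
    rs.MoveNext
Loop

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

With OLE DB providers the parameters are bound by position, so the name passed to CreateParameter is only a label; append the parameters in the same order as the ? markers appear in CommandText. The size argument (50 here) should match the column length so long input is rejected by the provider rather than silently truncated.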
