classic ASP protection against SQL injection

Backend | Unresolved | 2 | 1874
谎友^
谎友^ 2021-01-06 12:08

I've inherited a large amount of Classic ASP code that is currently missing SQL injection protection, and I'm working on it. I've examined in detail the solutions offered

2 answers
  •  误落风尘
    2021-01-06 12:51

    The best option is to use parameterized queries. On how that is done, you must check out:

    • SQL Injection Mitigation: Using Parameterized Queries

    In PHP also, PDO (and prepared statements) allows developers to use parameterized queries to avoid SQL injection.


    Update

    Yes, you can specify parameters in a WHERE clause, and for that you can use the ADODB.Command object, as in the example below:

    ' other connection code (objCommand.ActiveConnection is set to an open ADODB.Connection)
    set objCommand = Server.CreateObject("ADODB.Command") 
    ...
    
    ' one ? placeholder per value; note the leading space in the second fragment,
    ' otherwise the two pieces join as "= ?AND" and the statement is invalid
    strSql = "SELECT name, info FROM [companies] WHERE name = ?" _ 
        & " AND info = ?;" 
    objCommand.CommandText = strSql
    ... 
    ' the parameters must already exist in objCommand.Parameters, in placeholder order
    ' (appended with objCommand.CreateParameter), before their values are assigned
    objCommand.Parameters(0).value = strName 
    objCommand.Parameters(1).value = strInfo 
    ...
    

    For more information, see the article link that I have posted above or you may want to research a little more on the topic if you want.
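A fuller version of the pattern the answer describes, added here as an example and not taken from the answer or from any library. It shows the concatenated query the question is worried about (commented out) beside a working parameterized lookup. It assumes a SQL Server connection string in strConn (placeholder), a table [companies] with varchar columns name and info, and a helper named RunCompanyLookup that exists only for this example.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit

' ADO constants (normally pulled in from adovbs.inc or a METADATA TYPELIB directive)
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

' Placeholder connection string; replace with the real one for the environment
Dim strConn
strConn = "Provider=SQLOLEDB;Data Source=SERVER_PLACEHOLDER;Initial Catalog=DB_PLACEHOLDER;Integrated Security=SSPI;"

Dim strName, strInfo
strName = Request.QueryString("name")   ' untrusted input
strInfo = Request.QueryString("info")   ' untrusted input

' --- Vulnerable form (what the inherited code does) ---
' The input is pasted into the SQL text, so a quote character in strName
' changes the statement itself rather than being compared as data:
'   strSql = "SELECT name, info FROM [companies] WHERE name = '" & strName & "'"
'   Set objRS = objConn.Execute(strSql)

' --- Hardened form: placeholders plus typed parameters (hypothetical helper) ---
Function RunCompanyLookup(objConn, strName, strInfo)
    Dim objCommand
    Set objCommand = Server.CreateObject("ADODB.Command")
    Set objCommand.ActiveConnection = objConn
    objCommand.CommandType = adCmdText
    ' The SQL text contains no user data at all, only ? placeholders
    objCommand.CommandText = "SELECT name, info FROM [companies] " & _
                             "WHERE name = ? AND info = ?;"
    ' One parameter per ?, appended in placeholder order. The driver sends the
    ' values separately from the statement, so quotes or comment markers in the
    ' input stay data and never become SQL syntax.
    objCommand.Parameters.Append objCommand.CreateParameter("name", adVarChar, adParamInput, 255, strName)
    objCommand.Parameters.Append objCommand.CreateParameter("info", adVarChar, adParamInput, 255, strInfo)
    Set RunCompanyLookup = objCommand.Execute
End Function

Dim objConn, objRS
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open strConn

Set objRS = RunCompanyLookup(objConn, strName, strInfo)
Do Until objRS.EOF
    ' Encode on output as well, so stored data cannot inject HTML into the page
    Response.Write Server.HTMLEncode(objRS("name")) & " - " & Server.HTMLEncode(objRS("info")) & "<br>"
    objRS.MoveNext
Loop

objRS.Close
objConn.Close
Set objRS = Nothing
Set objConn = Nothing
%>
```

The parameter size (255 here) should match the column width; a value longer than the declared size is truncated or rejected by the provider rather than altering the query, which is the behaviour you want when the input is untrusted.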
