I'm about to have to deal with some SQL code in classic ASP VBScript.
I have two questions.
First, in .net, I'm used to using the System.Data.SqlClient namespace objects to perform queries. For example:
Dim conn as New SqlConnection("Data Source=MyServer;uid=myUid;pwd=myPwd;Initial Catalog=myDataBase;"
Dim cmd as New SqlCommand("Select fname From myTable where uid=@uid;", conn)
cmd.Parameters.add(New SqlParameter("@uid",100323)
conn.open()
Response.Write(cmd.ExecuteScalar())
conn.Close()
I've been told that using a parameterized query as such makes my query secure from SQL injection attacks.
I'd like to know what is the equivalent code to do such a query in classic ASP with VBScript and what similar security precautions must be used to guard against SQL injection.
There are ADODB Objects which do basically the same thing. ADODB.Command object is the equivalent to SqlCommand. From there it is basically doing the same as in .NET.
set cmd = Server.CreateOject("ADODB.Command")
cmd.CommandText = "select From Table where ID = @id")
set param = cmd.CreateParameter("@id", adInteger, adInput,0,0)
I frequently use w3schools for help about ADO objects.
来源:https://stackoverflow.com/questions/3579687/how-do-i-run-a-parameterized-sql-query-in-classic-asp-and-is-it-secure