SQL Injection solution:( ?
on 25.01.2006 20:12:03 by dotnettester
Hi,
RE: SQL2K, ASP
--------------------
I am trying to secure a data entry page and want to avoid any SQL injections.
Is there a way I can use Command.Parameters with a query (instead of a
storedproc)?
Any solution?
Thanks
Re: SQL Injection solution:( ?
on 25.01.2006 21:06:30 by reb01501
dotnettester wrote:
> Hi,
>
> RE: SQL2K, ASP
> --------------------
> I am trying to secure a data entry page and want to avoid any SQL
> injections.
>
> Is there a way I can use Command.Parameters with a query (instead of a
> storedproc)?
>
> Any solution?
>
> Thanks
Yes. Use an explicit Command object to pass parameter values to a string
containing parameter markers:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e
This does not relieve you of the responsibility to validate your user inputs
in server-side code, if only to prevent errors related to
incorrectly-entered data.
Bob Barrows
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
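
The approach described in the reply above, sketched as an added example (not part of the original post or of the linked message): an explicit ADO Command object with `?` parameter markers in the query text, preceded by server-side validation. The table `Contacts(Name, Age)`, the form fields `name` and `age`, and the `Application("ConnStr")` entry are assumptions made for illustration.

```vbscript
' Added example for a classic ASP page; place inside <% ... %>.
' Assumed names: table Contacts(Name, Age), form fields "name" and "age",
' and Application("ConnStr") holding the connection string.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarWChar = 202
Const adExecuteNoRecords = 128

Dim sName, sAge, re, cn, cmd, nRows

sName = Trim(Request.Form("name"))
sAge = Trim(Request.Form("age"))

' Server-side validation still applies, if only to reject badly entered data.
If Len(sName) = 0 Or Len(sName) > 50 Then
    Response.Write "Name is required (50 characters max)."
    Response.End
End If
Set re = New RegExp
re.Pattern = "^\d{1,3}$"   ' digits only; IsNumeric would also accept 1e3 or 1.5
If Not re.Test(sAge) Then
    Response.Write "Age must be a whole number."
    Response.End
End If

Set cn = Server.CreateObject("ADODB.Connection")
cn.Open Application("ConnStr")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandType = adCmdText
' Pattern this replaces: "... VALUES ('" & sName & "', " & sAge & ")".
' With ? markers the SQL text is fixed and user input is sent only as data.
cmd.CommandText = "INSERT INTO Contacts (Name, Age) VALUES (?, ?)"
' Parameters bind to the markers in the order they are appended.
cmd.Parameters.Append cmd.CreateParameter("Name", adVarWChar, adParamInput, 50, sName)
cmd.Parameters.Append cmd.CreateParameter("Age", adInteger, adParamInput, 4, CLng(sAge))
cmd.Execute nRows, , adCmdText Or adExecuteNoRecords

cn.Close
Set cmd = Nothing
Set cn = Nothing
Response.Write nRows & " row(s) inserted."
```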
Re: SQL Injection solution:( ?
on 29.01.2006 18:35:21 by Paul
And for another related link:
SQL Injection Walkthrough
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
Best regards,
-Paul
www.Bullschmidt.com - Freelance Web and Database Developer
www.Bullschmidt.com/DevTip.asp - Classic ASP Design Tips