I recently inherited a classic ASP website with a ton of inline SQL insert statements that are vulnerable to SQL injection attacks.
These insert statements are executed via the ADO command object.
Will setting the ADO Command Object's Prepared property to true ensure that the query is parameterized before execution, thus mitigating the risk of SQL injection?
This link should prove useful:
Classic ASP SQL Injection Protection
No, if you build a SQL string with values that you get directly from "outside", then a "prepared statement" will not help you.
A statement like
sSQL = "SELECT * FROM mytable WHERE mycolumn = '" & Request.QueryString("value") & "'"
is still asking for trouble. The only way to solve this is by using parameters in your query.
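To make the distinction concrete, here is an added example (not code from the question or either answer) showing the vulnerable string-building pattern next to the parameterized ADO Command version, for both a SELECT and one of the INSERT statements the question mentions. It assumes an already-open ADODB.Connection named conn and a table mytable with a varchar column mycolumn and an integer column qty; those names are placeholders, not from the page.

```vbscript
<%
' Added example, not from the original question or answers.
' Assumes an open ADODB.Connection "conn" and a hypothetical table
' mytable(mycolumn varchar(255), qty int).
Option Explicit

' ADO constants (normally supplied by adovbs.inc or the type library).
Const adCmdText = 1
Const adVarChar = 200
Const adInteger = 3
Const adParamInput = 1
Const adExecuteNoRecords = 128

' VULNERABLE: user input is spliced into the SQL text. Setting
' Command.Prepared = True would not help, because by the time the
' statement reaches the driver the injected text is already SQL.
Function FindByValueUnsafe(conn, userValue)
    Dim sSQL
    sSQL = "SELECT * FROM mytable WHERE mycolumn = '" & userValue & "'"
    Set FindByValueUnsafe = conn.Execute(sSQL)
End Function

' HARDENED: the statement text is fixed; the value travels as a typed
' parameter, so x' OR '1'='1 is matched literally, never executed.
Function FindByValueSafe(conn, userValue)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT * FROM mytable WHERE mycolumn = ?"
    cmd.Parameters.Append cmd.CreateParameter("mycolumn", adVarChar, adParamInput, 255, userValue)
    Set FindByValueSafe = cmd.Execute
End Function

' Same pattern for the inline INSERT statements the question describes.
' CLng raises a runtime error on non-numeric input, which is preferable
' to letting arbitrary text reach the database.
Sub InsertRowSafe(conn, name, qty)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO mytable (mycolumn, qty) VALUES (?, ?)"
    cmd.Parameters.Append cmd.CreateParameter("mycolumn", adVarChar, adParamInput, 255, name)
    cmd.Parameters.Append cmd.CreateParameter("qty", adInteger, adParamInput, , CLng(qty))
    cmd.Execute , , adExecuteNoRecords
End Sub

' Usage from a request handler:
' Set rs = FindByValueSafe(conn, Request.QueryString("value"))
' InsertRowSafe conn, Request.Form("name"), Request.Form("qty")
%>
```

The point to take from the two versions is that the fix is moving the untrusted value out of CommandText and into Parameters; Prepared only controls whether the provider compiles the (already complete) statement once for reuse, so it is orthogonal to injection.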