 Trying to prevent SQL injection


harrisa
Starting Member

4 Posts

Posted - 2009-09-17 : 17:21:13
Hello, I've been trying to fix all of our injectable ASP by using parameterized queries. What I'm noticing is a lot of problems using the returned recordset. For example, I cannot move back and forth through it by .MoveFirst.

Basically I've changed something like this

Set rsCat = Server.CreateObject("ADODB.Recordset")
iItemID = Request.QueryString("item")

SQLCat = "SELECT * FROM Catalog"
rsCat.open SQLCat, Conn, adOpenKeyset, adLockOptimistic

To something like this:

set objDBCommand = Server.CreateObject("ADODB.Command")
objDBCommand.ActiveConnection = Conn
objDBCommand.CommandText = "SELECT * FROM Catalog WHERE CurrentAvail=1 AND ProductNum=?"
objDBCommand.CommandType = 1   ' 1 = adCmdText
' 200 = adVarChar, 1 = adParamInput, 50 = size
set objDBParam = objDBCommand.CreateParameter("@ProductNum",200,1,50)
objDBCommand.Parameters.Append objDBParam
objDBCommand.Parameters("@ProductNum") = iItemID
set objDBParam = Nothing
'set rsCat = objDBCommand.Execute

Unfortunately much of the code to follow that does various things with the recordset does not work when using the parameterized query. Thoughts?

thanks
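An added example, not code from the poster or the thread: the same parameterized query, but with the recordset opened against the Command object so a keyset cursor can be requested, which is what makes MoveFirst/MovePrevious work again. It assumes an already-open ADODB.Connection in `Conn` and the `Catalog` table and `ProductNum` column from the question.

```vbscript
' Added example (not the poster's code): parameterized query that still
' returns a scrollable recordset. Assumes an open ADODB.Connection in Conn
' and the Catalog table / ProductNum column from the question.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1
Const adOpenKeyset = 1
Const adLockOptimistic = 3

Dim iItemID, objDBCommand, objDBParam, rsCat

' Untrusted input is never concatenated into the SQL text, only bound as a parameter.
iItemID = Request.QueryString("item")

Set objDBCommand = Server.CreateObject("ADODB.Command")
objDBCommand.ActiveConnection = Conn
objDBCommand.CommandType = adCmdText
objDBCommand.CommandText = _
    "SELECT * FROM Catalog WHERE CurrentAvail=1 AND ProductNum=?"

' Fifth argument sets the value at creation time, so no separate assignment is needed.
Set objDBParam = objDBCommand.CreateParameter("@ProductNum", adVarChar, adParamInput, 50, iItemID)
objDBCommand.Parameters.Append objDBParam

' Command.Execute returns a forward-only, read-only recordset, which is why
' MoveFirst / MovePrevious fail on it. Opening a Recordset with the Command
' object as its Source lets you choose the cursor and lock type. The
' ActiveConnection argument must be left empty: the Command already carries it.
Set rsCat = Server.CreateObject("ADODB.Recordset")
rsCat.Open objDBCommand, , adOpenKeyset, adLockOptimistic

If Not rsCat.EOF Then
    rsCat.MoveLast
    rsCat.MoveFirst   ' scrolling works on the keyset cursor
    Response.Write Server.HTMLEncode(rsCat("ProductNum"))
End If

rsCat.Close
Set rsCat = Nothing
Set objDBParam = Nothing
Set objDBCommand = Nothing
```

The rest of the page's recordset code can then stay as it was, since the cursor type is the same one the original `rsCat.Open` requested.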

robvolk
Most Valuable Yak

15732 Posts

Posted - 2009-09-17 : 17:28:46
Please do not cross post:

http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=132990