Possible Duplicate:
Classic ASP SQL Injection Protection
So far, I’ve been very lucky not to have my website attacked by SQL injection, and possibly many other methods too.
I would like to know how to convert my login query to use parameters, which apparently will stop this kind of attack occurring.
My query is actually quite complicated, so I will show a simple version in this post, so then I can study the converted version and then try and implement it to my real query later.
This is what I currently have (simplified), which is asking for trouble:
username = Trim(Request("username"))
password = Trim(Request("password"))
' Untrusted input is concatenated straight into the SQL text: this is the injection point
SQL = "SELECT clientID FROM clientAccounts " & _
      "WHERE username = '" & username & "' AND password = '" & password & "';"
Set rs = conn.Execute(SQL)
I would greatly appreciate if somebody could show me how this would look, using parameters, to protect it from injection.
Regards
From http://www.uberasp.net/getarticle.aspx?id=46 :
For classic ASP, from http://blog.binarybooyah.com/blog/post/Classic-ASP-data-access-using-parameterized-SQL.aspx :
Also, don’t write your own login code if it’s for anything important (i.e., you’re okay with the possibility of a complete stranger seeing everything on the server that you can). It takes a lot of time and testing to get it right, and one man alone (you) can’t reasonably hope to do it right the first time.
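The parameterized form of the login query from the question, as an added example that is not the asker's code and not taken from either linked article. It uses ADODB.Command with `?` placeholders, which is what the linked "parameterized SQL" approach amounts to in classic ASP. Assumptions: `conn` is an already-open ADODB.Connection as in the question; `Request.Form` is used instead of the bare `Request` collection; the ADO constants are declared inline because adovbs.inc may not be included; the parameter size of 50 is a guess at the column width and should match the real schema.

```vbscript
<%
Option Explicit

' ADO enum values, normally supplied by adovbs.inc; declared here so the page is self-contained
Const adCmdText    = 1
Const adParamInput = 1
Const adVarWChar   = 202

Dim username, password, cmd, rs

username = Trim(Request.Form("username"))
password = Trim(Request.Form("password"))

' conn is assumed to be an open ADODB.Connection (as in the original question)
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn   ' "Set" reuses the connection object instead of opening a new one
cmd.CommandType = adCmdText

' The statement text contains only placeholders; user input never becomes part of the SQL
cmd.CommandText = "SELECT clientID FROM clientAccounts WHERE username = ? AND password = ?"

' Parameters bind by position, in the order the ? marks appear.
' The size 50 is an assumption about the column widths; match it to the real schema.
cmd.Parameters.Append cmd.CreateParameter("username", adVarWChar, adParamInput, 50, username)
cmd.Parameters.Append cmd.CreateParameter("password", adVarWChar, adParamInput, 50, password)

' Execute returns a recordset; the driver sends the values separately from the statement,
' so input such as  ' OR '1'='1  is compared literally against the username column
Set rs = cmd.Execute

If Not rs.EOF Then
    Session("clientID") = rs("clientID").Value
    ' login succeeded
Else
    ' login failed; report one generic error rather than saying which field was wrong
End If

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

Note that this only removes the injection: the password is still compared as plain text exactly as in the question, which is part of why the answer above warns against writing your own login code.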