- MySQL/ASP Parameterization To Prevent Injection [closed]
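- ' Login lookup, parameterized. Replaces the version that spliced the two request
- ' values straight into the SQL text, where a quote in either value changed the statement.
- ' Request("x") searches QueryString, Form, Cookies and ServerVariables in turn;
- ' Request.Form("x") would narrow the accepted source to the posted form.
- username = Trim(Request("username"))
- password = Trim(Request("password"))
-
- ' The SQL text is fixed; the values are sent separately as bound parameters
- ' (? placeholders, appended in order), so the input can only ever be data.
- Set cmd = Server.CreateObject("ADODB.Command")
- ' Set is required: without it VBScript assigns conn's default property (the
- ' connection string) and ADO silently opens a second connection.
- Set cmd.ActiveConnection = conn
- cmd.CommandText = "SELECT clientID FROM clientAccounts " & _
-                   "WHERE username = ? AND password = ?"
- ' Size 255 is a placeholder — match it to the column widths in clientAccounts.
- cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 255, username)
- cmd.Parameters.Append cmd.CreateParameter("password", adVarChar, adParamInput, 255, password)
- ' NOTE(review): matching the raw password inside the query implies it is stored in
- ' clear text; storing a salted hash and verifying it in code is the usual fix.
- Set rs = cmd.Execute()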
- // Parameterized ADO.NET login query: the SQL text is fixed and the two text-box
- // values are bound as @Name / @Password, so their contents cannot alter the statement.
- // NOTE(review): none of the connection, command or reader objects are disposed here;
- // a `using` on each (or a try/finally) returns the connection to the pool on every path.
- SqlConnection objConnection = new SqlConnection(_ConnectionString);
- objConnection.Open();
- // NOTE(review): USER is a reserved word in T-SQL, so `FROM User` likely needs
- // to be written as `FROM [User]` — confirm against the actual table name.
- SqlCommand objCommand = new SqlCommand(
- "SELECT * FROM User WHERE Name = @Name AND Password = @Password",
- objConnection);
- // NOTE(review): Parameters.Add(string, object) is the obsolete overload;
- // AddWithValue, or Add with an explicit SqlDbType and size, is the supported form.
- objCommand.Parameters.Add("@Name", NameTextBox.Text);
- objCommand.Parameters.Add("@Password", PasswordTextBox.Text);
- // NOTE(review): comparing the submitted password inside the query implies it is
- // stored in clear text; store a salted hash and verify it in code instead.
- SqlDataReader objReader = objCommand.ExecuteReader();
- // A row back means the credentials matched; the body of this branch is elided here.
- if (objReader.Read())
- {
- ...
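- ' Parameterized single-row lookup on an ADO Command object.
- With oSQLCommand
-     ' Set is required here: without it the connection object's default property
-     ' (its connection string) is assigned and ADO opens a separate connection.
-     Set .ActiveConnection = oSQLConn
-     ' ADO binds text-command parameters positionally via ? placeholders; a named
-     ' @field1 marker is generally only honoured for stored-procedure commands and
-     ' would otherwise reach the server as an undeclared variable.
-     .CommandText = "SELECT * FROM whatever WHERE field1=?"
-     ' Add input parameters in placeholder order; the value stays data, never SQL.
-     .Parameters.Append .CreateParameter("field1", adInteger, adParamInput, , iTableIdValue)
- End With
- ' Run the query and open the recordset on its result.
- oRS.Open oSQLCommand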