|
| | | Forum Newbie
Group: Forum Members
Last Login: 9/9/2008 7:30:32 AM
Posts: 2, Visits: 3 |
| | Hi All Generally we are using the following code to update using ADODB sql = "SELECT * FROM customers WHERE CustomerID=" + custID;
recordSet.Open(sql, connection, 1, 2);
recordSet("FirstName") = firstName;
recordSet("MiddleInitial") = middleInitial;
recordSet.Update();
recordSet.Close();
But, we are facing sql injection problem. so what we can't pass value directly to query. So I have changed to
var sqlcmd = Server.CreateObject("ADODB.Command");
sqlcmd.CommandText = sql;
sqlcmd.CommandType = 1;
sqlcmd.Parameters.Append(sqlcmd.CreateParameter("@column1",200,1 ,10,custID)); My Doubt is, How to update sqlcmd using recordset. can you please explain?
.Net Developer
CompIndia Infotech P Ltd
Tiruapti.
http://www.compindia.com |
| |
| | | Forum God
Group: Forum Members
Last Login: Yesterday @ 4:38:01 AM
Posts: 886, Visits: 5,287 |
| My Doubt is, How to update sqlcmd using recordset. can you please explain? I don't think you can. You have a few strategies to deal with sql injection. The steps I would take are - Change your queries to stored procedures - by doing that it will ensure the datatype and size are correct. For example you can set the size of Middle Inital to 1. There isn't much that can be done with sql injection if you can only use 1 character.
- Validate your inputs on the client before submitting the form - This will catch problem entries before they leave the browser.
- Validate your inputs on the server before the stored procedure is run - You also have to make sure the input have not been intercepted and tampered with.
|
| |
|
|