Prevent SQL Injection With Classic ASP

December 15, 2016

1131

Classic ASP might seem like a language that is dead and gone, but it is still alive…somehow. With a language that has become outdated, it can be difficult to fight against modern security risks. Knowing how to prevent SQL injection with classic ASP is a valuable bit of code to have at your disposal. With bots capable of hacking sites, you don’t to make things easy for them. Thankfully, there is a way to setup prepared statements using Classic ASP.

If you are familiar with prepared statements, this shouldn’t be too much trouble. I will admint, this is a pretty ugly implementation, but ASP isn’t exactly bleeding edge, so this is the best we have. The first and most awkward thing about prepared statements with classic ASP, is that you need to declare the data type. For example, if a field in a DB is of type int, you need to declare this when creating the statement. It seems odd, but this is how it goes. the following code will show you a quick and easy way to pull a row from a database by using an ID that is passed in the querystring.

if request.querystring("id") <> "" and IsNumeric(request.querystring("id")) then
    set cmd = Server.CreateObject("ADODB.Command")
    set rs = Server.CreateObject("ADODB.Recordset")

    cmd.ActiveConnection = objConnection
    cmd.CommandText = "SELECT * FROM Posts WHERE id = ?"
    cmd.Parameters.Append(cmd.CreateParameter("@id", 3, 1, , request.querystring("id")))
    set rs = cmd.Execute()

    if not (rs.eof and rs.bof) Then
        'do something
    end if
end if

The only thing that needs to change are the parameters that you pass into the CreateParameter function. As I mentioned previously, you need to declare the data type when adding a command parameter. A full list of all of the data type codes can be found here http://www.w3schools.com/asp/met_comm_createparameter.asp

This is a pretty solid way to prevent sql injection with classic ASP. Nothing is ever bulletproof, so always be on the lookout for ways to further improve the security by validating data even further to prevent any bad data making its way into a query string.

Prevent SQL Injection With Classic ASP

Related Articles

Scavenger Hunt Team Randomizer

File Hash Generator Online – Get Instant MD5 and SHA-256 Hashes

Visual CSS Editor for Modern Glass UI Effects

Related Questions

How Can I Level Up from a Junior to Mid-Senior Developer?

Which GPU should I choose for VR: RTX 5070 OC or RX 9070 OC?

Is it possible to create a simple iOS app for a collection of long educational videos?

LEAVE A REPLY Cancel reply

Latest Tools

Scavenger Hunt Team Randomizer

File Hash Generator Online – Get Instant MD5 and SHA-256 Hashes

Visual CSS Editor for Modern Glass UI Effects

Fast and Accurate Tap BPM Counter – Free Web Tool

Glassmorphism CSS Generator with Live Preview

Add Custom Speech and Caption Boxes to Any Image Online

Latest Posts

Sports Team Randomizer

10 Uses For An Old Smartphone

Midjourney Launches An Exciting New Feature for Their Image AI

ShortlyAI Review

Is Copytrack A Scam?

Latest Questions

How Can I Level Up from a Junior to Mid-Senior Developer?

Which GPU should I choose for VR: RTX 5070 OC or RX 9070 OC?

Is it possible to create a simple iOS app for a collection of long educational videos?

Need Help Finding an Offline Installer for Symantec AV on Windows 10

Help! My Laptop Changed the Time Automatically and I Can’t Change It Back