Prevent SQL Injection With Classic ASP

Classic ASP might seem like a language that is dead and gone, but it is still alive, somehow. With a language this outdated, it can be difficult to fight modern security risks. Knowing how to prevent SQL injection with Classic ASP is a valuable bit of code to have at your disposal. With bots capable of hacking sites automatically, you don't want to make things easy for them. Thankfully, there is a way to set up prepared statements (parameterized queries) in Classic ASP.

If you are familiar with prepared statements, this shouldn't be too much trouble. I will admit, this is a pretty ugly implementation, but ASP isn't exactly bleeding edge, so this is the best we have. The first and most awkward thing about prepared statements with Classic ASP is that you need to declare the data type of each parameter. For example, if a field in the DB is of type int, you need to declare this when creating the parameter. It seems odd, but this is how it goes. The following code shows a quick and easy way to pull a row from a database using an ID that is passed in the query string.

' Assumes objConnection is an open ADODB.Connection created earlier in the page.
' The id is checked to be numeric first, then bound as a typed parameter, so the
' raw query string value is never concatenated into the SQL text.
if request.querystring("id") <> "" and IsNumeric(request.querystring("id")) then
    set cmd = Server.CreateObject("ADODB.Command")
    set rs = Server.CreateObject("ADODB.Recordset")

    cmd.ActiveConnection = objConnection
    cmd.CommandText = "SELECT * FROM Posts WHERE id = ?"
    ' CreateParameter(name, type, direction, size, value):
    ' 3 = adInteger, 1 = adParamInput; size is omitted because integers are fixed-size
    cmd.Parameters.Append(cmd.CreateParameter("@id", 3, 1, , request.querystring("id")))
    set rs = cmd.Execute()

    if not (rs.eof and rs.bof) Then
        'do something
    end if

    rs.Close
    set rs = nothing
    set cmd = nothing
end if

The only things that need to change from query to query are the arguments you pass to the CreateParameter function. As I mentioned previously, you need to declare the data type when adding a command parameter, and variable-length types such as varchar also need a size. A full list of the data type codes can be found here: http://www.w3schools.com/asp/met_comm_createparameter.asp
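To show how the same pattern carries over to other column types, here is an added example (not code from the original post) that wraps the ADODB.Command setup in a small helper and binds an integer, a varchar and a date parameter. It assumes an open ADODB.Connection named objConnection and an illustrative table Posts(id int, slug varchar(100), title varchar(200), published datetime); the RunQuery helper and the parameter spec layout are my own, not part of ADO.

```vbscript
' ADODB DataTypeEnum / ParameterDirectionEnum values, named so the numbers
' passed to CreateParameter are readable.
Const adInteger = 3
Const adDate = 7
Const adVarChar = 200
Const adParamInput = 1
Const adCmdText = 1

' Run a SQL string containing ? placeholders. specs is an array of
' Array(name, dataType, size, value) entries, one per placeholder, in order.
' Size only matters for variable-length types such as adVarChar; pass 0 for
' fixed-size types like adInteger and adDate.
Function RunQuery(sql, specs)
    Dim cmd, i, spec
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = objConnection   ' assumed open connection
    cmd.CommandText = sql
    cmd.CommandType = adCmdText
    For i = 0 To UBound(specs)
        spec = specs(i)
        ' The value is bound as typed data, never spliced into the SQL text.
        cmd.Parameters.Append cmd.CreateParameter(spec(0), spec(1), adParamInput, spec(2), spec(3))
    Next
    Set RunQuery = cmd.Execute()
End Function

' Anti-pattern this replaces (do not do this): building the statement as
'   "SELECT * FROM Posts WHERE id = " & Request.QueryString("id")
' lets whatever arrives in the query string be parsed as SQL.

Dim rs, id, slug
id = Request.QueryString("id")
slug = Request.QueryString("slug")

If Len(id) > 0 And IsNumeric(id) Then
    ' One integer parameter. CLng turns the validated string into a real Long
    ' so ADO does not have to guess at the conversion.
    Set rs = RunQuery("SELECT * FROM Posts WHERE id = ?", _
        Array(Array("@id", adInteger, 0, CLng(id))))
ElseIf Len(slug) > 0 And Len(slug) <= 100 Then
    ' A varchar parameter needs its size (the column width, 100 here) and a
    ' date parameter shows a third type; both still travel as data.
    Set rs = RunQuery("SELECT * FROM Posts WHERE slug = ? AND published <= ?", _
        Array(Array("@slug", adVarChar, 100, slug), _
              Array("@published", adDate, 0, Now())))
End If

' rs stays Empty if neither branch ran, so test with IsObject rather than Is Nothing.
If IsObject(rs) Then
    If Not (rs.EOF And rs.BOF) Then
        ' Output encoding is the matching defence on the way out (XSS), just as
        ' parameters are on the way in.
        Response.Write Server.HTMLEncode(rs("title"))
    End If
    rs.Close
    Set rs = Nothing
End If
```

Two details are worth calling out. First, leaving Size out for an adVarChar parameter is the usual cause of the "Parameter object is improperly defined" error, so the helper takes it explicitly. Second, the IsNumeric and length checks are not what stops injection; the ? placeholder does that. The checks simply reject values that could never match, before a round trip to the database.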

This is a pretty solid way to prevent SQL injection with Classic ASP. Nothing is ever bulletproof, so always be on the lookout for ways to improve security further, for example by validating input more strictly so that bad data never makes its way into a query in the first place.
