Thread: SQL Injection

#1 (sparky753)

I have used the SQL Command object in ASP to prevent SQL injection. But in the past, the WHERE clause in all my SQL statements looked for an exact match so there wasn't any problem. For instance,
Code:
"select * from tblUsers where userID = ?"
This is what I used to do:
Code:
userID = Request.QueryString("userID")
sqlStr = "SELECT * from tblUsers where userID=?"
Set sqlcomm = Server.CreateObject("ADODB.Command")
Set sqlcomm.ActiveConnection = conn
sqlcomm.CommandText = sqlStr
' 3 = adInteger, 1 = adParamInput; the size argument is left empty for a fixed-length type
Set uID = sqlcomm.CreateParameter("@userID", 3, 1, , userID)
sqlcomm.Parameters.Append uID
Set userRS = sqlcomm.Execute()
Now I'm trying to use LIKE "%%" and I don't know how to do it:
Code:
sqlStr = "SELECT * from tblUsers where lastname like '%?%'"
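The way to keep a LIKE search parameterized with the same ADODB.Command pattern, as an added example that is not code from this thread: the `?` stays a bare placeholder in the SQL text and the `%` wildcards are concatenated onto the parameter value instead. The example assumes SQL Server (for `ESCAPE` and the `[` range wildcard), an already open connection object named `conn`, and a varchar `lastname` column of at most 255 characters; `EscapeLike` is a helper written here, not an ADO function.

```vbscript
' Added example: parameterized LIKE in classic ASP with ADODB.Command.
' Assumes: open ADODB.Connection "conn", SQL Server, tblUsers.lastname varchar(255).
Const adVarChar = 200
Const adParamInput = 1

' Escape the LIKE metacharacters in the user's text so that a value such as "%"
' or "_" cannot widen the search to every row. The backslash is escaped first
' because it is the ESCAPE character declared in the query below; "[" is included
' because SQL Server treats it as the opener of a character range.
Function EscapeLike(s)
    Dim r
    r = Replace(s, "\", "\\")
    r = Replace(r, "%", "\%")
    r = Replace(r, "_", "\_")
    r = Replace(r, "[", "\[")
    EscapeLike = r
End Function

Dim lastname, sqlStr, sqlcomm, pLast, userRS
lastname = Request.QueryString("lastname")

' The placeholder is not quoted and carries no wildcards; the pattern is built
' in the parameter value, so the SQL text never contains user input.
sqlStr = "SELECT * FROM tblUsers WHERE lastname LIKE ? ESCAPE '\'"

Set sqlcomm = Server.CreateObject("ADODB.Command")
Set sqlcomm.ActiveConnection = conn
sqlcomm.CommandText = sqlStr

' Variable-length types need an explicit size; 255 matches the assumed column width.
Set pLast = sqlcomm.CreateParameter("@lastname", adVarChar, adParamInput, 255, _
                                    "%" & EscapeLike(lastname) & "%")
sqlcomm.Parameters.Append pLast

Set userRS = sqlcomm.Execute()
```

The same rule applies if the pattern is built inside a stored procedure: append the wildcards to the parameter value (`LIKE '%' + @lastname + '%'`) and never splice the value into a SQL string that is then run with EXEC, or the injection problem simply moves into the procedure. If the column is nvarchar, use adVarWChar (202) instead of adVarChar.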
#2 (winash)
Hi sparky753

If you want to select records with a lastname starting with, e.g., "as", then you will say:

sqlStr="SELECT * FROM tblUsers WHERE lastname like 'as%' "

If you want to select records with a lastname containing the pattern "as", then:

sqlStr="SELECT * FROM tblUsers WHERE lastname like '%as%' "

winash
#3 (sparky753)
Winash,

Thanks for your response. I think you misunderstood my question. I know the standard SQL syntax for LIKE, but how do I use it when I'm trying to prevent SQL injection? In ASP, you use a ? for a parameter that you append to a query....

Thanks

#4 (sparky753)
Don't worry about this... I used a Stored Procedure to take care of it and it works...

