ASP / Access - protecting from injections
I inherited some old ASP code, that I found out recently might have be potential SQL injection problem.
I've looked through Google and the threads here, and I understand the concept of SQL injections, but I'm not sure how to change my own code to protect it from injections. I'm not very strong with ASP.
All of the examples I've seen have code which is protecting against injection threats when a user inputs data into a field. In my case, the ASP code displays records in a database table, but does not take any user inputs.
The product_id is passed through the URL from the previous page, such as http://www.website.com/products/index.asp?product_id=5
Dim sql, rs, item_number
item_number = Request.QueryString("product_id")
sql = "SELECT * FROM products WHERE product_id=" & item_number
Set rs = objConn.Execute(sql)
If rs.EOF Then 'if no records
Response.Write("No record to display")
I've removed a lot of the styling and if statements from the code here, to make it easier to read through.
Will this code still be susceptible to SQL injections, even if I'm not accepting user inputs and just displaying records from a database, and if so, how can I guard against any potential injection threats?
Thank you very much for your time and help
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Tags for this Thread