Hi all,

I inherited some old ASP code, that I found out recently might have be potential SQL injection problem.

I've looked through Google and the threads here, and I understand the concept of SQL injections, but I'm not sure how to change my own code to protect it from injections. I'm not very strong with ASP.

All of the examples I've seen have code which is protecting against injection threats when a user inputs data into a field. In my case, the ASP code displays records in a database table, but does not take any user inputs.

Code:
Dim sql, rs, item_number
item_number = Request.QueryString("product_id")

sql = "SELECT * FROM products WHERE product_id=" & item_number
Set rs = objConn.Execute(sql)

If rs.EOF Then 'if no records
	Response.Write("No record to display")
Else
%>
<p><%=rs("product_id") %></p>
<p><%=rs("product_title") %></p>
<p><%=rs("product_type") %></p>
<%
End if
%>
The product_id is passed through the URL from the previous page, such as http://www.website.com/products/index.asp?product_id=5

Will this code still be susceptible to SQL injections, even if I'm not accepting user inputs and just displaying records from a database, and if so, how can I guard against any potential injection threats?

Edit: Do I just change line 2 of the code from:
item_number = Request.QueryString("product_id")

to

item_number = CLng(Request.QueryString("product_id"))

Thank you very much for your time and help