Whenever you build a SQL query from user input in your ASP code you must guard against SQL injection. Here are the patterns to use in production code, depending on the type of the column you are filtering on:
If the column is text (tEmployeeNumber in tblSurvey is *NOT* a number), double every single quote in the value so it cannot close the string literal early:
Code:
SQL = "SELECT tEmployeeNumber, tTopic, tDepartment, tTime FROM tblSurvey " _
    & " WHERE tEmployeeNumber='" & Replace(dEmployeeNumber, "'", "''") & "'"
If it *IS* a number, do not quote it at all; convert the value to a number instead, so anything that is not a number never reaches the query:
Code:
SQL = "SELECT tEmployeeNumber, tTopic, tDepartment, tTime FROM tblSurvey " _
    & " WHERE tEmployeeNumber=" & CLng(dEmployeeNumber)
Two caveats. CLng raises a "Type mismatch" run-time error on non-numeric input, so test IsNumeric(dEmployeeNumber) first (or trap the error) rather than letting the page fail. Quote doubling only protects a value that sits inside single quotes; it does nothing for an unquoted number, which is why the two cases must be handled differently. Where the provider supports it, an ADODB.Command with parameters avoids building SQL text from user input altogether.
with proper credit to Bill W from 4guysfromrolla
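The following is an added example, not Bill W's code or code from the original post. It puts the injectable concatenation next to the two hardened forms above and adds a parameterised ADODB.Command version. Table and column names follow the post; the attacker input, the IsNumeric guard, the VARCHAR(20) size of the parameter and the function names are assumptions made for this example. It runs as-is under cscript; in an .asp page replace WScript.Echo with Response.Write.

```vbscript
' Added example (not from the original post). Shows the raw concatenation
' that is injectable, the two hardened forms from the post, and a
' parameterised query. Connection handling and the payload are assumed.
Option Explicit

' ADODB constants used by the parameterised version.
Const adVarChar = 200
Const adParamInput = 1

' Constructed attacker input: closes the string literal and comments out
' the rest of the WHERE clause.
Const MALICIOUS = "' OR 1=1 --"

' VULNERABLE: the input is dropped straight into the SQL text.
Function BuildUnsafe(dEmployeeNumber)
    BuildUnsafe = "SELECT tEmployeeNumber, tTopic, tDepartment, tTime FROM tblSurvey " _
        & " WHERE tEmployeeNumber='" & dEmployeeNumber & "'"
End Function

' Text column: double every single quote so the literal cannot be closed early.
Function BuildForText(dEmployeeNumber)
    BuildForText = "SELECT tEmployeeNumber, tTopic, tDepartment, tTime FROM tblSurvey " _
        & " WHERE tEmployeeNumber='" & Replace(dEmployeeNumber, "'", "''") & "'"
End Function

' Numeric column: reject anything that is not a number before CLng, because
' CLng raises "Type mismatch" on text such as the payload above.
Function BuildForNumber(dEmployeeNumber)
    If Not IsNumeric(dEmployeeNumber) Then
        Err.Raise vbObjectError + 1, "BuildForNumber", "employee number must be numeric"
    End If
    BuildForNumber = "SELECT tEmployeeNumber, tTopic, tDepartment, tTime FROM tblSurvey " _
        & " WHERE tEmployeeNumber=" & CLng(dEmployeeNumber)
End Function

' Parameterised version (preferred): the value never becomes part of the
' SQL text. conn is an open ADODB.Connection; the column is assumed to be
' VARCHAR(20). Returns the ADODB.Recordset.
Function OpenSurveyRows(conn, dEmployeeNumber)
    Dim cmd
    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT tEmployeeNumber, tTopic, tDepartment, tTime " _
        & "FROM tblSurvey WHERE tEmployeeNumber = ?"
    cmd.Parameters.Append cmd.CreateParameter("empno", adVarChar, adParamInput, 20, dEmployeeNumber)
    Set OpenSurveyRows = cmd.Execute
End Function

' Compare what each form sends to the database for the same input.
WScript.Echo "unsafe : " & BuildUnsafe(MALICIOUS)
WScript.Echo "text   : " & BuildForText(MALICIOUS)
On Error Resume Next
WScript.Echo "number : " & BuildForNumber(MALICIOUS)
If Err.Number <> 0 Then WScript.Echo "number : rejected (" & Err.Description & ")"
On Error GoTo 0
WScript.Echo "number : " & BuildForNumber("1042")
```

The unsafe form yields `WHERE tEmployeeNumber='' OR 1=1 --'`, which returns every row; the text form keeps the whole payload inside the literal as `'''' OR 1=1 --'`, so it only matches an employee whose number is literally that string; the numeric form refuses the payload before CLng can throw. IsNumeric is permissive (it accepts forms such as "1e3", and CLng rounds "12.7" to 13), so for a strict integer ID you may want to check the string against "^\d+$" with a RegExp as well.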