Here we introduce another way to prevent SQL injection attacks in ASP. The method is not specific to ASP: it works in any language that talks to the database through the ADO object model, so it is more accurate to call it an anti-SQL-injection method based on ADO. The idea is to send the SQL statement and the user-supplied values to the database separately, as a parameterised command, instead of concatenating the values into the SQL text. Let's look at the code.
' ADO constants, normally supplied by adovbs.inc; declared here so the snippet runs stand-alone
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarWChar = 202
Dim conn, cmd, pra
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "..." ' the connection string is omitted here
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "UPDATE news SET title=? WHERE id=?"
cmd.CommandType = adCmdText
' Each "?" is bound to a typed parameter; the value is never spliced into the SQL text
Set pra = cmd.CreateParameter("title", adVarWChar, adParamInput, 50, "1 ' 2 ' 3")
cmd.Parameters.Append pra
Set pra = cmd.CreateParameter("id", adInteger, adParamInput, , 10)
cmd.Parameters.Append pra
cmd.Execute
The id field of the news table is an integer and the title field is nvarchar(50). The result is that the title of the record whose id is 10 is changed to "1 ' 2 ' 3". The single quotes in the value are passed to the database as data, not interpreted as part of the SQL statement, which is exactly what prevents injection.
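As an added example (not code from the original post), the same ADO technique generalised into a small helper that runs any statement with "?" placeholders, so every query in a page goes through parameters rather than string concatenation. The helper name ExecParam, the parameter-spec layout and the news table usage are assumptions for illustration; the connection string is a placeholder.

```vbscript
' Added example: reusable parameterised execution over ADODB.Command.
' ADO constants declared here so the script does not depend on adovbs.inc.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarWChar = 202

' Runs sql, whose "?" placeholders are bound in order to params.
' Each element of params is Array(value, adoType, size); size is only
' meaningful for variable-length types such as adVarWChar.
' Returns the Recordset produced by Execute (closed for statements
' that return no rows, e.g. UPDATE).
Function ExecParam(conn, sql, params)
    Dim cmd, spec, p, i
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = sql
    cmd.CommandType = adCmdText
    For i = 0 To UBound(params)
        spec = params(i)
        Set p = cmd.CreateParameter("p" & i, spec(1), adParamInput, spec(2), spec(0))
        cmd.Parameters.Append p
    Next
    Set ExecParam = cmd.Execute
End Function

' Constructed usage: the Update from the post, then a parameterised lookup.
' In a real page title and id would come from Request.Form / Request.QueryString.
Dim conn, rs, title, id
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "<connection string placeholder>"
title = "1 ' 2 ' 3"   ' the quotes travel as data; concatenated into SQL text they would break the statement
id = CLng("10")       ' CLng raises a type-mismatch error on non-numeric input, so id is always an integer
Call ExecParam(conn, "UPDATE news SET title=? WHERE id=?", _
               Array(Array(title, adVarWChar, 50), Array(id, adInteger, 0)))
Set rs = ExecParam(conn, "SELECT title FROM news WHERE id=?", _
                   Array(Array(id, adInteger, 0)))
If Not rs.EOF Then Response.Write Server.HTMLEncode(rs("title"))
rs.Close
conn.Close
```

Because the statement text never changes between calls, the same helper also lets the provider cache the prepared statement, and the parameter type check (adInteger for id) rejects malformed input before it reaches the database.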