If you are building data-driven Web pages that allow a user's input to directly affect the construction of a dynamic SQL string then, yes, you may be opening yourself up to a SQL Injection Attack.
SQL Injection is the act of entering a particularly odd-looking string into a text box or querystring in order to have potentially malicious SQL code execute. For example, if you have an ASP page that accepts an ID field as a querystring parameter, and this ID field is then used to generate dynamic content, you may be in trouble. If your code looks like:
Dim p_lngID, objRS, strSQL
' The raw request value is used as-is; nothing checks that it is a number
p_lngID = Request("ID")
' The value is concatenated straight into the SQL text, so whatever the user typed becomes part of the statement
strSQL = "SELECT * FROM tblArticles WHERE ID=" & p_lngID
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."
If (Not objRS.EOF) Then Response.Write objRS("ArticleContent")
Set objRS = Nothing
A user may enter a querystring like: 1; DELETE FROM tblArticles (or some other malicious SQL statement). With the code presented above, the SQL will be executed and every row in your database table deleted! In order to combat this particular problem, you would need to ensure that the passed-in ID is numeric, either by using the IsNumeric function or by casting the parameter to an integer or long (via
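The following is an added example, not code from the original answer, showing the hardened form of the article-lookup page above. It validates the ID before it ever reaches SQL and then passes it to ADO as a typed parameter rather than concatenating it into the statement. It assumes the same tblArticles table with an integer ID column and an ArticleContent column; the SafeArticleID function name and the strConn placeholder are this example's own. Note that IsNumeric alone is more permissive than most people expect (it accepts values such as "1e3", "&H1F" and "1,000"), so the check here requires plain digits first and only then converts with CLng.

```vbscript
' Added example (not from the original page): hardened article lookup.
' Assumes tblArticles(ID integer, ArticleContent text) and a connection
' string in strConn (placeholder value below).
Option Explicit

Function SafeArticleID(ByVal sValue)
    ' Returns the ID as a Long, or -1 when the input is not a plain integer.
    ' IsNumeric is too permissive ("1e3", "&H1F", "1,000" all pass), so we
    ' require digits only, cap the length to stay within a Long, then convert.
    Dim i
    SafeArticleID = -1
    If Len(sValue) = 0 Or Len(sValue) > 9 Then Exit Function
    For i = 1 To Len(sValue)
        If InStr("0123456789", Mid(sValue, i, 1)) = 0 Then Exit Function
    Next
    SafeArticleID = CLng(sValue)
End Function

Dim p_lngID, objCmd, objRS, strConn
strConn = "DSN=..."   ' placeholder, as in the original snippet

' Read from the QueryString collection explicitly and validate before use
p_lngID = SafeArticleID(Request.QueryString("ID"))
If p_lngID < 0 Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid article ID."
    Response.End
End If

' Parameterised query: the value travels as data, never as SQL text,
' so "1; DELETE FROM tblArticles" can never become part of the statement.
Set objCmd = Server.CreateObject("ADODB.Command")
objCmd.ActiveConnection = strConn
objCmd.CommandText = "SELECT ArticleContent FROM tblArticles WHERE ID = ?"
objCmd.CommandType = 1   ' adCmdText
' CreateParameter(Name, Type, Direction, Size, Value): 3 = adInteger, 1 = adParamInput
objCmd.Parameters.Append objCmd.CreateParameter("ID", 3, 1, , p_lngID)

Set objRS = objCmd.Execute
' HTMLEncode the stored content on the way out so a stored value cannot inject markup
If Not objRS.EOF Then Response.Write Server.HTMLEncode(objRS("ArticleContent"))
objRS.Close
Set objRS = Nothing
Set objCmd = Nothing
```

Either half of this on its own helps: the digit check rejects the malicious querystring outright, and the parameter stops a future edit that loosens the check from reintroducing the problem, because the driver binds the value as an integer rather than splicing text into the statement.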
There are also other kinds of SQL Injection Attacks, which are detailed at: Protecting Yourself from SQL Injection Attacks. Read this article to learn more about SQL Injection, and what you can do to protect yourself.