I have this which works:

```vbscript
sqlString = "SELECT * FROM employees WHERE lastname = '" & last_name & "'"
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = dbConn
cmd.CommandText = sqlString
cmd.Prepared = True
Set recs = cmd.Execute
```
The problem I have is that, above, the dynamic part of `sqlString` is built before the prepared statement command. I don't think what I have above is protecting me.

Don't I have to fix this `sqlString` before I do the prepared statement? Reading this made me think that: [How can prepared statements protect from SQL injection attacks?]:
> "While in case of prepared statements we don't alter our program, it remains intact. That's the point.
> We are sending the program to the server first
>
> `$db->prepare("SELECT * FROM users where id=?");`
>
> where the data is substituted by some variable called a "placeholder" and then we're sending the data separately:
>
> `$db->execute($data);`
>
> so it can't alter our program and do any harm. Quite simple - isn't it?"
But I don't know how to make my query correct. I also don't know how he got from `prepare` to `$data`. Was hoping for guidance. Thanks.