I'm working with some legacy code and need help creating a SQL parameter and associating it with a query string.

' legacy code: the raw query-string value is spliced straight into the SQL text
val = Request.QueryString("number1")
sql = "select * from table where table.number = '" & val & "'"

How do I create a parameter to avoid SQL injection?

runners3431

  • Possible duplicate of [How to use ASP variables in SQL statement](http://stackoverflow.com/questions/20659972/how-to-use-asp-variables-in-sql-statement) – user692942 Apr 19 '16 at 09:01
  • Another example - http://stackoverflow.com/a/22037613/692942 – user692942 Apr 19 '16 at 09:03

1 Answer

A quick solution, if your querystring value is numeric, is to use CInt(), which converts the querystring into an integer, e.g.

val = CInt(Request.QueryString("number1"))   ' type mismatch error for non-numeric input
sql = "select * from table where table.number = " & val

If someone tries a SQL injection by using a non-numeric querystring value, it will throw a type mismatch error and the database query will not be executed.

If you want to use something more complex than an integer, you should look at parameterised queries; there are plenty of questions on SO which deal with this, e.g. this one:

Parameterized query in Classic Asp

John
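As an added example (not code from the question or the answer above): the concatenated query from the question beside a parameterised version using ADODB.Command, the approach the linked parameterised-query posts describe. It assumes an open ADODB.Connection named conn and keeps the question's table and column names, bracketed because both are reserved words in SQL Server and Access.

```vbscript
' Constructed Classic ASP / VBScript example; conn is an assumed open ADODB.Connection.

' --- Vulnerable: the raw query-string value becomes part of the SQL text ---
' Any quote or SQL fragment in rawValue changes the statement itself.
Function BuildUnsafeSql(rawValue)
    BuildUnsafeSql = "SELECT * FROM [table] WHERE [table].[number] = '" & rawValue & "'"
End Function

' --- Hardened: the value travels as a typed parameter, never inside the SQL text ---
Function QueryByNumber(conn, rawValue)
    Dim cmd, prm, num

    ' Validate before touching the database. IsNumeric() alone also accepts
    ' forms such as "1e3" or "&H1F", so require the converted value to
    ' round-trip to the same (trimmed) text the caller supplied.
    If Not IsNumeric(rawValue) Then Err.Raise 5, , "number1 must be an integer"
    num = CLng(rawValue)   ' raises a type mismatch for anything non-numeric
    If CStr(num) <> Trim(rawValue) Then Err.Raise 5, , "number1 must be an integer"

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1   ' adCmdText
    cmd.CommandText = "SELECT * FROM [table] WHERE [table].[number] = ?"

    ' CreateParameter(Name, Type, Direction, Size, Value); adInteger = 3, adParamInput = 1
    Set prm = cmd.CreateParameter("number1", 3, 1, , num)
    cmd.Parameters.Append prm

    ' Execute returns a Recordset; the driver binds num separately from the SQL text.
    Set QueryByNumber = cmd.Execute
End Function

' Usage inside a page (assumed names):
' Dim rs
' Set rs = QueryByNumber(conn, Request.QueryString("number1"))
```

The validation block is optional once the parameter is in place, but rejecting malformed input early gives a clearer error than a driver-level conversion failure.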