Reputation: 71
Do SQL Select Statements need to be parameterized in asp?
I have some SQL select statements listed below. Is there any reason to parameterize such queries? There are some written in asp and some in asp.net.
asp.net using sqldatasource control:
SelectCommand="SELECT * FROM HEADLINES WHERE visible = 'Yes' AND FIN = 'Yes' ORDER BY DATE DESC></asp:SqlDataSource>
One of the queries in asp classic using the ADO recordset object:
Set Season = Server.CreateObject("ADODB.Recordset")
Season.ActiveConnection = INTERNET_STRING
Season.Source = "SELECT * FROM SEASON WHERE SHOW_INDIC = Season_var
These queries don't accept user input but they are on the asp/aspx pages rather than the code behind, should I be worried about potential SQL injection or any other vulnerabilites? Thanks.
Upvotes: 0
Views: 103
Answers (1)
Reputation: 895
Parameterizing queries will eliminate SQL-injections. If you have variables in your query, your query is vulnerable. For more information: http://msdn.microsoft.com/en-us/library/ff648339.aspx
However, your first query is static, it has no variables. There is no reason for a static query to parameterize.
Your second query has variables, and therefor it should be parameterized.
Upvotes: 2
Related Questions
- Parameterizing sql in asp
- SQL Selecting without parameters?
- parameterized sql query - asp.net / c#
- basics of parameterized query
- Paramterising an SQL SELECT statement
- vb.net sql parameterization
- SQL parameters asp.net(vb.net)
- Parameterized Query Works but do I need the two lines?
- ASP/MySQL - Parameterized Query(s)
- SQL Parameter in dotNET