Is this Enough to Secure against SQL Injections?

Tresiauritume

New Member
I'm trying to secure an older classic ASP web site (that has about 1,000 .asp pages) using MS SQL 2008 R2 (Express Edition). I found some code (see below) on how to use parameterized queries, and the code looks to be the easiest for me to understand and use on all of the pages that need to be changed.

My question is: if I were to convert all of the MS SQL queries (so that they look something like the code below), will that be enough to protect against an MS SQL injection attack, or is there more that I will need to add/change? Thanks for any help...

HERE IS THE CODE:
[code]
' objConn is an already-open ADODB.Connection
Set objCommand = Server.CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConn
strSql = "SELECT * FROM users WHERE username=? AND password=?"
objCommand.CommandText = strSql
objCommand.CommandType = adCmdText   ' 1 if adovbs.inc is not included
' One parameter per ? placeholder; the user input is bound as a value, never spliced into the SQL text
objCommand.Parameters.Append objCommand.CreateParameter("username", adVarChar, adParamInput, 50, Request.Form("login"))
objCommand.Parameters.Append objCommand.CreateParameter("password", adVarChar, adParamInput, 50, Request.Form("password"))
Set rs = objCommand.Execute
[/code]
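The pattern in the post, generalised into a single helper that every page can call, as an added classic ASP example (this is not code from the original post). It assumes `adovbs.inc` is included for the `ad*` constants, that `objConn` is an open `ADODB.Connection`, and that the `users` table has a `user_id` column; all three are assumptions. The comments at the end list what parameter binding does and does not cover, which is the substance of the "is this enough?" question.

```vbscript
<%
Option Explicit
' Reusable helper for a classic ASP site: each page passes a SQL string with
' ? placeholders and an array of values, one value per placeholder.
' Assumed: adovbs.inc is included (adVarChar etc.) and objConn is an open
' ADODB.Connection. Both are assumptions, not part of the original post.

Function RunQuery(objConn, strSql, arrValues)
    Dim cmd, i
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = objConn
    cmd.CommandText = strSql
    cmd.CommandType = adCmdText
    ' One typed parameter per ? placeholder. The value never becomes part of
    ' the SQL text, so quotes or comment sequences in the input are just data.
    For i = 0 To UBound(arrValues)
        If VarType(arrValues(i)) = vbInteger Or VarType(arrValues(i)) = vbLong Then
            cmd.Parameters.Append cmd.CreateParameter("p" & i, adInteger, adParamInput, , arrValues(i))
        Else
            cmd.Parameters.Append cmd.CreateParameter("p" & i, adVarChar, adParamInput, 255, CStr(arrValues(i)))
        End If
    Next
    Set RunQuery = cmd.Execute
End Function

' Before (vulnerable): the input is concatenated into the statement text.
'   strSql = "SELECT ... WHERE username='" & Request.Form("login") & "'"
' After: placeholders plus a value array; the login page becomes two calls.
Dim rs
Set rs = RunQuery(objConn, _
    "SELECT user_id FROM users WHERE username=? AND password=?", _
    Array(CStr(Request.Form("login")), CStr(Request.Form("password"))))
If rs.EOF Then
    Response.Write "Login failed"
Else
    Response.Write "Welcome, user " & rs("user_id")   ' user_id column is assumed
End If
rs.Close

' What the helper does not cover when converting the remaining pages:
' - ? binds values only. A table name, column name or ORDER BY direction that
'   comes from the request cannot be parameterized; compare it against a fixed
'   allow-list in VBScript and reject anything else.
' - A stored procedure that builds its own SQL with EXEC(@sql) and string
'   concatenation re-creates the problem server-side; pass its inputs through
'   sp_executesql parameters instead.
' - Comparing a plaintext password inside the query is a separate weakness
'   from injection; parameters fix the injection, not the password storage.
%>
```

Because every page goes through `RunQuery`, a grep for `& Request.` across the 1,000 files is a quick way to find statements that still concatenate input and have not been converted.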