<%@ Language=VBScript %>
<% option explicit %>
<%
' ConnectionString, customerID and contactID are assumed to be set earlier in the page.
dim cnn, strSQL, result
set cnn = server.CreateObject("ADODB.Connection")
cnn.Open ConnectionString
' The two values are pasted straight into the SQL text (the injection point).
strSQL = "exec uspSQLInsertString " & customerID & "," & contactID
set result = cnn.Execute(strSQL)
set result = nothing
cnn.Close
set cnn = nothing
%>
This is a bad use of ADO: customerID and contactID are concatenated directly into the SQL text, so if either value is user-controlled the request can alter the statement that runs (SQL injection).
A more appropriate use of ADO in Classic ASP is as follows:
<%@ Language=VBScript %>
<% option explicit %>
<!--#include file="adovbs.inc"-->
<%
' adovbs.inc supplies the ADO constants (adCmdStoredProc, adDBDate, adParamInput);
' without it option explicit rejects them as undeclared.
' ConnectionString is assumed to be set earlier in the page.
dim cmd, result
set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = ConnectionString
cmd.CommandText = "uspSQLInsertString"
cmd.CommandType = adCmdStoredProc
' The form value travels as a typed parameter, not as part of the SQL text.
cmd.Parameters.Append cmd.CreateParameter("@date", _
    adDBDate, adParamInput, 6, cdate(Request.Form("hLive")))
set result = cmd.Execute()
set result = nothing
set cmd = nothing
%>
This is the more appropriate way: with a parameterised query the values are sent to the server separately from the command text, so they are treated as data and can never be parsed as SQL.
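The first snippet's call to uspSQLInsertString carried over to parameters, as an added example rather than the post's own code. It assumes the procedure takes two integer arguments named @customerID and @contactID, that the values arrive as form fields of the same names, and that ConnectionString is defined in an include.

```vbscript
<%@ Language=VBScript %>
<% Option Explicit %>
<!--#include file="adovbs.inc"-->
<%
' Added example, not the post's code. Assumes uspSQLInsertString takes two
' integer arguments (@customerID, @contactID), that the values arrive as
' form fields of the same names, and that ConnectionString is defined in
' an include. adovbs.inc supplies the ad* constants.
Dim re, rawCust, rawCont, customerID, contactID
rawCust = Request.Form("customerID")
rawCont = Request.Form("contactID")
Set re = New RegExp
re.Pattern = "^\d{1,9}$"

' Parameters already keep the values out of the SQL text; this check only
' turns bad input into a clean 400 instead of an ADO type-conversion error.
If Not (re.Test(rawCust) And re.Test(rawCont)) Then
    Response.Status = "400 Bad Request"
    Response.Write "customerID and contactID must be positive integers"
    Response.End
End If
customerID = CLng(rawCust)
contactID = CLng(rawCont)

Dim cnn, cmd, rowsAffected
Set cnn = Server.CreateObject("ADODB.Connection")
cnn.Open ConnectionString

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cnn
cmd.CommandText = "uspSQLInsertString"
cmd.CommandType = adCmdStoredProc

' Each value is sent to SQL Server as a typed parameter alongside the
' procedure name, so whatever the form contains is data, never SQL.
cmd.Parameters.Append cmd.CreateParameter("@customerID", adInteger, adParamInput, , customerID)
cmd.Parameters.Append cmd.CreateParameter("@contactID", adInteger, adParamInput, , contactID)

' adExecuteNoRecords: the procedure only inserts and returns no rows.
cmd.Execute rowsAffected, , adExecuteNoRecords
Response.Write "Rows affected: " & rowsAffected

Set cmd = Nothing
cnn.Close
Set cnn = Nothing
%>
```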