Hello, I was tasked with the job of preventing SQL injection on a website and this is what I came up with. The website is search based, where the user keys in the words to search for the desired content. The code is working perfectly fine when I test it by only accessing the DB, but when I try to link the query string from the words in the text box to the parameter value, nothing is displayed except an SQL statement that does not show the value of the query string. This is my code:
---connection to db already established----
strSQL = "SELECT * FROM **** WHERE key = @word"
cmd.CommandText = strSQL
word = Request.QueryString("word")   ' ---- this is not being passed to the CreateParameter line below
cmd.Parameters.Append cmd.CreateParameter("@word", 200, 1, 20, word)
Set rs = cmd.Execute()
Response.Write(strSQL) --> to display the full query string according to the SQL statement with the parameter value shown, but the display shown to me
is: SELECT * FROM Document WHERE docID = @txt // the @txt is supposed to be the search word the user put in the text box.
Please help me, I have been trying to complete this for nearly 2 weeks.
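The pattern the question is about, as an added example that is not the poster's code: a parameterized keyword search in classic ASP (VBScript + ADO). It assumes an already open ADODB.Connection named conn and a Document table with a docID column; both names are taken from the post and are assumptions, not knowledge of the real schema.

```vbscript
' Added example, not the poster's code. Assumes an open ADODB.Connection
' named conn and a table Document with a docID column (assumed names).
Const adVarChar = 200
Const adParamInput = 1
Const adCmdText = 1

' Build the command; the search word is bound as a parameter, so the SQL
' text never contains it and the input cannot change the statement.
Function BuildSearchCommand(conn, word)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' "?" is the positional marker every OLE DB provider accepts. Named
    ' markers such as @word need ADO 2.6+ and cmd.NamedParameters = True;
    ' without that the provider may reject @word as an undeclared variable.
    cmd.CommandText = "SELECT * FROM Document WHERE docID = ?"
    ' Size 50 is the declared maximum length; make it at least the column width.
    cmd.Parameters.Append cmd.CreateParameter("word", adVarChar, adParamInput, 50, word)
    Set BuildSearchCommand = cmd
End Function

Dim word, cmd, rs
word = Trim(Request.QueryString("word"))

If Len(word) = 0 Then
    Response.Write "Enter a search word."
Else
    Set cmd = BuildSearchCommand(conn, word)
    Set rs = cmd.Execute()

    ' Diagnostics: the text keeps its "?" even after Execute, because the
    ' value travels to the server as a separate typed argument. To see what
    ' was bound, read the parameter object, not the SQL string. Anything
    ' echoed back to the browser is HTML-encoded so user input renders as
    ' text rather than markup.
    Response.Write "SQL text: " & Server.HTMLEncode(cmd.CommandText) & "<br>"
    Response.Write "Bound value: " & Server.HTMLEncode(cmd.Parameters(0).Value) & "<br>"

    ' A word like O'Neil is compared as the literal string O'Neil; the quote
    ' is data, not SQL, so no doubling or escaping of quotes is needed.
    Do While Not rs.EOF
        Response.Write Server.HTMLEncode(CStr(rs("docID"))) & "<br>"
        rs.MoveNext
    Loop
    rs.Close
End If
```

Printing strSQL after Execute will always show the placeholder; checking cmd.Parameters(0).Value is the way to confirm the query string reached the parameter.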