SQL query using a session variable.

I'm running a script in ASP and SQL Server 2005 and need to search a database table for some fields which have been created by a certain user. I have a session variable which is "Fullname" and
the following query string already written.

SQL = "SELECT item_name, internal_link, external_link, date_added FROM tbl_search WHERE added_by = session(Fullname) "

Annoyingly and as bloody usual with my coding I can't get it to work, and have tried numerous alternatives.

Can anyone help me please?!

Thanks

Thanks for the reply, i've just tried that and unfortunately it's pulling back only the results where the added_by column is empty now!

Stupid coding!

And then watch someone fill the fullname session variable with '; DROP TABLE tbl_search;

Read up on SQL injection. You'll be much better off parameterising this query. I.e. have the SQL static with WHERE added_by = ? and then set the parameter on the ADO object you're using to execute the query.

whoops yes missed the double quotes on the request session parameter

As mentioned, do look at avoiding SQL injection problems with "safe inserts"

SQL = "SELECT item_name, internal_link, external_link, date_added, added_by FROM tbl_search WHERE added_by = '" & Replace(session("Fullname"),"'","''") & "'"