SQL query using a session variable.
Discussion
I'm running a script in ASP and SQL Server 2005 and need to search a database table for some fields which have been created by a certain user. I have a session variable which is "Fullname" and the following query string already written.
SQL = "SELECT item_name, internal_link, external_link, date_added FROM tbl_search WHERE added_by = session(Fullname) "
Annoyingly and as bloody usual with my coding I can't get it to work, and have tried numerous alternatives.
Can anyone help me please?!
Thanks
And then watch someone fill the fullname session variable with '; DROP TABLE tbl_search;
Read up on SQL injection. You'll be much better off parameterising this query. I.e. have the SQL static with WHERE added_by = ? and then set the parameter on the ADO object you're using to execute the query.
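The parameterised form described in the reply above, as an added example that is not part of the original thread. It assumes the connection string is kept in a hypothetical Application("ConnString") entry and that added_by is a varchar column of up to 100 characters.

```vbscript
' Runs inside <% ... %> in a classic ASP page (uses the ASP Server, Session
' and Response objects).

' ADO constants, normally pulled in from adovbs.inc
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

Dim conn, cmd, rs, fullName

' Coerce to a string so an unset session value becomes "" rather than Empty
fullName = Trim(Session("Fullname") & "")

If Len(fullName) = 0 Then
    Response.Write "No user in session."
Else
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("ConnString")   ' assumption: connection string stored here

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText

    ' The SQL text is static; the ? is a placeholder, not string concatenation
    cmd.CommandText = "SELECT item_name, internal_link, external_link, date_added " & _
                      "FROM tbl_search WHERE added_by = ?"

    ' The value travels separately from the SQL text, so a name such as
    ' O'Brien, or one containing '; DROP TABLE ..., is compared as plain data.
    ' Size 100 is an assumption about the width of added_by.
    cmd.Parameters.Append cmd.CreateParameter("added_by", adVarChar, adParamInput, 100, fullName)

    Set rs = cmd.Execute
    Do Until rs.EOF
        ' HTML-encode on output as well: stored values are untrusted too
        Response.Write Server.HTMLEncode(rs("item_name") & "") & "<br>"
        rs.MoveNext
    Loop

    rs.Close
    conn.Close
    Set rs = Nothing
    Set cmd = Nothing
    Set conn = Nothing
End If
```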