How can I resolve SQL injection issue for order by clause in the classic asp application?
Here is the demo code:
strSort = Request("sort")
strSQL = "select * from table1"
Select Case strSort
    Case "case1"
        strSQL = strSQL & " order by " & strSort
    Case "case2"
        strSQL = strSQL & " order by " & strSort
End Select
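Column names in an ORDER BY clause cannot be passed as bound parameters, so the fix is to never let the request value reach the SQL text at all: map it onto a fixed list of literal column names and directions. The following is an added example, not code from the question or the answer; the column names CustomerName and OrderDate and the "dir" request parameter are assumed.

```vbscript
<%
' Map an untrusted sort key onto a fixed whitelist of column names.
' Anything not in the list falls back to a safe default, so the
' request value itself never becomes part of the SQL string.
Function SafeOrderBy(sortKey, sortDir)
    Dim column, direction
    Select Case LCase(Trim(sortKey))
        Case "name":   column = "CustomerName"   ' assumed column name
        Case "date":   column = "OrderDate"      ' assumed column name
        Case Else:     column = "OrderDate"      ' unknown key: fixed default
    End Select
    ' Direction is also reduced to one of two literals.
    If LCase(Trim(sortDir)) = "desc" Then
        direction = "DESC"
    Else
        direction = "ASC"
    End If
    ' Only literals produced inside this function reach the SQL text.
    SafeOrderBy = " ORDER BY " & column & " " & direction
End Function

Dim strSQL
strSQL = "select * from table1" & SafeOrderBy(Request("sort"), Request("dir"))
' e.g. sort=name&dir=desc  ->  select * from table1 ORDER BY CustomerName DESC
' e.g. sort=1;drop+table   ->  select * from table1 ORDER BY OrderDate ASC
%>
```

Values that do not match a Case label never appear in the query, which is the property the Select Case in the question was presumably meant to give, but only if the appended text is the whitelisted literal rather than strSort itself.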
This worked for me; the connection object Conn comes from global.asa:
<%
Dim Rs
Dim Sql
Dim TableName
Dim Cmd
Const adParamInput = 1
Const adVarChar = 200
Set Cmd = Server.CreateObject("ADODB.Command")
TableName = Request("table")
' The user value is bound as a parameter (?) instead of being concatenated into the SQL text.
Sql = "select table_name from user_tables where upper(table_name) = upper(?) "
Cmd.ActiveConnection = Conn
Cmd.CommandText = Sql
Cmd.Parameters.Append Cmd.CreateParameter("table_name", adVarChar, adParamInput, Len(TableName), TableName)
Set Rs = Cmd.Execute()
Do While Rs.EOF = False
    Response.Write Rs("table_name") & "<br />"
    Rs.MoveNext
Loop
Rs.Close
Set Rs = Nothing
Set Cmd = Nothing
%>