' Version 1: the INSERT is built by splicing the raw form values into the SQL text
set commandObj = Server.CreateObject("ADODB.Connection")
set rs = Server.CreateObject("ADODB.Recordset")
commandObj.ConnectionString = myGenericConnectionString
commandObj.Open
' txtMyHTML_Field1 is wrapped in single quotes, txtMyHTML_Field2 is inserted bare as a number
sqlCMD = "INSERT INTO myTable (item,cost) VALUES ('" & request.Form.Item("txtMyHTML_Field1") & "', " & request.Form.Item("txtMyHTML_Field2") & ");"
Set rs = commandObj.Execute(sqlCMD)
' Version 2: the row is added through an updatable Recordset; no SQL text is assembled from the input
set commandObj = Server.CreateObject("ADODB.Connection")
set rs = Server.CreateObject("ADODB.Recordset")
commandObj.ConnectionString = myGenericConnectionString
commandObj.Open
' Open the table directly: CursorType 2 = adOpenDynamic, LockType 2 = adLockPessimistic
rs.Open "[myTable]", commandObj, 2, 2
rs.AddNew
' The form values are assigned to the fields as data
rs.Fields("item") = request.Form.Item("txtMyHTML_Field1")
rs.Fields("cost") = request.Form.Item("txtMyHTML_Field2")
rs.Update
My theory is that the above statement is not vulnerable to injection, regardless of the input field value, because the values are stored directly to the field without using dangerous risky string concatenation.
Am I right?
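For comparison, here is the same INSERT written with an ADODB.Command and bound parameters, the usual way to keep form values out of the SQL text when you do want to write the statement yourself. This is an added example, not code from the post above; it reuses the post's connection string, table and form field names, and assumes the `item` column is a varchar and `cost` is a currency column (the parameter types must match your actual schema). Because the values are passed as typed parameters, a quote in the first field is stored as a quote, and a non-numeric second field is rejected before any statement is sent.

```vbscript
' Added example (not from the original post): INSERT via ADODB.Command with parameters.
' Assumptions: myGenericConnectionString, myTable and the two form field names come
' from the post; item is varchar(50) and cost is a currency column.
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200
Const adCurrency = 6

Dim conn, cmd, itemText, costText, recordsAffected

itemText = request.Form.Item("txtMyHTML_Field1")
costText = request.Form.Item("txtMyHTML_Field2")

' Validate the numeric field up front instead of relying on a runtime type error
If Not IsNumeric(costText) Then
    Response.Write "cost must be a number"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.ConnectionString = myGenericConnectionString
conn.Open

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' Placeholders mark where the values go; the SQL text itself never changes
cmd.CommandText = "INSERT INTO myTable (item, cost) VALUES (?, ?)"

' Each parameter carries its own type and size, so the provider sends the
' values as data rather than splicing them into the statement
cmd.Parameters.Append cmd.CreateParameter("item", adVarChar, adParamInput, 50, itemText)
cmd.Parameters.Append cmd.CreateParameter("cost", adCurrency, adParamInput, , CCur(costText))

cmd.Execute recordsAffected

conn.Close
Set cmd = Nothing
Set conn = Nothing
```

The size argument (50 here) should match the column width; overlong input is then truncated or rejected by the provider rather than silently altering the statement.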