Hello,
Would there be any use/benefit to using Server.HTMLEncode with parameterized SQL? For example:
Code:
Set conn = Server.CreateObject("ADODB.Connection")
conn.CursorLocation = adUseServer
conn.open cStr_TMD
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = conn
cmd.CommandText = "dbo.app_employeeselect"
cmd.CommandType = adCmdStoredProc
cmd.Parameters.Refresh
cmd.Parameters(1).Value=Request.QueryString("searchtype")
cmd.Parameters(2).Value=Request.QueryString("criteria")
Set rs = cmd.Execute
Should the parameters be changed to this to further sanitize the params:
Code:
cmd.Parameters(1).Value=Server.HTMLEncode(Request.QueryString("searchtype"))
cmd.Parameters(2).Value=Server.HTMLEncode(Request.QueryString("criteria"))
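An added example, not from the post or any ASP project, that uses Python with sqlite3 as a stand-in for ADODB and the stored procedure to show why HTMLEncode adds nothing to parameterized SQL: a bound value is compared as data, so injection-shaped input is inert, while HTML-encoding it before binding changes the data and makes legitimate searches fail. The table, column names, allowlist and sample rows are constructed.

```python
import html
import sqlite3

# Constructed rows standing in for the table behind dbo.app_employeeselect.
EMPLOYEES = [
    (1, "Ada", "Smith & Sons"),
    (2, "Grace", "Acme <Widgets>"),
]

# Identifiers cannot be bound as parameters, so searchtype is mapped through an
# allowlist (as a stored procedure would with CASE); only criteria is bound as data.
SEARCH_COLUMNS = {"name": "name", "department": "department"}  # hypothetical columns


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (id INTEGER, name TEXT, department TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def employee_select(conn, searchtype, criteria):
    """Stand-in for the stored procedure: criteria is bound, never concatenated."""
    column = SEARCH_COLUMNS[searchtype]  # KeyError for anything not allowlisted
    sql = f"SELECT id, name, department FROM employee WHERE {column} = ?"
    return conn.execute(sql, (criteria,)).fetchall()


def demo():
    conn = open_db()
    # Injection-shaped criteria is matched as a literal string: no rows, no damage.
    hostile = employee_select(conn, "name", "x' OR '1'='1")
    row_count = conn.execute("SELECT COUNT(*) FROM employee").fetchone()[0]
    # The raw value finds the department; the HTML-encoded value does not, because
    # the stored text is "Smith & Sons", not "Smith &amp; Sons".
    raw = employee_select(conn, "department", "Smith & Sons")
    encoded = employee_select(conn, "department", html.escape("Smith & Sons"))
    # Encoding belongs where the value is written into HTML, not where it is queried.
    rendered = html.escape(raw[0][2])
    return {
        "hostile": hostile,
        "row_count": row_count,
        "match_raw": raw,
        "match_encoded": encoded,
        "rendered": rendered,
    }


if __name__ == "__main__":
    print(demo())
```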