1

I'm writing a quick website in ASP (classic) Javascript.

I'm using a prepared statement with a parameter. Nothing special.

My question is do I need to sanitise the input to the parameter (if so, are there any native functions for this like in PHP?), or does the fact I'm using a parameter rather than concatenating inline SQL make me safe?

//Set up the command to run the GetMigrationDate stored procedure.
var command = new ActiveXObject("ADODB.Command");
command.CommandText = "exec myStoredProc ?";

//Set up parameters
command.Parameters.Append(command.CreateParameter("name", 200, 1, 255));
command.Parameters("name") = name;

//Set up result recordset
var results = new ActiveXObject("ADODB.Recordset");

//Run command
results.open(command);

[Edit] The stored proc is something like this:

@name varchar(255)

select * from customers where name = @name
ChristianLinnell
  • 1,368
  • 2
  • 16
  • 22

2 Answers2

7

Your stored procedure is using bind variables and is not building a SQL statement from the parameters you're passing in so you don't need to sanitize your parameters in order to avoid SQL injection.

In other circumstances, you may want to sanitize them for other reasons (say, if "name" is something that is displayed and you want to avoid an attack where someone types in a small Javascript program to a field that then gets displayed back). Normally, that would be taken care of in the code that actually renders the field but ensuring that you're not storing rogue Javascript in the database is a good backup.

Justin Cave
  • 227,342
  • 24
  • 367
  • 384
0

Sanitizing is done when building a Sql Statement and mainly when the parameters are given from the user (outside).

RaulZahan
  • 103
  • 1
  • 1
  • 8