If you use Stored Procedure calls in your ASP pages this can't happen!! Manually creating SQL statements within ASP is poor design: not as efficient and secure as storing them in your database server (as stored procedures) and making a call to them, without speaking of coding properly: how do you reuse these pieces of code?!

Within product.asp dept_id is picked up and used to construct a SQL statement.

"select a,b,c,d,e,f,g from table where dept_id = " & Request("Dept_ID")

Further down the page a, b, c, d, e, f and g are response.writed to the page. Think about what happens if the URL above is modified to

http://hostname/product.asp?dept_id=100000 union select credit_card_number,null,null,null,null,null, null from Credit_Card_table
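The difference discussed in this message, as an added example that is not part of the original post: the concatenated query from product.asp next to a typed, bound parameter, which is the property a stored procedure call with an integer parameter provides. It uses Python with an in-memory SQLite database (which has no stored procedures) as a stand-in; the table name products, the function names and the sample rows are assumptions constructed for the demonstration.

```python
import sqlite3

# Query-string value taken from the URL in the post above.
PAYLOAD = ("100000 union select credit_card_number,null,null,null,null,null, "
           "null from Credit_Card_table")

def build_db():
    """In-memory database with constructed sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (dept_id INTEGER, a, b, c, d, e, f, g);
        INSERT INTO products VALUES (7, 'widget', 'b', 'c', 'd', 'e', 'f', 'g');
        CREATE TABLE Credit_Card_table (credit_card_number TEXT);
        INSERT INTO Credit_Card_table VALUES ('0000-CONSTRUCTED-TEST-VALUE');
    """)
    return db

def lookup_concatenated(db, dept_id):
    """Pattern from product.asp: the request value becomes part of the SQL text,
    so whatever follows the number is parsed as SQL."""
    sql = "select a,b,c,d,e,f,g from products where dept_id = " + dept_id
    return db.execute(sql).fetchall()

def lookup_bound(db, dept_id):
    """Hardened form: the value must be an integer and is passed as a bound
    parameter, so it can only ever be compared against dept_id."""
    if not (dept_id.isascii() and dept_id.isdigit()):
        raise ValueError("dept_id must be an unsigned integer")
    sql = "select a,b,c,d,e,f,g from products where dept_id = ?"
    return db.execute(sql, (int(dept_id),)).fetchall()

if __name__ == "__main__":
    db = build_db()
    print("concatenated, dept_id=7 :", lookup_concatenated(db, "7"))
    print("concatenated, modified  :", lookup_concatenated(db, PAYLOAD))
    print("bound, dept_id=7        :", lookup_bound(db, "7"))
    try:
        lookup_bound(db, PAYLOAD)
    except ValueError as exc:
        print("bound, modified         : rejected,", exc)
```

The integer check runs before the database is touched, which also gives a clean point to log rejected dept_id values.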
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:37:35 PDT