SQL Injection - ASP with MS IIS and MS Access DB - Microsoft IIS Web Server and ASP.NET forum at WebmasterWorld

I have an old site and only know enough classic asp to be dangerous. The login is vulnerable to SQL Injection with this code:
'********************************************************************
'---- Check the omUser table for an admin login
SQL="SELECT uName FROM omUser WHERE uUser='" & trim(Name) & "' AND uPass='" & trim(Pass) & "' AND uLevel='Admin' AND uStatus='Active'"
'rw SQL
rs1.Open SQL,cn,1,2
IF NOT rs1.EOF THEN
Session("ALogin")="Y"
Session("AdminName")=rs1("uName")
END IF
rs1.Close
'********************************************************************
Can anyone tell me what I should write to protect against injection?
I got this from another post, but don't know how to integrate it into my code:

Public Function sqlEncode(sText)
sqlEncode = Replace(sText,"'","''")
End Function

Public Function sqlWriteTextWNull(sText)
If IsNull(sText) Then
sqlWriteTextWNull = "NULL"
ElseIf sText = "" Then
sqlWriteTextWNull = "NULL"
Else sqlWriteTextWNull = "'" & sqlEncode(sText) & "'"
End If
End Function

Public Function sqlWriteNumberWNull(vNumber)
If IsNull(vNumber) Then
sqlWriteNumberWNull = "NULL"
ElseIf IsNumeric(vNumber) Then
sqlWriteNumberWNull = CStr(vNumber)
Else sqlWriteNumberWNull = "NULL"
End If
End Function

Public Function sqlWriteDateWNull(vDate)
If IsNull(vDate) Then
sqlWriteDateWNull = "NULL"
ElseIf IsDate(vDate) Then
sqlWriteDateWNull = "'" & sqlEncode(CStr(vDate)) & "'"
Else sqlWriteDateWNull = "NULL"
End If
End Function

Public Function sqlWriteBooleanWNull(vValue)
If IsNull(vValue) Then
sqlWriteBooleanWNull = "NULL"
ElseIf CBool(vValue) Then
sqlWriteBooleanWNull = 1
Else sqlWriteBooleanWNull = 0
End If
End Function

Help!
...dumb and dumber

SQL Injection - ASP with MS IIS and MS Access DB

Help! I'm spreadeagled and vulnerable!

TabooLeather

Arno_Adams

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week