How to handle SQL Statement when variable is on the column name
Posted on 2008-10-10
I have the following SQL statement within my ASP code. I am just auditing the code to stop SQL Injection vulnerabilities, so I am taking the likes of this code and putting it into a stored procedure and creating ADO parameters where required.
But the variable for this SQL statement is on the table column rather than the value being the parameter.
What would be the best way to handle this within a stored procedure, with security against SQL attacks being the main objective, including how to pass the variable to the stored procedure from my ASP.Net page?
Select * from tbl1 Where " & Request("frmSelection") & " = 1 Order By id asc
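
One way to handle the statement above, as an added example that is not part of the original post: the column name arrives as an ordinary parameter, is resolved against the table's real columns, and only the catalog's own spelling of it, bracket-quoted, is placed into the dynamic SQL. It assumes SQL Server (T-SQL) and the dbo schema; the procedure name and the column name in the sample calls are hypothetical.

```sql
-- Added example (T-SQL; SQL Server and the dbo schema are assumptions).
-- dbo.usp_Tbl1_SelectByFlag is a hypothetical name; tbl1 and id come from the post.
CREATE PROCEDURE dbo.usp_Tbl1_SelectByFlag
    @ColumnName sysname              -- the value that used to be Request("frmSelection")
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @SafeColumn nvarchar(258);   -- QUOTENAME returns at most 258 characters
    DECLARE @Sql        nvarchar(max);

    -- Resolve the input against the catalog. Only an exact match on an existing
    -- column of dbo.tbl1 yields a value, and the text that is used afterwards is
    -- the catalog's c.name, not the caller's string.
    SELECT @SafeColumn = QUOTENAME(c.name)
    FROM sys.columns AS c
    WHERE c.object_id = OBJECT_ID(N'dbo.tbl1')
      AND c.name = @ColumnName;

    -- Anything that is not a column of the table is refused before any SQL is built.
    IF @SafeColumn IS NULL
    BEGIN
        RAISERROR(N'Unknown column name.', 16, 1);
        RETURN;
    END;

    -- Identifiers cannot be bound as parameters, so the validated, quoted name is
    -- concatenated; the comparison value is still passed as a real parameter.
    SET @Sql = N'SELECT * FROM dbo.tbl1 WHERE ' + @SafeColumn
             + N' = @FlagValue ORDER BY id ASC;';

    EXEC sys.sp_executesql @Sql, N'@FlagValue int', @FlagValue = 1;
END;
GO

-- Constructed sample calls (IsActive is a hypothetical column name).
EXEC dbo.usp_Tbl1_SelectByFlag @ColumnName = N'IsActive';     -- runs if the column exists
EXEC dbo.usp_Tbl1_SelectByFlag @ColumnName = N'1 = 1 OR id';  -- refused: not a column of tbl1
```

To restrict the choice to the columns the form is meant to offer, add a fixed `c.name IN (...)` list to the lookup. Dynamic SQL inside a procedure is checked against the caller's permissions, so the calling login needs SELECT on the table unless the procedure uses EXECUTE AS.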