I am trying to modify my existing SQL statement in opening a table with a parameter. I read somewhere that a prepared statement will prevent SQL injection. Below is as far as I was able to go in my research. I am also updating a record. When I run the program I get an error message:
ADODB.Recordset error '800a0cb3' Current Recordset does not support updating. This may be a limitation of the provider, or of the selected locktype
The code is:
Set objCmd = Server.CreateObject("ADODB.Command")
Set rsUsers = Server.CreateObject("ADODB.Recordset")
' Use Set here: without it VBScript assigns the connection's default property (the
' connection string) and ADO silently opens a second connection.
Set objCmd.ActiveConnection = objConn
objCmd.CommandType = adCmdText
objCmd.CommandText = "SELECT * FROM Member WHERE SSN = ?"
' Parameters bind by position to each "?", so the name is only a label.
' Size must be > 0, so guard against an empty strSSN before reaching this line.
objCmd.Parameters.Append objCmd.CreateParameter("@SSN", adChar, adParamInput, Len(strSSN), strSSN)
rsUsers.CursorType = adOpenKeyset
rsUsers.LockType = adLockOptimistic
' Command.Execute always returns a forward-only, read-only recordset, which is what
' produced error 800a0cb3. Open the recordset from the Command object instead so
' the CursorType and LockType set above are honoured.
rsUsers.Open objCmd
I am not even sure if my code above is what a prepared statement should look like.
Please, anyone, point me in the right direction or help me with my code above.
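The pattern the question is after, as an added example (not the asker's code): the string-concatenated query that is open to SQL injection, the parameterised Command with the recordset opened from it so the keyset/optimistic settings survive, and a parameterised UPDATE that needs no updatable cursor at all. It assumes objConn is an open ADODB.Connection, the ADO constants are available via adovbs.inc, the SSN column is 11 characters wide, and Member has a hypothetical LoginCount column.

```vbscript
' Added example, not the question's code. Assumptions: objConn is an open
' ADODB.Connection, adovbs.inc is included, SSN is CHAR(11) and Member has a
' hypothetical LoginCount column.
Const SSN_WIDTH = 11
Dim strSSN, objCmd, rsUsers, objUpd
strSSN = Request.Form("ssn")
If Len(strSSN) = 0 Or Len(strSSN) > SSN_WIDTH Then Response.End  ' size 0 breaks CreateParameter

' 1) Injectable form: the user's value becomes part of the SQL text, so a quote
'    character in the input changes the statement rather than being compared to SSN.
' Set rsUsers = objConn.Execute("SELECT * FROM Member WHERE SSN = '" & strSSN & "'")

' 2) Parameterised form: the SQL text is fixed and the value travels separately as data.
Set objCmd = Server.CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn      ' Set, or VBScript copies only the connection string
objCmd.CommandType = adCmdText
objCmd.CommandText = "SELECT * FROM Member WHERE SSN = ?"
objCmd.Parameters.Append objCmd.CreateParameter("@SSN", adChar, adParamInput, SSN_WIDTH, strSSN)

' Open the recordset from the Command so cursor and lock settings are honoured;
' Command.Execute on its own returns a read-only, forward-only recordset (error 800a0cb3).
Set rsUsers = Server.CreateObject("ADODB.Recordset")
rsUsers.CursorType = adOpenKeyset
rsUsers.LockType = adLockOptimistic
rsUsers.Open objCmd

If Not rsUsers.EOF Then
    rsUsers("LoginCount") = rsUsers("LoginCount") + 1   ' hypothetical column
    rsUsers.Update
End If
rsUsers.Close
Set rsUsers = Nothing

' 3) Alternative that avoids the updatable-cursor requirement entirely:
'    a parameterised UPDATE executed directly through a Command.
Set objUpd = Server.CreateObject("ADODB.Command")
Set objUpd.ActiveConnection = objConn
objUpd.CommandType = adCmdText
objUpd.CommandText = "UPDATE Member SET LoginCount = LoginCount + 1 WHERE SSN = ?"
objUpd.Parameters.Append objUpd.CreateParameter("@SSN", adChar, adParamInput, SSN_WIDTH, strSSN)
objUpd.Execute
Set objUpd = Nothing
```

Either 2) or 3) on its own is enough; 3) is the simpler choice when the page only needs to change a row and never reads it back.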