Variable interpolation in ASP, ADO

Question

I am using a variable to interpolate in ASP, for this i have an vairable:

cid=Request.Form("customerID")  

and then,

rs.open "SELECT * FROM customers WHERE customerID='" & cid & "'",conn  

the above statement does not work.
while this works:

rs.open "SELECT * FROM customers WHERE customerID=1",conn  

can someone please help me???

Answer 1

you code is wide open for a SQL injection!!!

read about parametrized queries.

in your first SQL you have apostrophes (') which is bad if cid is a number