I want to just get one entry from the database on a classic ASP page. The code below basically works, but there are a few problems that I need to solve:
1) I want to see if the record was returned or not. result doesn't mean anything, so the redirect below is never performed. contact.RecordCount always returns -1, so I apparently can't use it either. Oddly enough, when you try to access the RecordCount outside the function, an "Object doesn't support this property or method: 'RecordCount'" error is thrown.
2) I read about disposing of objects and saw examples where the connection and the command are closed and/or set to Nothing at the end of the function. Is there some good practice regarding what I should do?
3) Will using a parameterized query completely protect me from SQL injection, or do I need to manually strip dangerous words and characters?
function GetContactByUsername(username)
    Dim conn, command, param, contact
    set conn = server.CreateObject("adodb.connection")
    conn.Open Application("DatabaseConnectionString")
    Set command = Server.CreateObject("ADODB.COMMAND")
    set command.ActiveConnection = conn
    command.CommandType = adCmdText
    command.CommandText = "Select * from MY_DATABASE.dbo.Contact where Username = ?"
    Set param = command.CreateParameter("Username", adVarWChar, adParamInput, 50)
    param.value = username
    command.Parameters.Append param
    Set contact = Server.CreateObject("ADODB.RECORDSET")
    contact.Open command
    Response.Write contact.RecordCount ' always -1
    set GetContactByUsername = contact ' return the recordset object
end function

dim result
Set result = GetContactByUsername(Request.QueryString("username"))
if result is Nothing then ' never true
    Response.Redirect "/notfound.asp"
end if
FirstName = Trim(result("FirstName"))
LastName = Trim(result("LastName"))
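For reference, an added classic ASP example (not the poster's code) that covers the three points in the question: it detects an empty result with EOF rather than RecordCount (which is -1 on the default forward-only cursor), releases the ADO objects explicitly, and relies on the parameter for injection protection instead of stripping characters. It assumes the Contact table has FirstName and LastName columns and a 50-character Username column; the Const lines duplicate the adovbs.inc values and should be dropped if the page already includes that file.

```vbscript
Const adCmdText = 1
Const adVarWChar = 202
Const adParamInput = 1
Const USERNAME_MAX_LEN = 50   ' assumed width of the Contact.Username column

' Returns True and fills firstName/lastName when a Contact row matches username.
' The value travels as a bound parameter, never as SQL text, so quotes or
' keywords in it cannot change the statement; no manual stripping is needed.
Function TryGetContactByUsername(username, ByRef firstName, ByRef lastName)
    Dim conn, cmd, param, rs
    TryGetContactByUsername = False
    firstName = "" : lastName = ""

    ' Input that cannot match any stored username is rejected before a round trip.
    If Len(username) = 0 Or Len(username) > USERNAME_MAX_LEN Then
        Exit Function
    End If

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("DatabaseConnectionString")

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT FirstName, LastName FROM MY_DATABASE.dbo.Contact WHERE Username = ?"
    Set param = cmd.CreateParameter("Username", adVarWChar, adParamInput, USERNAME_MAX_LEN, username)
    cmd.Parameters.Append param

    ' Execute returns a forward-only recordset, whose RecordCount is always -1.
    ' EOF is True immediately after opening when no row came back, so test that.
    Set rs = cmd.Execute
    If Not rs.EOF Then
        firstName = Trim(rs("FirstName").Value & "")   ' & "" turns a NULL into ""
        lastName  = Trim(rs("LastName").Value & "")
        TryGetContactByUsername = True
    End If

    ' Release in reverse order of creation so the connection returns to the pool.
    rs.Close : Set rs = Nothing
    Set cmd = Nothing
    conn.Close : Set conn = Nothing
End Function

' Page-level usage: redirect when nothing matched, otherwise the names are filled in.
Dim fn, ln
If Not TryGetContactByUsername(Request.QueryString("username"), fn, ln) Then
    Response.Redirect "/notfound.asp"
End If
```

Returning plain values instead of the open recordset is what lets the function close and release everything itself; a caller that needs more columns can extend the SELECT list and the output arguments.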