Using parameters when calling a recordset

Dear all,

I have inherited an old classic ASP site (MS SQL 2005) that was fairly well secured against SQL injection and CSS using various techniques which I won't go into here. Recently there has been pressure from above to use parameters for extra protection. I researched and found solutions for INSERT and Recordset queries that finally now work; however, most of the examples on ASP/SQL info sites did not work for me.
Parameters are generally well documented, but I have trouble understanding what's going on security-wise. As an example, here is my 'get the id of a just inserted record' script:

CODE -->

set objCommand = server.CreateObject("adodb.command")
objCommand.ActiveConnection = CONN_STRING
objCommand.CommandText = "SELECT ID FROM dbo.Folders  WHERE appName = ?  ORDER BY ID DESC"
objCommand.Parameters(0).value = valappName
set rsFolders = objCommand.Execute() 

Now the above script works fine, but it's based on the example below, found on the internet, that I had to troubleshoot quite a bit to get to work:

CODE -->

set objCommand = server.CreateObject("adodb.command")
Set objCommand.ActiveConnection = objConn
objCommand.CommandText = "SELECT DISTINCT [field1] FROM [table1] WHERE field1 = ?"
objCommand.CommandType = 1     ' 1 = adCmdText: CommandText is a SQL statement
' CreateParameter(Name, Type, Direction, Size): 129 = adChar, 1 = adParamInput, 4 = max length
Set param1 = objCommand.CreateParameter ( "field1", 129,1,4)
param1.value = "ABCD"
objCommand.Parameters.Append param1
Set objRS = objCommand.Execute()

What worries me is the stuff I cut out. My line 'objCommand.Parameters(0).value = valappName' passes the value as a parameter, but is it safe without the other stuff such as ( "field1", 129,1,4)? I have read a lot about specifying data type, etc., but is this critical?

Any help or corrections to the code would be much appreciated.


"Nothing is impossible until proven otherwise"
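The following is an added example, not code from the original post, showing the poster's "ID of the just-inserted folder" query with the parameter declared explicitly. The injection protection is the same either way: in both the poster's version and this one the value travels to SQL Server as a parameter and is never spliced into the SQL text. What the explicit `CreateParameter` call adds is correctness and predictability. When the `Parameters` collection is empty and code touches `Parameters(0)`, ADO implicitly calls `Parameters.Refresh`, an extra round trip that asks the provider what type the `?` should be; declaring the type and size yourself avoids that round trip, stops SQL Server from having to convert the value to match the column, and lets the page reject oversized input before ADO raises a runtime error. `CONN_STRING` and `valappName` are assumed to exist as in the poster's site; the column width of 50 and the `TOP 1` are assumptions made for this example.

```vbscript
<%
Option Explicit
' Added example (not from the original post). Assumptions: CONN_STRING is an
' OLE DB connection string, valappName is the application name read from the
' request, and dbo.Folders.appName is varchar(50). Adjust the constants if not.

' ADO constants are not defined in classic ASP unless adovbs.inc or the ADO
' type library is referenced, so define the few that are used here.
Const adCmdText    = 1    ' CommandText is a SQL statement, not a proc name
Const adVarChar    = 200  ' SQL Server varchar (use 202 = adVarWChar for nvarchar)
Const adParamInput = 1    ' value flows from the page into the query

Const APPNAME_MAX_LEN = 50  ' assumed width of dbo.Folders.appName

Function GetLatestFolderId(connString, appName)
    Dim objCommand, param, rs

    ' Refuse values the column cannot hold instead of letting ADO fail at
    ' Execute time with "Parameter object is improperly defined".
    If Len(appName) > APPNAME_MAX_LEN Then
        Err.Raise vbObjectError + 1, "GetLatestFolderId", "appName too long"
    End If

    Set objCommand = Server.CreateObject("ADODB.Command")
    objCommand.ActiveConnection = connString
    objCommand.CommandType = adCmdText
    ' TOP 1 is added here so only the newest row comes back.
    objCommand.CommandText = "SELECT TOP 1 ID FROM dbo.Folders WHERE appName = ? ORDER BY ID DESC"

    ' Declaring the parameter up front means ADO does not have to call
    ' Parameters.Refresh to discover the type, and the value is sent as
    ' varchar(50), matching the column, so no implicit conversion is needed.
    Set param = objCommand.CreateParameter("appName", adVarChar, adParamInput, APPNAME_MAX_LEN, appName)
    objCommand.Parameters.Append param

    Set rs = objCommand.Execute()
    If rs.EOF Then
        GetLatestFolderId = 0
    Else
        GetLatestFolderId = rs("ID").Value
    End If
    rs.Close
    Set rs = Nothing
    Set objCommand = Nothing
End Function

' Usage. Whatever characters appName contains, they are data to SQL Server,
' because the statement text above never changes.
Response.Write GetLatestFolderId(CONN_STRING, valappName)
%>
```

If the column is `nvarchar`, use `adVarWChar` (202) instead, since passing a `varchar` parameter against an `nvarchar` column (or the reverse) forces SQL Server to convert one side and can defeat the index on `appName`.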
