I want to simply retrieve a single record from a database in a classic ASP page. The code below basically works, but there are a couple problems I need help solving:
1) I want to see if a record was returned or not. result is not Nothing, so the redirect at the bottom is never performed. contact.RecordCount always returns -1, so I apparently can't use that either. Oddly, trying to access RecordCount outside the function throws an "Object doesn't support this property or method: 'RecordCount'" error.
2) I've read about disconnected queries and have seen examples where the connection and command are closed and/or set to Nothing at the end of the function. Is there a definitive best practice on what I should do?
3) Will using a parameterized query fully protect me from SQL injection, or do I need to manually remove dangerous words and characters?
function GetContactByUsername(username)
Dim conn, command, param, contact
set conn = server.CreateObject("adodb.connection")
conn.Open Application("DatabaseConnectionString")
Set command = Server.CreateObject("ADODB.COMMAND")
set command.ActiveConnection = conn
command.CommandType = adCmdText
command.CommandText = "Select * from MY_DATABASE.dbo.Contact where Username = ?"
Set param = command.CreateParameter ("Username", adVarWChar, adParamInput, 50)
param.value = username
command.Parameters.Append param
Set contact = Server.CreateObject("ADODB.RECORDSET")
contact.Open command
Response.Write contact.RecordCount '' always -1
set GetContactByPurlCode = contact
end function
dim result
result = GetContactByUsername(Request.QueryString("username"))
if result is Nothing then '' never true
Response.Redirect "/notfound.asp"
end if
FirstName = Trim(result("FirstName"))
LastName = Trim(result("LastName "))
