How can I use an ADODB.CommandObject with ADODB.RecordSet?

newJohnmp

I am trying to make a Classic ASP/VBScript website more secure by making SQL statements parameterized.

I have the following function:

[code]
Function OpenUpdateableRS(strSQL)
    Dim rs
    Set rs = Server.CreateObject("ADODB.Recordset")
    rs.Open strSQL, cnDZ, adOpenKeyset, adLockPessimistic, adCmdText
    Set OpenUpdateableRS = rs
    Set rs = Nothing
End Function
[/code]

I intend to convert it to something like:

[code]
Function SecureOpenUpdateableRS(strSQL, strParam1, strParam2)
    Dim rs
    Dim cmdOB
    Set cmdOB = Server.CreateObject("ADODB.CommandObject")
    With cmdOB
        .ActiveConnection = cnDZ
        .CommandText = strSQL
        .Parameters(0).value = strParam1
        .Parameters(0).value = strParam2
    End With
    Set rs = Server.CreateObject("ADODB.Recordset")
    rs.Open cmdOB.Execute, , adOpenKeyset, adLockPessimistic
    Set SecureOpenUpdateableRS = rs
    Set rs = Nothing
End Function
[/code]

When I call the function with:

[code]
Set rs = SecureOpenUpdateableRS("SELECT CustID, LastActive, LoggedIn, SessionID FROM tblLogins WHERE EMail = ? AND PWord = ?", strEMail, strPassword)
[/code]

I get a "500 - Internal Server Error", which is probably because I disabled debugging on the server.
Any ideas on how I could make the original function more secure without breaking it?
 
Back
Top
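A working parameterized version of the function, as an added example that is not the original poster's code. It assumes cnDZ is an already-open ADODB.Connection, that the ad* constants are available (adovbs.inc or a METADATA TYPELIB include), and that every placeholder value is a string; the parameter type (adVarWChar) and size (255) are assumptions and should be matched to the real column types. The parameters are passed as an array so the function works for any number of "?" placeholders, not only two.

```vbscript
' Added example: parameterized replacement for OpenUpdateableRS.
' Assumes cnDZ is an open ADODB.Connection and the ad* constants are defined.
Function SecureOpenUpdateableRS(strSQL, arrParams)
    Dim cmd, rs, i, prm

    ' The ProgID is "ADODB.Command"; "ADODB.CommandObject" does not exist and
    ' Server.CreateObject fails with "ActiveX component can't create object".
    Set cmd = Server.CreateObject("ADODB.Command")
    With cmd
        ' Use Set: without it ADO reads the Connection's default property
        ' (ConnectionString) and opens a second, separate connection.
        Set .ActiveConnection = cnDZ
        .CommandText = strSQL
        .CommandType = adCmdText

        ' Each "?" in strSQL needs a Parameter object appended in order.
        ' Reading .Parameters(0) before any exist raises an error.
        ' Type/size are assumptions (adVarWChar, 255); match them to the schema.
        For i = 0 To UBound(arrParams)
            Set prm = .CreateParameter("p" & i, adVarWChar, adParamInput, 255, arrParams(i))
            .Parameters.Append prm
        Next
    End With

    Set rs = Server.CreateObject("ADODB.Recordset")
    ' Pass the Command object itself as the Source and leave ActiveConnection
    ' blank (ADO requires that when Source is a Command). cmd.Execute would
    ' return a forward-only, read-only recordset, so the cursor and lock
    ' arguments would be ignored and the rows could not be updated.
    rs.Open cmd, , adOpenKeyset, adLockPessimistic
    Set SecureOpenUpdateableRS = rs
End Function

' Usage with the query from the question; strEMail and strPassword are the
' user-supplied values and are never concatenated into the SQL text.
Dim rs
Set rs = SecureOpenUpdateableRS( _
    "SELECT CustID, LastActive, LoggedIn, SessionID FROM tblLogins WHERE EMail = ? AND PWord = ?", _
    Array(strEMail, strPassword))
If Not rs.EOF Then
    rs("LastActive") = Now()
    rs.Update
End If
rs.Close
Set rs = Nothing
```

Three things in the posted draft would each produce a 500 with friendly errors on: the ProgID "ADODB.CommandObject", assigning to Parameters(0) before any parameter has been appended (and assigning index 0 twice), and opening the Recordset from cmdOB.Execute rather than from the Command object. With debugging off IIS hides the actual message; turning on "Send errors to browser" (or checking the IIS log) shows which line fails. Parameterization removes the injection risk, but note that the query still compares PWord in SQL, which implies the stored value is either plaintext or a pre-hashed string; that is a separate problem that parameters do not address.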