调用存储过程，返回值，经典ASP我缺少什么？

Question

My stored procedure:

CREATE PROCEDURE [dbo].[uspUserIsInGroup]
@username varchar(30),
@groupname varchar(30),
@ReturnCount int OUTPUT
    AS
    BEGIN
  SET NOCOUNT ON;

      SELECT @ReturnCount = count(*)
      FROM sys.database_role_members AS m
      INNER JOIN sys.database_principals AS dp
         ON m.member_principal_id = dp.principal_id
      INNER JOIN sys.server_principals AS l
         ON dp.[sid] = l.[sid]
      INNER JOIN sys.database_principals AS r
         ON m.role_principal_id = r.principal_id
      WHERE 1=1
      AND l.name = @username
      AND r.name = @groupname
  END

My asp code:

 Set cn = CreateObject("ADODB.Connection")
 Set cmd = CreateObject("ADODB.Command")
 cn.Open db
 Set cmd.ActiveConnection = cn
 cmd.CommandText = "uspUserIsInGroup"
 cmd.CommandType = 4 '4=adCmdStoredProc

 cmd.Parameters.Append cmd.CreateParameter("@username", 203, 1, 100, "peds\pss_admin")
 cmd.Parameters.Append cmd.CreateParameter("@groupname", 203, 1, 100, "rolePSS_admin")
 cmd.Parameters.Append cmd.CreateParameter("@ReturnCount", 200, 2, 255)
 cmd.Execute
 response.write "value returned is: " & cmd.Parameters(2).Value & "<br />"

I've tried:

 response.write "value returned is: " & cmd.Parameters(2).Value & "<br />"
 response.write "value returned is: " & cmd.Parameters(2) & "<br />"
 response.write "value returned is: " & cmd.Parameters("@ReturnCount").Value & "<br />"
 response.write "value returned is: " & cmd.Parameters("@ReturnCount") & "<br />"

I've tried with '@' and without. I've checked the permissions. In call cases I get '0', but the value should be 1.

Running a trace on SQL, this is what's being run:

declare @p3 int
set @p3=0
exec uspUserIsInGroup N'peds\pss_admin',N'rolePSS_admin',@p3 output
select @p3

Which does give a result of 1.

What am I doing wrong, what am I missing? Does it have any thing to do with the fact that when I run the code from the Trace, the result has "(No column name)"?

Thanks!

Answer 1

As discussed in the comments the result of your query can change according to the permissions of the logged in user.

You can use procedure signing if you don't want to grant the asp account the required permissions directly.

sys.database_principals states

Any user can see their own user name, the system users, and the fixed database roles. To see other users, requires ALTER ANY USER, or a permission on the user. To see user-defined roles, requires ALTER ANY ROLE, or membership in the role.

sys.database_role_members states

Any user can view their own role membership. To view other role memberships requires membership in the db_securityadmin fixed database role or VIEW DEFINITION on the database.

sys.server_principals states

Any login can see their own login name, the system logins, and the fixed server roles. To see other logins, requires ALTER ANY LOGIN, or a permission on the login. To see user-defined server roles, requires ALTER ANY SERVER ROLE, or membership in the role.

Answer 2

cmd.Parameters.Append cmd.CreateParameter("@username", 203, 1, 100, "peds\\pss_admin") cmd.Parameters.Append cmd.CreateParameter("@groupname", 203, 1, 100, "rolePSS_admin") cmd.Parameters.Append cmd.CreateParameter("@ReturnCount", 200, 2, 255)

-should be-

cmd.Parameters.Append cmd.CreateParameter("@username", adVarChar, adParamInput, 30, "peds\pss_admin")
cmd.Parameters.Append cmd.CreateParameter("@groupname", adVarChar, adParamInput, 30, "rolePSS_admin")
cmd.Parameters.Append cmd.CreateParameter("@ReturnCount",adInteger,adParamOutput)

where adInteger = 3, adParamOutput = 2, adVarChar = 200

so your statement output parameter using hard-coded numbers should read:

cmd.Parameters.Append cmd.CreateParameter("@ReturnCount", 3, 2)