
value is not showing under recordset.eof using parameterized query in vbscript for my login page

I am creating a login validation page for my classic ASP site (VBScript). As I want to prevent my page from SQL injection, I used parameterized queries in my page, but I am unable to retrieve the value after writing the If Not Recordset.EOF line. The value is not passing. Please help me to solve this issue. My code is below:

<%
Dim Objrs, objConn, objCmd, str

Set objConn = Server.CreateObject("ADODB.Connection")
Set objCmd  = Server.CreateObject("ADODB.Command")
Set Objrs   = Server.CreateObject("ADODB.Recordset")

objConn.open MM_connDUdirectory_STRING '(already created)

Set objCmd.ActiveConnection = objConn

str = "SELECT * FROM admin WHERE Ausr=? AND Apwd=?"

objCmd.CommandText = str
objCmd.CommandType = adCmdText

dim objParam1, objParam2
Set objParam1 = objCmd.CreateParameter("param1", adVarChar, adParamInput, len(StrUserName), "")
objCmd.Parameters.Append objParam1
objCmd.Parameters("param1") = StrUserName

Set objParam2 = objCmd.CreateParameter("param2", adVarChar, adParamInput, len(StrPassword), "")
objCmd.Parameters.Append objParam2
objCmd.Parameters("param2") = StrPassword
set objRS = objCmd.execute


'if objRS.EOF <> True and objRS.BOF <> True then
'if Objrs("Ausr") = objCmd.Parameters("param1") then
'response.Write(Objrs("Ausr"))
'response.Write should show username but its showing blank
'end if
'end if

'Do While Not objRS.EOF
'if Objrs("Ausr") = objCmd.Parameters("param1") then
'response.Write(Objrs("Ausr"))
'end if
'objRS.MoveNext 
'Loop 

If Not objRS.EOF Then
response.write("Granted access to the user:" & StrUserName)
end if
%>

I tried with If..End If as above but it's showing the same problem; the recordset (objRS) parameterized method is not executing. It shows me a blank page. The code should check if the user exists or not. Response.Write("Granted access to the user:" & StrUserName) should show me the StrUserName value, but it's not showing and the page is blank. Please help me work out where I'm going wrong.

From what I can see with your current code, you have 2 problems:

  1. You have this condition: if objRS.EOF <> True and objRS.BOF <> True then. With this you are excluding the first and the last record from printing. I don't know why this is needed, but because you are not iterating over all the elements in your recordset (aka rows), you will never see any record printed.

  2. To overcome problem #1 you need to enclose all the code in a loop (for, while, do while) and use the objRS.MoveNext() function on your recordset object to read all the records obtained in your query.

These are all the problems that I can see with this limited context. I hope this helps.

More Information: Recordset Object Properties, Methods, and Events - MSDN

EDIT: Seeing the edit from the OP in the code, and the goal that I think he wants to achieve, I suggest this code instead:

'Do While Not objRS.EOF'
   'if Objrs("Ausr") = objCmd.Parameters("param1") then'
      'response.Write(Objrs("Ausr"))'
   'end if'
   'objRS.MoveNext' 
'Loop'


If Not objRS.EOF Then
    response.write("Granted access to the user:" & StrUserName)
End if

I'm assuming that you want to check if a single user is logged in.

Debug: check if you are passing the values to the parameters. Print out the values and see.

Response.write "StrUserName ="& StrUserName &"<br/>"
Response.write "StrPassword ="& StrPassword &"<br/>"
set objRS = objCmd.execute

Also, try passing in the values during creation of the parameter:

Set objParam1 = objCmd.CreateParameter("param1", adVarChar, adParamInput, len(StrUserName), StrUserName)

Actually, after looking closer at your code there are a few issues.

Didn't notice it at first, but it looks as though you're not setting the values correctly. There are two ways to do it:

Specify them during the CreateParameter() method

Call .Parameters.Append(.CreateParameter("param1", adVarChar, adParamInput, 50, StrUserName))
Call .Parameters.Append(.CreateParameter("param2", adVarChar, adParamInput, 50, StrPassword))

Specify them after creation of the parameters

Call .Parameters.Append(.CreateParameter("param1", adVarChar, adParamInput, 50))
Call .Parameters.Append(.CreateParameter("param2", adVarChar, adParamInput, 50))

.Parameters("param1").Value = StrUserName
.Parameters("param2").Value = StrPassword

At present you're setting the parameter object to a string, which won't give the expected result.


Give this a try:

<%
Dim objRS, objCmd, str

Set objCmd = Server.CreateObject("ADODB.Command")
Set objRS  = Server.CreateObject("ADODB.Recordset")

str = "SELECT * FROM admin WHERE Ausr=? AND Apwd=?"

With objCmd
  'No need to create ADODB.Connection as the ADODB.Command will do it
  'for you if you pass the Connection string.
  .ActiveConnection = MM_connDUdirectory_STRING
  .CommandText = str
  .CommandType = adCmdText

  'Don't pass blank values, just specify the name, data type,
  'direction and length.
  Call .Parameters.Append(.CreateParameter("param1", adVarChar, adParamInput, 50))
  Call .Parameters.Append(.CreateParameter("param2", adVarChar, adParamInput, 50))

  'If setting values after the CreateParameter() don't use blank strings in
  'the CreateParameter() call.
  .Parameters("param1").Value = StrUserName
  .Parameters("param2").Value = StrPassword
  Set objRS = .Execute()

  If Not objRS.EOF Then
    Call Response.Write("Granted access to the user:" & StrUserName)
  End If
End With
Set objCmd = Nothing
%>
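As an added example (not code from the question or from any of the answers above), here is the same parameterized check wrapped in a function that returns True or False instead of writing to the response, with the ADO constants declared so the page works without adovbs.inc and with the parameter size taken from the column width rather than Len(value). The column width of 50, the form field names and MM_connDUdirectory_STRING are assumptions.

```vbscript
<%
Option Explicit
' ADO constants normally come from adovbs.inc or a METADATA TYPELIB directive.
' Declared here so this page stands alone (assumption: no include file present).
Const adCmdText    = 1
Const adVarChar    = 200
Const adParamInput = 1

' Returns True when exactly one admin row matches the supplied credentials.
' Table and column names (admin, Ausr, Apwd) follow the question; the column
' width of 50 is an assumption and should match the real schema.
Function IsValidLogin(connStr, userName, password)
    Dim cmd, rs
    IsValidLogin = False

    ' Empty input can never match and would produce a zero-length adVarChar
    ' parameter, which ADO rejects, so fail fast instead of raising an error.
    If Len(userName) = 0 Or Len(password) = 0 Then Exit Function

    Set cmd = Server.CreateObject("ADODB.Command")
    With cmd
        .ActiveConnection = connStr
        .CommandType = adCmdText
        ' Placeholders keep the user-supplied text out of the SQL statement.
        .CommandText = "SELECT COUNT(*) AS cnt FROM admin WHERE Ausr = ? AND Apwd = ?"
        ' Size is the column width, not Len(value); values are set via .Value
        ' after Append, not passed as "" in CreateParameter().
        Call .Parameters.Append(.CreateParameter("usr", adVarChar, adParamInput, 50))
        Call .Parameters.Append(.CreateParameter("pwd", adVarChar, adParamInput, 50))
        .Parameters("usr").Value = userName
        .Parameters("pwd").Value = password
        Set rs = .Execute()
    End With

    If Not rs.EOF Then IsValidLogin = (rs("cnt").Value = 1)

    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

' Constructed usage: credentials come from the login form POST (field names assumed).
If IsValidLogin(MM_connDUdirectory_STRING, Request.Form("username"), Request.Form("password")) Then
    ' Encode before echoing user input back into the page.
    Response.Write "Granted access to the user: " & Server.HTMLEncode(Request.Form("username"))
Else
    Response.Write "Login failed"
End If
%>
```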

