I am creating one login validation page for my classic asp site(vbscript). as i want prevent my page from sql injection, i used parametrized queries in my page but i am unable to retrieve value after writing if "not recordset.eof" line. value is not passing. please help me to solve this issue. my code is below given.
Code:
<%
Dim Objrs, objConn, objCmd, str
Set objConn = Server.CreateObject("ADODB.Connection")
Set objCmd = Server.CreateObject("ADODB.Command")
Set Objrs = Server.CreateObject("ADODB.Recordset")
objConn.open MM_connDUdirectory_STRING '(already created)
Set objCmd.ActiveConnection = objConn
str = "SELECT * FROM admin WHERE Ausr=? AND Apwd=?"
objCmd.CommandText = str
objCmd.CommandType = adCmdText
dim objParam1, objParam2
Set objParam1 = objCmd.CreateParameter("param1", adVarChar, adParamInput, len(StrUserName), "")
objCmd.Parameters.Append objParam1
objCmd.Parameters("param1") = StrUserName
Set objParam2 = objCmd.CreateParameter("param2", adVarChar, adParamInput, len(StrPassword), "")
objCmd.Parameters.Append objParam2
objCmd.Parameters("param2") = StrPassword
set objRS = objCmd.execute
if objRS.EOF <> True and objRS.BOF <> True then
if Objrs("Ausr") = objCmd.Parameters("param1") then
response.Write(Objrs("Ausr"))
'response.Write should show username but its showing blank
end if
end if
%>