Paramaterized SQL MS Access Get Recordset

When you build in-line SQL commands in a server side scripting language, such as ASP, and you use form input as part of the in-line SQL Command, you run the risk of SQL Injection. A malicious web user can try different combinations of input and can likely compromise your database, stealing data, by-passing logins and even deleting your data.

To avoid this, a web developer must

filter all input against a white list of allowed characters and must
use parameterized SQL (or prepared statements / stored procedures).

With ASP, you use ADODB and either an OLEDB or OBDC data connection to interact with MS Access databases. As the OLEDB driver is much, much faster it is the most common method.

Fortunately, ADODB and OLEDB allow you to use parameterized SQL statement with MS Access database files. [It gets better]

Number of Records: 1
ID	Company	Address	City	ST	ZipCode	Phone
2	The Boeing Company	100 N. Riverside Plaza	Chicago	IL	60606-1596	312-544-2000

<!--METADATA TYPE="typelib" uuid="00000205-0000-0010-8000-00AA006D2EA4" -->
<%
Dim conn, cmd, rs, command, param, companyID, item, htmlOut

' Did we POST the form?
if LCase(Request.ServerVariables("HTTP_METHOD")) = "post" then
    ' Not much in the way of filtering, but it will do for this example
    companyID = CInt(Request.Form("id"))
else 
    companyID = 1
end if

' a string with which we will create the HTML for a table to hold the results
htmlOut = ""

' Note the use of @id, that's the parameter
command = "SELECT id, company, type, address, address1, city, state, postalCode, phoneNumber "
command = command & "FROM companys WHERE (id = @id);"

Set cmd = Server.CreateObject("ADODB.Command")
Set conn = Server.CreateObject("ADODB.Connection")
Set rs = Server.CreateObject("ADODB.Recordset")

conn.open Application("examples")
Set cmd.ActiveConnection = conn

' This is where we tell ADODB what our parameter is, (an Integer), it's maximum allowed length
' and it's value, from out variable companyID
'
' Doing this means our value is only used as variable to compare against the ID column
' and can not be executed as in-line SQL
Set param = cmd.CreateParameter("id",adInteger,adParamInput,CLng(8),companyID)

' We must add our parameter to the command objects Parameters collection
cmd.Parameters.Append param

' We also must assign our SQL command to the ADODB command object.
cmd.CommandText = command

' Now we open a record set using the command object we prepared.
rs.Open cmd,,adOpenStatic

' From here down it is similar as any other data access method.
if NOT (rs.eof AND rs.eof) then
    htmlOut = "<table><thead><tr><td colspan="""& rs.fields.count &""">"
    htmlOut = htmlOut & "Number of Records:&nbsp;"& rs.recordcount 
    htmlOut = htmlOut & "</td></tr></thead><tbody><tr>"

    for each item in rs.fields
        htmlOut = htmlOut & "<td>"& item.name &"</td>"
    next
    htmlOut = htmlOut & "</tr><tr>"
    for each item in rs.fields
        htmlOut = htmlOut & "<td>"& item &"</td>"
    next
    htmlOut = htmlOut & "</tr></tbody></table>" 
end if

' clean up
rs.close
Set rs=nothing
conn.close
Set conn=nothing
Set param = nothing
Set cmd = nothing

Except where otherwise noted, this site, all content, and all source code and markup is licensed under a Creative Commons License Creative Commons License.

No part of this web site including all application code and examples may be used for commercial purposes without prior written permission from the author, Roderick W. Divilbiss of Overland Park, Kansas, United States of America.

How can you use parameterized SQL with ASP and MS Access?