Simple query with ADO and Classic ASP

I want to simply retrieve a single record from a database in a classic ASP page. The code below basically works, but there are a couple problems I need help solving:

1) I want to see if a record was returned or not. result is not Nothing, so the redirect at the bottom is never performed. contact.RecordCount always returns -1, so I apparently can't use that either. Oddly, trying to access RecordCount outside the function throws an "Object doesn't support this property or method: 'RecordCount'" error.

2) I've read about disconnected queries and have seen exampl开发者_如何学编程es where the connection and command are closed and/or set to Nothing at the end of the function. Is there a definitive best practice on what I should do?

3) Will using a parameterized query fully protect me from SQL injection, or do I need to manually remove dangerous words and characters?

function GetContactByUsername(username)
    Dim conn, command, param, contact
    set conn = server.CreateObject("adodb.connection")
    conn.Open Application("DatabaseConnectionString")

    Set command = Server.CreateObject("ADODB.COMMAND")
    set command.ActiveConnection = conn
    command.CommandType = adCmdText
    command.CommandText = "Select * from MY_DATABASE.dbo.Contact where Username = ?"

    Set param = command.CreateParameter ("Username", adVarWChar, adParamInput, 50)
    param.value = username
    command.Parameters.Append param 

    Set contact = Server.CreateObject("ADODB.RECORDSET")

    contact.Open command

    Response.Write contact.RecordCount   '' always -1

    set GetContactByPurlCode = contact
end function

dim result
result = GetContactByUsername(Request.QueryString("username"))

if result is Nothing then     '' never true
    Response.Redirect "/notfound.asp"
end if

FirstName = Trim(result("FirstName"))
LastName = Trim(result("LastName "))

1) To check for a lack of records, use rs.EOF, not "Is Nothing." The RecordSet object is always an object. It's just that sometimes it doesn't have any rows.

If you want to use RecordCount but are getting -1, then switch to a client-side cursor (adUseClient).

2) No definitive best-practice here, but I've personally always closed the Connection and Command, and have not had much in the way of performance problems. Connection objects are particularly precious, so close them as early as possible on high volume pages.

3) Yes, parameterizing your variable is perfect, unless you are calling a stored procedure that constructs a dynamic query.

By the way, you should avoid "SELECT *" as that will cause you to return more data than needed and is a maintenance problem waiting to happen.