
Using parameters when calling a recordset


madanthrax

IS-IT--Management
Sep 15, 2001
Dear all,

I have inherited an old classic ASP site (MS SQL 2005) that was fairly well secured against SQL injection and CSS using various techniques which I won't go into here. Recently there has been pressure from above to use parameters for extra protection. I researched and found solutions for INSERT and Recordset queries that finally now work; however, most of the examples on ASP/SQL info sites did not work for me.
Parameters are generally well documented, but I have trouble understanding what's going on security-wise. As an example, here is my 'get the id of a just inserted record' script:

Code:
' Create the ADO Command and point it at the connection string (a string is
' accepted here; ADO opens its own connection for the command)
set objCommand = server.CreateObject("adodb.command")
objCommand.ActiveConnection = CONN_STRING
' The "?" is a positional placeholder; the value is sent separately, never
' concatenated into the SQL text
objCommand.CommandText = "SELECT ID FROM dbo.Folders  WHERE appName = ?  ORDER BY ID DESC"
' No CreateParameter/Append: touching Parameters(0) makes ADO call
' Parameters.Refresh and ask the provider for the parameter's type and size
objCommand.Parameters(0).value = valappName
set rsFolders = objCommand.Execute()

Now the above script works fine but its based on the example below found on the internet that I had to troubleshoot quite a bit to get to work:

Code:
set objCommand = server.CreateObject("adodb.command")
' Reuse an already open ADODB.Connection object
Set objCommand.ActiveConnection = objConn
objCommand.CommandText = "SELECT DISTINCT [field1] FROM [table1] WHERE field1 = ?"
' 1 = adCmdText: CommandText is a SQL statement, not a stored procedure name
objCommand.CommandType = 1
' CreateParameter(Name, Type, Direction, Size):
'   129 = adChar, 1 = adParamInput, 4 = max length in characters
Set param1 = objCommand.CreateParameter ( "field1", 129,1,4)
param1.value = "ABCD"
' The parameter must be appended before Execute, in placeholder order
objCommand.Parameters.Append param1
Set objRS = objCommand.Execute()

What worries me is the stuff I cut out. My line 'objCommand.Parameters(0).value = valappName' passes the value as a parameter, but is it safe without the other stuff such as ( "field1", 129,1,4)? I have read a lot about specifying data type etc., but is this critical?

Any help or corrections to the code would be much appreciated.

Anthony.

"Nothing is impossible until proven otherwise"
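The explicit form of the poster's first query, written as an added example for this thread (it is not the original poster's code): the parameter is created with a named type, direction and size instead of relying on ADO to discover them. It assumes, as in the post, a `CONN_STRING` connection string and a table `dbo.Folders` with an integer `ID` and an `appName` column, and it further assumes `appName` is `varchar(50)`; the `TOP 1` and the function wrapper are additions for the example.

```vbscript
<%
' Added example (not from the original post): explicit ADO parameters in classic ASP.
' Assumes SQL Server 2005, a CONN_STRING constant, and dbo.Folders(ID int, appName varchar(50)).
Option Explicit

' ADO constants normally pulled in from adovbs.inc; declared here so the page stands alone
Const adCmdText    = 1
Const adVarChar    = 200
Const adParamInput = 1

Function GetLatestFolderId(connStr, appName)
    Dim cmd, rs, p
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = connStr
    cmd.CommandType = adCmdText
    ' The SQL text is fixed at write time; the caller's value never becomes part of it
    cmd.CommandText = "SELECT TOP 1 ID FROM dbo.Folders WHERE appName = ? ORDER BY ID DESC"
    ' Explicit type and size: the provider sends a typed varchar argument to SQL Server.
    ' Size must cover the column width (assumed 50 here); longer values are truncated
    ' to Size, so a too-small Size silently changes what is compared.
    Set p = cmd.CreateParameter("appName", adVarChar, adParamInput, 50, appName)
    cmd.Parameters.Append p
    Set rs = cmd.Execute
    If rs.EOF Then
        GetLatestFolderId = 0   ' no folder for this application name
    Else
        GetLatestFolderId = CLng(rs("ID"))
    End If
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

' Usage: a value containing a quote is passed through unchanged as data,
' so the statement above is neither broken nor altered by it
Response.Write GetLatestFolderId(CONN_STRING, "O'Brien's app")
%>
```

Two points the poster asked about. First, safety: both forms send the value as a bound argument, so neither concatenates user input into the statement; what `Parameters(0).value` alone skips is control, not protection. Referencing `Parameters(0)` before anything is appended makes ADO call `Parameters.Refresh`, which costs a round trip to the server and depends on the provider being able to describe the parameters of a plain text command; an explicit `CreateParameter` avoids both. Second, type and size: they decide how the value is converted and truncated before SQL Server sees it, so a `varchar` parameter of the wrong length or an integer column bound as text can produce a wrong match or a conversion error even though the query is injection-safe. Separately, `ORDER BY ID DESC` returns the highest `ID` for that `appName`, which under concurrent inserts is not necessarily the row this request just inserted; `SCOPE_IDENTITY()` on the same connection right after the `INSERT` is the usual way to get that.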