How do I run a parameterized SQL query in classic ASP? And is it secure?

Question

I'm about to have to deal with some SQL code in classic ASP VBScript.

I have two questions.

First, in .net, I'm used to using the System.Data.SqlClient namespace objects to perform queries. For example:

Dim conn as New SqlConnection("Data Source=MyServer;uid=myUid;pwd=myPwd;Initial Catalog=myDataBase;"  
Dim cmd as New SqlCommand("Select fname From myTable where uid=@uid;", conn)  
cmd.Parameters.add(New SqlParameter("@uid",100323)  
conn.open()
Response.Write(cmd.ExecuteScalar())
conn.Close()

I've been told that using a parameterized query as such makes my query secure from SQL injection attacks.

I'd like to know what is the equivalent code to do such a query in classic ASP with VBScript and what similar security precautions must be used to guard against SQL injection.

Answer 1

http://support.microsoft.com/kb/200190

Answer 2

There are ADODB Objects which do basically the same thing. ADODB.Command object is the equivalent to SqlCommand. From there it is basically doing the same as in .NET.

set cmd = Server.CreateOject("ADODB.Command")
cmd.CommandText = "select From Table where ID = @id")
set param = cmd.CreateParameter("@id", adInteger, adInput,0,0)

I frequently use w3schools for help about ADO objects.