I have a new dev/test environment that is in IIS 10 (with asp classic as api) and SQL Server 2016. Today, I noticed that some posts was doubling records in the database. Upon further review, the IIS logs only show one request, but SQL Trace shows 2 concurrent SQL:BatchCompleted traces for every call to the database using the unsecure
cn.execute "stored_procedure 'param1'"method, but any database call that is with a prepared statement only has one RPC:Completed hit in the trace and is performing like normal.
Our production environment has the same SQL version, but is still in IIS6, currently. I lost my dev IIS box with the same setup a couple weeks ago and hadn't noticed this before. About 90% of our API has been in use in production for over a decade without this happening, and it is not happening now.
I am a little new to IIS 10 as I have been maintaining the IIS6 environment this whole time, so perhaps I have configured something wrong, but other than enabling ASP classic and parent paths, I haven't modified much to get our legacy API running.
Sample of ASP that is causing double executions:
dim cn
dim dbConnectionString
dim SQL
dim rs
dbConnectionString = "Provider=SQLNCLI11;Server=srvr\instance;Database=DB;Uid=user;Pwd=pass;"
Set cn = Server.CreateObject("ADODB.Connection")
cn.open dbConnectionString
cn.CommandTimeout = 0
SQL = "store_procedure_name 'paramValue'"
set rs = server.CreateObject("ADODB.Recordset")
RS.Open SQL, cn, adOpenStatic, adLockReadOnly
Response.Write( rs(0) )
rs.Close
set rs = nothing
Response.endAnd using an ADODB prepared statement results in normal execution:
Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
With cmd
.ActiveConnection = cn
.CommandType = adCmdStoredProc
.CommandText = "StoredProcedureName"
.CommandTimeout = 0
End WithWhat am I missing that has been driving me insane all day? The majority of the API uses the less secure string method (I am aware of SQL injection, etc.) as we haven't been allotted the time to refactor to prepared statements. However, All new code is written with prepared statements.
I have even created a second site from scratch to see if it was a configuration setting - same thing is happening.