ASP Classic - Recordset Object vs. Command Object


Question

I am using ASP Classic and SQL Server 2000 to create dynamic websites.

I am a bit confused about when to use a recordset object and when to use a command object when querying the database.

I was told that if the stored procedure would be returning records from a SELECT statement then I should use a recordset, however if I am updating or inserting then I should use a command object and pass all data as parameters to the stored procedure.

When using a recordset I often pass any required data like so:

    rs.Source = "spTest "   & id

I always validate the data that I am passing to make sure it is what I am expecting and cast it to its correct type.

I have since been told however that the above method leaves my code open to SQL Injection attacks and that I should always use a command object.

Is this correct?

Thanks

Accepted answer

Yes, that's correct.

Imagine someone passing the string: '0; delete * from users;'

Your query would then be:

    spTest 0; delete * from users;

If you're lucky you won't have a users table. Personally, I would use the command object all the time for consistency. You can get everything you need from it.

Here is a quick example of how you might do it with the command object:

    ' ADO constants (adCmdStoredProc, adInteger, adParamInput, adParamOutput) come from
    ' adovbs.inc or the ADO type library; VBScript cannot qualify them as ADODB.adInteger.
    ' oDBConnection is an already-open ADODB.Connection.
    Dim oStoredProc : Set oStoredProc = Server.CreateObject("ADODB.Command")

    With oStoredProc
        .ActiveConnection = oDBConnection
        .CommandType = adCmdStoredProc
        .CommandText = "up_procname"
        ' Values travel as typed parameters, never as part of the SQL text
        .Parameters.Append .CreateParameter("@Param1", adInteger, adParamInput, 22, 11)
        .Parameters.Append .CreateParameter("@Param2", adInteger, adParamOutput, 22, 12)

        Call .Execute()

        ' Output parameters are populated after Execute returns
        myVal = .Parameters("@Param2").Value
    End With

    Set oStoredProc = Nothing
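Added example, not from the original answer: the same stored procedure called through a parameterised Command that also hands back a recordset, which covers the SELECT case the question asks about. It assumes an open ADODB.Connection named oDBConnection, a procedure spTest taking one integer parameter and returning a name column, and the ADO constants from adovbs.inc.

```vbscript
<%
' Example code, not from the original page. Assumes oDBConnection is open,
' spTest takes one integer parameter, and adovbs.inc supplies the ADO constants.
Dim id : id = Request.QueryString("id")

' Reject anything that is not a whole number before it reaches the database.
If Not IsNumeric(id) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' The question's rs.Source = "spTest " & id approach splices the raw value into the
' SQL text, so any extra statement appended to id would be executed as well.
' With a Command the value is bound as a typed parameter instead.
Dim cmd : Set cmd = Server.CreateObject("ADODB.Command")
Dim rs
With cmd
    .ActiveConnection = oDBConnection
    .CommandType = adCmdStoredProc
    .CommandText = "spTest"
    ' Size is ignored for adInteger; CLng forces the value to an integer.
    .Parameters.Append .CreateParameter("@id", adInteger, adParamInput, , CLng(id))
    ' Execute returns an ADODB.Recordset, so a Command covers the SELECT case too.
    Set rs = .Execute()
End With

Do Until rs.EOF
    ' HTMLEncode the output so database content cannot inject markup into the page.
    Response.Write Server.HTMLEncode(rs("name")) & "<br>"
    rs.MoveNext
Loop

rs.Close : Set rs = Nothing
Set cmd = Nothing
%>
```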
