VB Variables and SQL Queries


Problem description



Hello

How do I pass a variable containing data to an SQL Query. Here is my query

SELECT trn_date AS `Transaction Date`, item AS `Item Number`, type AS
`Policy Type`, pol AS `Policy Number`, `desc` AS Description, amt AS Amount,
rec AS `Customer #`, name AS Name, attn AS Attention,
street AS Street, city AS City, st AS State, zipcode AS ZIP
FROM invoice
ORDER BY rec



I'd like to insert a WHERE clause, WHERE INVOICE.REC="custID" with custID
being a string variable that the user enters into a text field. I know a
little bit about parameter queries and SQL, and again I am a noob when it
comes to VB. If someone can point me in the right direction that would be
great.

Thanks for all the help you guys have been, this is a great ng. Hopefully I
can contribute some in the days ahead.

john

Solution

Hi John,

where custid = '" & custvar & chr(39)

HTH,

Bernie Yaeger

"John Wildes" <no*****@spamthis.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...

Hello

How do I pass a variable containing data to an SQL Query. Here is my query

SELECT trn_date AS `Transaction Date`, item AS `Item Number`, type AS
`Policy Type`, pol AS `Policy Number`, `desc` AS Description, amt AS Amount, rec AS `Customer #`, name AS Name, attn AS Attention, street AS Street, city AS City, st AS State, zipcode AS ZIP
FROM invoice
ORDER BY rec


I'd like to insert a WHERE clause, WHERE INVOICE.REC="custID" with custID
being a string variable that the user enters into a text field. I know a
little bit about parameter queries and SQL, and again I am a noob when it
comes to VB. If someone can point me in the right direction that would be
great.

Thanks for all the help you guys have been, this is a great ng. Hopefully
I can contribute some in the days ahead.

john



"John Wildes" <no*****@spamthis.com> wrote...

I'd like to insert a WHERE clause, WHERE INVOICE.REC="custID" with custID
being a string variable that the user enters into a text field. I know a
little bit about parameter queries and SQL, and again I am a noob when it
comes to VB. If someone can point me in the right direction that would be
great.



John... if you haven't already developed bad habits... you may as well not
start now :-) Generally speaking the concatenation method of building a SQL
query is frowned upon because (used in the wrong places... and it isn't
always obvious where those places are) it opens your database to malicious
mischief through a process known as SQL Injection.

Unless you are very careful to check the input somebody can enter additional
SQL code which will pass along to the server with yours...

May as well use parameters (or stored procedures) from the start,
Tom
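The parameterized query Tom recommends, applied to John's SELECT, as an added example; this is not code from the thread or from any of the posters. It assumes a MySQL database reached through the MySql.Data provider (the backtick-quoted aliases in John's query are MySQL syntax), and the module name, the function names, the connection string and the sample customer number are placeholders chosen for the example. BuildConcatenatedSql reproduces Bernie's concatenation so the two forms can be compared side by side.

```vbnet
Imports System
Imports System.Data
Imports MySql.Data.MySqlClient   ' assumption: MySQL reached via the MySql.Data provider

Module InvoiceQueries   ' hypothetical module name

    ' The column list from John's query, unchanged.
    Private Const SelectList As String =
        "SELECT trn_date AS `Transaction Date`, item AS `Item Number`, type AS `Policy Type`, " &
        "pol AS `Policy Number`, `desc` AS Description, amt AS Amount, rec AS `Customer #`, " &
        "name AS Name, attn AS Attention, street AS Street, city AS City, st AS State, " &
        "zipcode AS ZIP FROM invoice"

    ' Bernie's form: the text box contents are spliced into the SQL text, so
    ' whatever the user types becomes part of the statement. A value that
    ' contains a quote (O'Brien) ends the literal early and changes the
    ' statement's structure; that is the opening Tom describes.
    Public Function BuildConcatenatedSql(custVar As String) As String
        Return SelectList & " WHERE rec = '" & custVar & Chr(39) & " ORDER BY rec"
    End Function

    ' Tom's form: the statement is fixed text with a placeholder, and the
    ' user's value travels to the server separately as a parameter. The
    ' server never parses the value as SQL, so its contents cannot alter
    ' the statement. Note the WHERE clause sits between FROM and ORDER BY.
    Public Function BuildParameterizedCommand(conn As MySqlConnection, custId As String) As MySqlCommand
        Dim cmd As New MySqlCommand(SelectList & " WHERE rec = @custId ORDER BY rec", conn)
        cmd.Parameters.Add("@custId", MySqlDbType.VarChar).Value = custId
        Return cmd
    End Function

    ' Runs the parameterized query and returns the matching rows.
    ' connectionString is supplied by the caller (placeholder below).
    Public Function LoadInvoices(connectionString As String, custId As String) As DataTable
        Dim table As New DataTable()
        Using conn As New MySqlConnection(connectionString)
            conn.Open()
            Using cmd As MySqlCommand = BuildParameterizedCommand(conn, custId)
                Using reader As MySqlDataReader = cmd.ExecuteReader()
                    table.Load(reader)
                End Using
            End Using
        End Using
        Return table
    End Function

    Sub Main()
        ' In the real form this would be txtCustId.Text (assumed control name);
        ' here it is a constructed sample value containing a quote.
        Dim custId As String = "O'Brien"

        ' The concatenated statement is printed only to show how the quote
        ' splits the literal; it is not executed.
        Console.WriteLine(BuildConcatenatedSql(custId))

        ' Placeholder connection string; replace with your own.
        Dim rows As DataTable = LoadInvoices("server=localhost;database=invoices;uid=app;pwd=PLACEHOLDER", custId)
        Console.WriteLine(rows.Rows.Count & " invoice rows for customer " & custId)
    End Sub

End Module
```

With the parameter the text from the text box is sent as a value, so a customer number containing a quote is matched literally rather than being spliced into the statement text. The parameter name (@custId) and the MySqlDbType follow the MySql.Data provider; other ADO.NET providers use the same Parameters collection but may use a different placeholder syntax, for example ? with OleDb.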


Hi Tom,

Forgive me, but that is about as paranoid as I've seen. There must be
hundreds of hackers out there just waiting for John to make a mistake!

Get serious - passing a variable to the sql string as I demonstrated is not
only common but practical.

Bernie

"Tom Leylan" <ge*@iamtiredofspam.com> wrote in message
news:uy**************@TK2MSFTNGP12.phx.gbl...

"John Wildes" <no*****@spamthis.com> wrote...

I'd like to insert a WHERE clause, WHERE INVOICE.REC="custID" with custID being a string variable that the user enters into a text field. I know a little bit about parameter queries and SQL, and again I am a noob when it comes to VB. If someone can point me in the right direction that would be great.

John... if you haven't already developed bad habits... you may as well not
start now :-) Generally speaking the concatenation method of building a
SQL query is frowned upon because (used in the wrong places... and it isn't
always obvious where those places are) it opens your database to malicious
mischief through a process known as SQL Injection.

Unless you are very careful to check the input somebody can enter additional SQL code which will pass along to the server with yours...

May as well use parameters (or stored procedures) from the start,
Tom


