asp插入 [英] asp insert
问题描述
当我尝试删除记录时,下面的代码运行良好。但是当我尝试插入记录时,我会收到以下错误
-2147217900:INSERT INTO语句中的语法错误。我如何解决
问题?
<%
Sub GetData(sql)
on error resume next
set conn = server.CreateObject(" ADODB.Connection")
conn.connectionstring =" Provider = Microsoft.Jet.OLEDB。 4.0;数据
来源=" &安培; Server.MapPath(" /db/upload/stelladb.mdb")& " ;;"
conn.open
conn.execute(sql)
set conn = nothing
如果Err.number<> 0然后
Response.Write(Err.number&":"& Err.Description&"< br>")
end if
on Error goto 0
End Sub
如果request.queryString(" Action")= 1则
GetData" DELETE * FROM Account WHERE ID =" &
Request.QueryString(" ID")
结束如果
如果request.queryString(" Action" )= 2然后
username = request.form(" username")
password = request.form(" password")
GetData" INSERT INTO帐户(用户名,密码)VALUES(&"''"&
username&"'',''"& password& "'')"
结束如果
%>
Eugene Anthony
***通过开发人员指南 http://www.developersdex.com 发送* **
The code bellow functions well when I attemp to delete a record. But
when I attemp to insert a record I am getting the following error
-2147217900:Syntax error in INSERT INTO statement. How do I solve the
problem?.
<%
Sub GetData (sql)
on error resume next
set conn = server.CreateObject("ADODB.Connection")
conn.connectionstring = "Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=" & Server.MapPath("/db/upload/stelladb.mdb") & ";"
conn.open
conn.execute(sql)
set conn = nothing
if Err.number <> 0 then
Response.Write(Err.number & ":" & Err.Description & "<br>")
end if
on Error goto 0
End Sub
If request.queryString("Action") = 1 then
GetData "DELETE * FROM Account WHERE ID=" &
Request.QueryString("ID")
End if
If request.queryString("Action") = 2 then
username = request.form("username")
password = request.form("password")
GetData "INSERT INTO Account(Username,Password) VALUES(" & "''" &
username & "'',''" & password & "'')"
End if
%>
Eugene Anthony
*** Sent via Developersdex http://www.developersdex.com ***
推荐答案
" Eugene Anthony" <所以*********** @ yahoo.com>在消息中写道
news:uH ************** @ TK2MSFTNGP04.phx.gbl ...
"Eugene Anthony" <so***********@yahoo.com> wrote in message
news:uH**************@TK2MSFTNGP04.phx.gbl...
代码波纹管运行良好当我试图删除一条记录。但是当我尝试插入记录时,我收到以下错误
-2147217900:INSERT INTO语句中的语法错误。我如何解决
问题?
<%
Sub GetData(sql)
错误恢复下一步
设置conn = server.CreateObject (ADODB.Connection)
conn.connectionstring =" Provider = Microsoft.Jet.OLEDB.4.0; Data
Source =" &安培; Server.MapPath(" /db/upload/stelladb.mdb")& &;;"
conn.open
conn.execute(sql)
设置conn =无
如果Err.number<> 0然后
Response.Write(Err.number&":"& Err.Description&"< br>")
结束如果
出错,请转到0
End Sub
如果request.queryString(" Action")= 1则
GetData" DELETE * FROM Account WHERE ID =" &
Request.QueryString(" ID")
结束如果
如果request.queryString(" Action")= 2则
username = request。 form(" username")
password = request.form(" password")
GetData" INSERT INTO帐户(用户名,密码)VALUES(&"''"& ;
用户名&"'',''"&密码&"'')"
结束如果
VALUES(" ;&"''"& username&"'',''"& password&"'')"
什么是 &安培; " for ??
i会把它写成VALUES(''"& username&"'',''"& password&"'''
但我确信其他人可能有更好的方法来做这件事。
%>
Eugene Anthony >
***通过开发人员指南 http://www.developersdex.com 发送***
The code bellow functions well when I attemp to delete a record. But
when I attemp to insert a record I am getting the following error
-2147217900:Syntax error in INSERT INTO statement. How do I solve the
problem?.
<%
Sub GetData (sql)
on error resume next
set conn = server.CreateObject("ADODB.Connection")
conn.connectionstring = "Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=" & Server.MapPath("/db/upload/stelladb.mdb") & ";"
conn.open
conn.execute(sql)
set conn = nothing
if Err.number <> 0 then
Response.Write(Err.number & ":" & Err.Description & "<br>")
end if
on Error goto 0
End Sub
If request.queryString("Action") = 1 then
GetData "DELETE * FROM Account WHERE ID=" &
Request.QueryString("ID")
End if
If request.queryString("Action") = 2 then
username = request.form("username")
password = request.form("password")
GetData "INSERT INTO Account(Username,Password) VALUES(" & "''" &
username & "'',''" & password & "'')"
End if
VALUES(" & "''" & username & "'',''" & password & "'')" what is the " & " for??
i would write it VALUES(''" & username & "'', ''" & password & "'')
but i am sure that others may have an even better way to do it.
%>
Eugene Anthony
*** Sent via Developersdex http://www.developersdex.com ***
Eugene Anthony写道:
Eugene Anthony wrote:
当我尝试删除记录时,下面的代码功能很好。但是当我尝试插入记录时,我收到以下错误
-2147217900:INSERT INTO语句中的语法错误。我如何解决
问题?。
The code bellow functions well when I attemp to delete a record. But
when I attemp to insert a record I am getting the following error
-2147217900:Syntax error in INSERT INTO statement. How do I solve the
problem?.
第一步是告诉我们
$ b $中涉及的字段的数据类型b查询(文本?数字?日期/时间?)。
第二步是向我们展示sql语句......而不是,向我们展示
应该生成sql语句的vbscript代码与向我们显示生成的sql语句一样不是
。你需要将连接结果分配给变量和response.write
变量:
sql =" ; INSERT INTO帐户(用户名,密码)VALUES("& _
"''"& username&"'',''"& password&" ;'')"
''在完成调试时注释掉以下两行
''*************** *********
response.write sql
response.end
''******** ****************
GetData sql
我怀疑你的问题是由于使用了保留关键字,
" password"作为你的领域的名称。你真的应该更改
这个名字,但是,如果你不能,你需要记住在查询中使用它时将它括起来
[密码]:
sql =" INSERT INTO帐户(用户名,[密码])VALUES(& _
"''"& username &"'',''"& password&"'')"
需要考虑的其他要点:
您对动态sql的使用是让你容易受到使用sql的黑客攻击
注入:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
见这里使用
参数标记执行查询的更好,更安全的方法:
http://groups-beta.google.com/group/...e36562fee7804e
就个人而言,我更喜欢使用存储过程,或保存参数查询
作为
他们在Access中是众所周知的:
访问:
http://www.google.com/groups?hl=en&l...TNGP12.phx.gbl
http://groups.google.com/groups?hl=e...tngp13.phx.gbl
-
Microsoft MVP - ASP / ASP.NET
请回复新闻组。我的From
标题中列出的电子邮件帐户是我的垃圾邮件陷阱,因此我不经常检查它。通过发布到新闻组,您将获得更快的回复。
The first step is to tell us the datatypes of the fields involved in the
query (Text? Number? Date/Time?).
The second step is to show us the sql statement ... and no, showing us
the vbscript code that is supposed to generate the sql statement is not
the same as showing us the resulting sql statement. You need to assign
the results of your concatenation to a variable and response.write the
variable:
sql="INSERT INTO Account(Username,Password) VALUES(" & _
"''" & username & "'',''" & password & "'')"
''comment out the following two lines when finished debugging
''************************
response.write sql
response.end
''************************
GetData sql
I suspect your problem is due to the use of a reserved keyword,
"password" as the name of your field. You really should change that
name, but, if you can''t, you will need to remember to bracket it
[password] when using it in your queries:
sql="INSERT INTO Account(Username,[Password]) VALUES(" & _
"''" & username & "'',''" & password & "'')"
Further points to consider:
Your use of dynamic sql is leaving you vulnerable to hackers using sql
injection:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
See here for a better, more secure way to execute your queries by using
parameter markers:
http://groups-beta.google.com/group/...e36562fee7804e
Personally, I prefer using stored procedures, or saved parameter queries
as
they are known in Access:
Access:
http://www.google.com/groups?hl=en&l...TNGP12.phx.gbl
http://groups.google.com/groups?hl=e...tngp13.phx.gbl
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don''t check it very often. You will get a
quicker response by posting to the newsgroup.
这会解决问题吗?
<%
函数getUserInput(input,stringLength)
dim tempStr
tempStr = left(trim(输入) ),stringLength)
''由于数据库黑客威胁而被替换
tempStr = replace(tempStr," - ","")
tempStr = replace(tempStr," ;;","")
tempStr = replace(tempStr," SCRIPT"," scrip-t" ,1,-1,1)
getUserInput = tempStr
结束函数
函数formatForDb(输入)
dim tempStr
tempStr =输入
''替换以避免DB错误
tempStr = replace(tempStr, "''","''''")
tempStr = replace(tempStr,"&","和")
formatForDb = tempStr
结束功能
%& gt;
Eugene Anthony
***通过开发人员发送索引 http://www.developersdex.com ***
Will this solve the problem?
<%
function getUserInput(input,stringLength)
dim tempStr
tempStr = left(trim(input),stringLength)
'' replace due to DB hack threats
tempStr = replace(tempStr,"--","")
tempStr = replace(tempStr,";","")
tempStr = replace(tempStr,"SCRIPT","s-c-r-i-p-t",1,-1,1)
getUserInput = tempStr
end function
function formatForDb(input)
dim tempStr
tempStr=input
'' replace to avoid DB errors
tempStr = replace(tempStr,"''","''''")
tempStr = replace(tempStr,"&"," and ")
formatForDb = tempStr
end function
%>
Eugene Anthony
*** Sent via Developersdex http://www.developersdex.com ***
这篇关于asp插入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!