asp和ms sql [英] asp and ms sql
问题描述
这是一个用ms sql创建的表:
创建表客户
(
CustomerID int IDENTITY,
FirstName varchar(25),
LastName varchar(25),
CompanyName varchar(25),
Phone int ,
电子邮件varchar(20),
密码varchar(20),
地址varchar(30),
Zip int,
StateID varchar(30),
City varchar(30),
CountryID varchar(30),
CustomerTypeID varchar(30),
会话varchar(30),
IP varchar(30),
LastUpdate Smalldatetime
)
这是在ms sql中创建的存储过程:
创建过程usp_InsertCustomer
@FirstName varchar(25),
@ LastName varchar(25),
@CompanyName varchar(25),
@Phone int ,
@Email varchar(20),
@Password varchar(20),
@Address varchar(30),
@Zip int,
@StateID var char(30),
@City varchar(30),
@CountryID varchar(30),
@CustomerTypeID int,
@IP varchar(20)
AS SET NOCOUNT ON
声明@sessionID AS UNIQUEIDENTIFIER
声明@ session AS varchar(255)
set @sessionID = NEWID()
set @session = convert(varchar(255),@ SessionID)
INSERT INTO客户
FirstName,LastName,CompanyName,电话,电子邮件,密码,地址,邮编,州ID,
City,CountryID ,CustomerTypeID,Session,IP,LastUpdat e
VALUES(@ FirstName,@ LastName,@ CompanyName,@ Phone,@ E mail,@ Password,@ Addres
s,@ Zip,@ StateID,@ City,@ CountryID,@ CustomerTypeID,@ session,@ IP,GETDATE())
在我的RegistrationExec.asp中,我有以下代码:
<! - #include file =" database_Function.asp" - >
<! - #include file =" string_Function.asp" - > ;
<! - #include file =" validateField_Functi on.asp">
<%
firstname = formatforDb(getUserInput(Request.Form(" textfield1" )))
lastname = formatforDb(getUserInput(Request.Form(" textfield2")))
companyname = formatforDb(getUserInput(Request.Form)" textfield3" )))
phone = formatforDb(getUserInput(Request.Form(" textfield4"))))
email = formatforDb(getUserInput(Request.Form)" textfield5" )))
password = formatforDb(getUserInput(Request.Form(" textfield6"))))
address = formatforDb(getUserInput(Request.Form)" textfield7" )))
zip = formatforDb(getUserInput(Request.Form(" textfield8")))
state = formatforDb(getUserInput(Request.Form(" select1" )))
otherstate = formatforDb(getUserInput(Request.Form(" textfield9")))
city = formatforDb(getUserInput(Request.Form(" textfield10") ;)))
country = formatforDb(getUserInput(Request.Form(" select2")))
if isLength(firstname)= false n
response.redirect" error_msg?msg =请填写第一个名字。
结束如果
if isLength(lastname)= false然后
response.redirect" error_msg?msg =请填写姓氏。
结束如果
if isLength(companyname)= false然后
response.redirect" error_msg?msg =请填写公司名称。
结束如果
if isLength(phone)= false然后
response.redirect" error_msg?msg =请填写电话号码。
结束如果
if isLength(email)= false则
response.redirect" error_msg?msg =请填写电子邮件地址。 ;
结束如果
如果isLength(密码)= false那么
response.redirect" error_msg?msg =请填写在密码中。
结束如果
if isLength(address)= false则
response.redirect" error_msg ?味精=请填写地址。
结束如果
如果isLength(zip)= false那么
response.redirect" error_msg?msg =请填写邮政编码。
结束如果
if(isLength(state)= true AND isLength(otherstate)= true )或者
(isLength(state)= false AND isLength(otherstate)= false)然后
response.redirect" error_msg?msg =请填写或选择州。
结束如果
如果isLength(city)= false那么
response.redirect" error_msg?msg =请填写这个城市。
结束如果
if isLength(country)= false那么
response.redirect ; error_msg?msg =请选择一个国家。
结束如果
如果isEmail(email)= false那么
response.redirect" error_msg?msg =您输入了一封无效的电子邮件
地址。
结束如果
if isZip(zip)= false然后
response.redi rect" error_msg?msg =您输入了无效的邮政编码。
结束如果
如果isPhone(phone)= false则
response.redirect" error_msg?msg =您输入了一个无效的手机
号码。
结束如果
Dim Temp
if isEmpty(state)then
Temp = otherstate
else
Temp = state
结束如果
mySQL =" EXECUTE usp_InsertCustomer @FirstName =''" &安培;名字&
"'',@ LastName =''" &安培;姓氏和",@公司名称=" &安培; companyname&
"'',@ Phone =''" &安培;电话& ",@电子邮件=" &安培;电子邮件& "'',@ Password =''" &
密码& ",@地址=" &安培;地址& ",@邮编=" &安培;拉链& "'',@ StateID =''"
& " KL" &安培; ",@市=" &安培;城市与城市",@ CountryID =" &安培; country&
"'',@ CustomerTypeID =" &安培; CInt(1)& ",@ IP =" &
Request.ServerVariables(" REMOTE_HOST")& "''"
调用updateDB(mySQL,rs)
rs.close()
CloseDB()
%>
我收到此错误:
错误类型:
用于SQL Server的Microsoft OLE DB提供程序(0x80040E57)
字符串或二进制数据将被截断。
/Mix/database_Function.asp,第15行
如何解决这个问题?
非常感谢您的帮助。
问候
Eugene Anthony
***通过开发人员指南 http发送://www.developersdex.com ***
This is a table created in ms sql:
create table customer
(
CustomerID int IDENTITY,
FirstName varchar(25),
LastName varchar(25),
CompanyName varchar(25),
Phone int,
Email varchar(20),
Password varchar(20),
Address varchar(30),
Zip int,
StateID varchar(30),
City varchar(30),
CountryID varchar(30),
CustomerTypeID varchar(30),
Session varchar(30),
IP varchar(30),
LastUpdate Smalldatetime
)
This is the stored procedure created in ms sql:
Create Procedure usp_InsertCustomer
@FirstName varchar(25),
@LastName varchar(25),
@CompanyName varchar(25),
@Phone int,
@Email varchar(20),
@Password varchar(20),
@Address varchar(30),
@Zip int,
@StateID varchar(30),
@City varchar(30),
@CountryID varchar(30),
@CustomerTypeID int,
@IP varchar(20)
AS SET NOCOUNT ON
Declare @sessionID AS UNIQUEIDENTIFIER
Declare @session AS varchar(255)
set @sessionID = NEWID()
set @session = convert(varchar(255),@SessionID)
INSERT INTO Customer
FirstName,LastName,CompanyName,Phone,Email,Passwor d,Address,Zip,StateID,
City,CountryID,CustomerTypeID,Session,IP,LastUpdat e
VALUES(@FirstName,@LastName,@CompanyName,@Phone,@E mail,@Password,@Addres
s,@Zip,@StateID,@City,@CountryID,@CustomerTypeID,@ session,@IP,GETDATE())
In my RegistrationExec.asp I have the following code:
<!--#include file="database_Function.asp"-->
<!--#include file="string_Function.asp"-->
<!--#include file="validateField_Function.asp"-->
<%
firstname = formatforDb(getUserInput(Request.Form("textfield1" )))
lastname = formatforDb(getUserInput(Request.Form("textfield2" )))
companyname = formatforDb(getUserInput(Request.Form("textfield3" )))
phone = formatforDb(getUserInput(Request.Form("textfield4" )))
email = formatforDb(getUserInput(Request.Form("textfield5" )))
password = formatforDb(getUserInput(Request.Form("textfield6" )))
address = formatforDb(getUserInput(Request.Form("textfield7" )))
zip = formatforDb(getUserInput(Request.Form("textfield8" )))
state = formatforDb(getUserInput(Request.Form("select1")))
otherstate = formatforDb(getUserInput(Request.Form("textfield9" )))
city = formatforDb(getUserInput(Request.Form("textfield10 ")))
country = formatforDb(getUserInput(Request.Form("select2")))
if isLength(firstname) = false then
response.redirect "error_msg?msg=Please fill in the first name."
end if
if isLength(lastname) = false then
response.redirect "error_msg?msg=Please fill in the last name."
end if
if isLength(companyname) = false then
response.redirect "error_msg?msg=Please fill in the company name."
end if
if isLength(phone) = false then
response.redirect "error_msg?msg=Please fill in the phone number."
end if
if isLength(email) = false then
response.redirect "error_msg?msg=Please fill in the email address."
end if
if isLength(password) = false then
response.redirect "error_msg?msg=Please fill in the password."
end if
if isLength(address) = false then
response.redirect "error_msg?msg=Please fill in the address."
end if
if isLength(zip) = false then
response.redirect "error_msg?msg=Please fill in the zip code."
end if
if (isLength(state) = true AND isLength(otherstate) = true) OR
(isLength(state) = false AND isLength(otherstate) = false) then
response.redirect "error_msg?msg=Please fill in or select a state."
end if
if isLength(city) = false then
response.redirect "error_msg?msg=Please fill in the city."
end if
if isLength(country) = false then
response.redirect "error_msg?msg=Please select a country."
end if
if isEmail(email) = false then
response.redirect "error_msg?msg=You have entered an invalid email
address."
end if
if isZip(zip) = false then
response.redirect "error_msg?msg=You have entered an invalid zip code."
end if
if isPhone(phone) = false then
response.redirect "error_msg?msg=You have entered an invalid phone
number."
end if
Dim Temp
if isEmpty(state) then
Temp = otherstate
else
Temp = state
end if
mySQL = "EXECUTE usp_InsertCustomer @FirstName=''" & firstname &
"'',@LastName=''" & lastname & "'',@CompanyName=''" & companyname &
"'',@Phone=''" & phone & "'',@Email=''" & email & "'',@Password =''" &
password & "'',@Address=''" & address & "'',@Zip=''" & zip & "'',@StateID=''"
& "kl" & "'',@City=''" & city & "'',@CountryID=''" & country &
"'',@CustomerTypeID=" & CInt(1) & ",@IP=''" &
Request.ServerVariables("REMOTE_HOST") & "''"
call updateDB(mySQL, rs)
rs.close()
CloseDB()
%>
I am getting this error:
Error Type:
Microsoft OLE DB Provider for SQL Server (0x80040E57)
String or binary data would be truncated.
/Mix/database_Function.asp, line 15
How do I solve this problem?.
Your help is kindly appreciated.
Regards
Eugene Anthony
*** Sent via Developersdex http://www.developersdex.com ***
推荐答案
On Sun,2005年7月10日06:50:16 -0700, Eugene Anthony
< so *********** @ yahoo.com>写道:
On Sun, 10 Jul 2005 06:50:16 -0700, Eugene Anthony
<so***********@yahoo.com> wrote:
我收到此错误:
错误类型:
用于SQL Server的Microsoft OLE DB提供程序(0x80040E57)
字符串或二进制数据将被截断。
/Mix/database_Function.asp,第15行
如何解决这个问题?。
I am getting this error:
Error Type:
Microsoft OLE DB Provider for SQL Server (0x80040E57)
String or binary data would be truncated.
/Mix/database_Function.asp, line 15
How do I solve this problem?.
尝试打破将代码分解为单个数据并运行您的SQL查询
。看起来输入的一个或多个数据比表中的字段允许的长b / b
。一旦你弄清楚哪个
字段,增加它的大小或减少允许的输入长度。
Jeff
Try breaking the code down into the individual data pieces and running
your SQL query. It looks like one or more pieces of data entered are
longer than the field in the table allows. Once you figure out which
field, increase its size or reduce the lenght of input allowed.
Jeff
Jeff已经告诉你如何找到你的问题,但我有几件事要
add。
你似乎有一些很好的验证功能,但是你需要修改它们
(至少是isLength一个)这样你就可以提供一个maxlength参数,
要么函数返回false,如果数据太长而不适合在te
字段中,或者将数据转换为最大长度,如果
,那就是你希望如何处理它。例如:
函数isLength(byref pData,pMaxLength)
dim datalength
datalength = len(pData)
如果datalength = 0那么
isLength = false
elseif datalength> pMaxlength然后
''或者:
''isLength = false
''或:
''pData = left(pData,pMaxLength)
''isLength = true
else
isLength = true
end if
更多信息:
Eugene Anthony写道:
Jeff has told you how to find your problem, but I have a couple things to
add.
You seem to have some good validation functions, but you need to revise them
(at least the isLength one) so that you can provide a maxlength argument,
either having the function return false if the data is too long to fit in te
field for which it is intended, or truncaqting the data to the max length if
that''s how you wish to handle it. For example:
function isLength(byref pData, pMaxLength)
dim datalength
datalength=len(pData)
if datalength = 0 then
isLength = false
elseif datalength > pMaxlength then
'' either:
'' isLength = false
'' or:
'' pData=left(pData,pMaxLength)
'' isLength = true
else
isLength = true
end if
More below:
Eugene Anthony wrote:
mySQL =" EXECUTE usp_InsertCustomer @姓= '' " &安培; firstname&
"'',@ LastName =''" &安培;姓氏和",@公司名称=" &安培; companyname&
"'',@ Phone =''" &安培;电话& ",@电子邮件=" &安培;电子邮件& "'',@ Password =''" &
密码& ",@地址=" &安培;地址& ",@邮编=" &安培; zip&
"'',@ StateID =''" &安培; " KL" &安培; ",@市=" &安培;城市与城市",@ CountryID =" &
country& ",@ CustomerTypeID = QUOT; &安培; CInt(1)& ",@ IP =" &
Request.ServerVariables(" REMOTE_HOST")& "''"
调用updateDB(mySQL,rs)
mySQL = "EXECUTE usp_InsertCustomer @FirstName=''" & firstname &
"'',@LastName=''" & lastname & "'',@CompanyName=''" & companyname &
"'',@Phone=''" & phone & "'',@Email=''" & email & "'',@Password =''" &
password & "'',@Address=''" & address & "'',@Zip=''" & zip &
"'',@StateID=''" & "kl" & "'',@City=''" & city & "'',@CountryID=''" &
country & "'',@CustomerTypeID=" & CInt(1) & ",@IP=''" &
Request.ServerVariables("REMOTE_HOST") & "''"
call updateDB(mySQL, rs)
与你的问题无关,但是......你为什么要使用
资源浪费记录集来执行不返回记录的查询?
我怀疑你是试图使用通用的自定义函数来运行所有
你的查询,无论他们是否返回记录,但是,有时候
函数可能过于通用。这是其中之一,特别是如果你关心保存服务器的资源
另外,通过使用动态sql而不是参数来执行你的存储
程序你是:
1.撤消使用存储的
程序所带来的性能优势
2.强迫自己执行额外的不必要的处理,以确保接受你的字符串数据
(formatforDb()函数)
3.让自己开放sql注入攻击:
http://mvp.unixwiz.net/ techtips / sql-injection.html
http ://www.sqlsecurity.com/DesktopDefault.aspx?tabid = 23
使用参数传递<更高效,更安全br />
存储过程的值。请参阅:
http://tinyurl.com/jyy0
Bob Barrows
-
Microsoft MVP - ASP / ASP.NET
请回复新闻组。这个电子邮件帐户是我的垃圾邮件陷阱所以我
不经常检查它。如果你必须离线回复,那么删除
NO SPAM
Nothing to do with your problem, but ... why are you using a
resource-wasting recordset to execute a query that does not return records?
I suspect you are attempting to use a generic custom function to run all of
your queries, whether they return records or not, but, there are times when
functions can be too generic. This is one of them, especially if you care
about conserving your server''s resources
Also, by using dynamic sql instead of parameters to execute your stored
procedure you are:
1. Undoing the performance benefits you gained from using the stored
procedure
2. Forcing yourself to do perform extra unnecessary processing to make sure
your string data will be accepted (the formatforDb() function)
3. Leaving yourself open to sql injection attack:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
It is much more efficient, as well as more secure, to use parameters to pass
values to a stored procedure. See:
http://tinyurl.com/jyy0
Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don''t check it very often. If you must reply off-line, then remove the
"NO SPAM"
这是我用来过滤语法的函数可以导致
sql注入:
<%
函数getUserInput(输入)
dim tempStr
tempStr = replace(输入," - ","")
tempStr = replace(input," ;;","")
tempStr = replace(input," SCRIPT"," scrip-t",1,-1,1)
getUserInput = tempStr
结束函数
函数formatforDb(输入)
dim tempStr
tempStr = replace(输入,'''",''''''")
tempStr = replace(输入,&,和)
formatforDb = tempStr
结束功能
%>
关于动态sql而不是参数你可以给我一个
更多信息,以便我可以对它进行研究。
问候
Eugene
***通过开发人员指南发送 http:// www.developersdex.com ***
This are functions which I am using to filter syntax that could lead to
sql injection:
<%
function getUserInput(input)
dim tempStr
tempStr = replace(input,"--","")
tempStr = replace(input,";","")
tempStr = replace(input,"SCRIPT","s-c-r-i-p-t",1,-1,1)
getUserInput = tempStr
end function
function formatforDb(input)
dim tempStr
tempStr = replace(input,"''","''''")
tempStr = replace(input,"&"," and ")
formatforDb = tempStr
end function
%>
In regards to "dynamic sql instead of parameters" could you give me a
little more info so that I can do a research on it.
Regards
Eugene
*** Sent via Developersdex http://www.developersdex.com ***
这篇关于asp和ms sql的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
