How do I run a parameterized SQL query in classic ASP? And is it secure?


Question

I'm about to have to deal with some SQL code in classic ASP VBScript.

I have two questions.

First, in .net, I'm used to using the System.Data.SqlClient namespace objects to perform queries. For example:

Imports System.Data.SqlClient

Dim conn As New SqlConnection("Data Source=MyServer;uid=myUid;pwd=myPwd;Initial Catalog=myDataBase;")
Dim cmd As New SqlCommand("Select fname From myTable where uid=@uid;", conn)
cmd.Parameters.Add(New SqlParameter("@uid", 100323))  ' the value is bound as data, never spliced into the SQL text
conn.Open()
Response.Write(cmd.ExecuteScalar())
conn.Close()

I've been told that using a parameterized query as such makes my query secure from SQL injection attacks.

I'd like to know what is the equivalent code to do such a query in classic ASP with VBScript and what similar security precautions must be used to guard against SQL injection.

Recommended answer

There are ADODB objects which do basically the same thing. The ADODB.Command object is the equivalent of SqlCommand. From there it is basically the same as in .NET.

Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = "Provider=SQLOLEDB;Data Source=MyServer;uid=myUid;pwd=myPwd;Initial Catalog=myDataBase;"
cmd.CommandText = "select fname from myTable where ID = ?"   ' OLE DB uses ? placeholders, bound by position
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , 100323)   ' adInteger = 3, adParamInput = 1 (adovbs.inc)
Set rs = cmd.Execute
Response.Write rs("fname")

I frequently use w3schools for help about ADO objects.
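As an added example (not code from the question or the answer above), a complete classic ASP page that wraps the ADODB.Command pattern in a reusable function, validates the incoming value, and shows the string-concatenation it replaces. The connection string, the table myTable and its columns are assumptions.

```vbscript
<%
' Added example, not from the original question or answer. Assumes a SQL Server reachable
' through the connection string below and a table myTable(uid int, fname varchar(50)).
Option Explicit

' ADO constants, declared here so the page works without adovbs.inc or a METADATA typelib line.
Const adCmdText = 1
Const adInteger = 3
Const adVarChar = 200
Const adParamInput = 1
Const CONN_STR = "Provider=SQLOLEDB;Data Source=MyServer;Initial Catalog=myDataBase;User ID=myUid;Password=myPwd;"

' Runs a one-value lookup with every user-supplied value passed as a bound parameter.
' sqlText uses ? placeholders; params is an array of Array(adoType, size, value) in placeholder order.
Function QueryScalar(sqlText, params)
    Dim conn, cmd, rs, i, p
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open CONN_STR
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sqlText
    For i = 0 To UBound(params)
        p = params(i)
        ' The name is informational only: OLE DB binds ? placeholders by position.
        cmd.Parameters.Append cmd.CreateParameter("p" & i, p(0), adParamInput, p(1), p(2))
    Next
    Set rs = cmd.Execute
    If rs.EOF Then QueryScalar = Null Else QueryScalar = rs.Fields(0).Value
    rs.Close
    conn.Close
End Function

' Unsafe pattern the question is asking how to avoid: the value becomes part of the SQL text.
'   sql = "SELECT fname FROM myTable WHERE uid = " & Request.QueryString("uid")

' Safe: the value reaches the server as a typed parameter, never as SQL text.
Dim uid, fname
uid = Request.QueryString("uid")
If Not IsNumeric(uid) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
fname = QueryScalar("SELECT fname FROM myTable WHERE uid = ?", Array(Array(adInteger, 0, CLng(uid))))

' String parameters need an explicit size; quotes inside the value stay data, not SQL:
' fname = QueryScalar("SELECT fname FROM myTable WHERE lname = ?", Array(Array(adVarChar, 50, Request.Form("lname"))))
If IsNull(fname) Then Response.Write "not found" Else Response.Write Server.HTMLEncode(fname)
%>
```

Binding the parameter also fixes the type on the server side, so a numeric column gets a numeric value regardless of what the request contained.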
