Using SQL parameters returns "Arguments are of the wrong type"

Question

I am having some trouble figuring out how to write classic ASP queries to prevent SQL injection.

I have read a few posts on it and have come up with the following script:

set cmd = server.createobject("ADODB.Command")

SQL = "Select * From tablename Where Email Like ? And Deleted=0"

cmd.ActiveConnection = conn
cmd.CommandText = SQL  ' the original read qText, a variable that is never assigned
cmd.CommandType = adCmdText
cmd.CommandTimeout = 900
' one input parameter bound to the single "?" placeholder in the query
cmd.Parameters.Append cmd.CreateParameter("@name", adVarchar, adParamInput, 50, "%" & this.Form("email") & "%")

Set rs = cmd.Execute

Every time I run it though, I am getting the following error:

ADODB.Command error '800a0bb9'
Arguments are of the wrong type, are out of acceptable range, or are in conflict with one another.

I have followed the instructions from here: https://vikaskanani.wordpress.com/2012/05/07/classic-asp-sql-injection-prevention-by-using-query-parameter/

Any help figuring this out would be greatly appreciated.

Recommended answer

adVarchar, adCmdText and adParamInput are constant values that need to be defined before they can be used. There are a number of ways you can do this:

  1. Define just the constants you require manually:

    const adVarChar = 200
    const adParamInput = &H0001
    const adCmdText = &H0001

  2. Use the values directly (this is less readable / maintainable and generally not recommended):

    cmd.Parameters.Append cmd.CreateParameter("@name", 200, &H0001, 50, "%" & this.Form("email") & "%")
    

  3. Include adovbs.inc, which defines all of the ADO constants in a handy include file:

     <!--#include virtual="/adovbs.inc"-->
    

    The adovbs.inc file itself is available for download in lots of places on the web (make sure you give it a quick scan to check it doesn't include anything nasty), the 4GuysFromRolla site being a popular one (download the .txt linked and rename it to .inc).

  4. Include a reference to the ADO TypeLib:

    <!--metadata type="TypeLib" name="Microsoft ActiveX Data Objects 2.8 Library" uuid="{2A75196C-D9EB-4129-B803-931327F72D5C}" version="2.8"-->
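
A complete, runnable version of the parameterised query, as an added example that is not code from the question or the answer above. It takes option 1 (the three constants defined inline) so it does not depend on adovbs.inc, uses `Set` when assigning the connection object, and additionally escapes LIKE wildcards in the user's input: a bound parameter stops SQL injection, but a `%` or `_` typed by the user would otherwise still act as a wildcard inside the pattern. The connection string, the `tablename`/`Email`/`Deleted` schema from the question, the use of `Request.Form`, and the SQL Server LIKE escape rules (`[` is also a metacharacter there) are assumptions for this example.

```vbscript
<%@ Language="VBScript" %>
<% Option Explicit %>
<%
' Added example (not from the original post). Assumes SQL Server via OLE DB
' and a table "tablename" with columns Email and Deleted as in the question.

' Option 1 from the answer: the ADO constants the code needs, defined inline.
Const adVarChar    = 200
Const adParamInput = &H0001
Const adCmdText    = &H0001

' Placeholder connection string; an assumption for this example.
Const CONN_STR = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=AppDb;Integrated Security=SSPI;"

' Escape LIKE metacharacters so the user's text is matched literally.
' The query declares ESCAPE '\', so the backslash itself must be escaped first.
Function EscapeLike(ByVal s)
    s = Replace(s, "\", "\\")
    s = Replace(s, "%", "\%")
    s = Replace(s, "_", "\_")
    s = Replace(s, "[", "\[")   ' SQL Server treats [ as the start of a character class
    EscapeLike = s
End Function

Dim conn, cmd, rs, email, sql, pattern

' Read the form field from the ASP Request object and bound its length
' before it is turned into a pattern (escaping can grow the string).
email = Trim(Request.Form("email") & "")
If Len(email) = 0 Or Len(email) > 100 Then
    Response.Status = "400 Bad Request"
    Response.Write "Please supply an e-mail address of at most 100 characters."
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open CONN_STR

' "?" is a positional placeholder; the parameter name below is only a label.
sql = "SELECT Email FROM tablename WHERE Email LIKE ? ESCAPE '\' AND Deleted = 0"

Set cmd = Server.CreateObject("ADODB.Command")
' Set assigns the Connection object itself; without Set the connection's default
' property (the connection string) is assigned and ADO opens a second connection.
Set cmd.ActiveConnection = conn
cmd.CommandText = sql
cmd.CommandType = adCmdText
cmd.CommandTimeout = 30

' The wildcards we add ourselves are real wildcards; the user's text is escaped.
pattern = "%" & EscapeLike(email) & "%"
cmd.Parameters.Append cmd.CreateParameter("@email", adVarChar, adParamInput, 255, pattern)

Set rs = cmd.Execute

Do Until rs.EOF
    ' Encode on output so a stored value cannot inject HTML into this page.
    Response.Write Server.HTMLEncode(rs("Email") & "") & "<br>"
    rs.MoveNext
Loop

rs.Close : conn.Close
%>
```

With the constants defined, the `800a0bb9` error goes away; the ESCAPE clause is an extra step beyond the answer, because parameters protect the SQL text but say nothing about how LIKE interprets the bound value.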
    
