ASP Classic Named Parameter in Parameterized Query: Must declare the scalar variable
Question
I'm trying to write a parameterized query in ASP Classic, and it's starting to feel like I'm beating my head against a wall. I'm getting the following error:
Must declare the scalar variable "@something".
I would swear that is what the hello line does, but maybe I'm missing something...
<% OPTION EXPLICIT %>
<!-- #include file="../common/adovbs.inc" -->
<%
Response.Buffer=false
dim conn,connectionString,cmd,sql,rs,parm
' local SQL Server Express named instance; the backslash between "." and "sqlexpress" is required
connectionString = "Provider=SQLOLEDB.1;Integrated Security=SSPI;Data Source=.\sqlexpress;Initial Catalog=stuff"
set conn = server.CreateObject("adodb.connection")
conn.Open(connectionString)
set cmd = server.CreateObject("adodb.command")
set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' the command text names the parameter as @something
cmd.CommandText = "select @something"
cmd.NamedParameters = true   ' ask the provider to bind parameters by name rather than by position
cmd.Prepared = true
' the "hello line": a 255-character varchar input parameter named @something with the value "Hello"
set parm = cmd.CreateParameter("@something",advarchar,adParamInput,255,"Hello")
call cmd.Parameters.append(parm)
set rs = cmd.Execute
if not rs.eof then
Response.Write rs(0)
end if
%>
Accepted answer
Here's some sample code from an MSDN Library article on preventing SQL injection attacks. I cannot find the original URL, but googling the title keywords (Preventing SQL Injections in ASP) should get you there quickly enough. Hope this real-world example helps.
Dim objConn, objCommand, objRS, param1, strCmd, strAuthor
strAuthor = Request.Form("author")   ' untrusted user input (form field name assumed); it is never concatenated into the SQL text
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open "Provider=SQLOLEDB.1;Integrated Security=SSPI;Data Source=.\sqlexpress;Initial Catalog=stuff"   ' connection string taken from the question
Set objCommand = Server.CreateObject("ADODB.Command")
strCmd = "select title, description from books where author_name = ?"   ' positional "?" marker, not a @name
Set objCommand.ActiveConnection = objConn
objCommand.CommandText = strCmd
objCommand.CommandType = adCmdText
Set param1 = objCommand.CreateParameter ("author", adWChar, adParamInput, 50)   ' 50-character Unicode input parameter
param1.value = strAuthor
objCommand.Parameters.Append param1
Set objRS = objCommand.Execute()
See the following page on MSDN, near the bottom, referring specifically to named parameters.
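As an added illustration (not code from the question or from the answer above), here is the same lookup written three ways against the SQLOLEDB provider: the string concatenation that opens the injection hole, the positional "?" form the answer recommends, and a stored-procedure call, which is where this provider honours parameter names. It assumes a dbo.books table with title, description and author_name columns, a stored procedure dbo.usp_BooksByAuthor taking @author nvarchar(50), the "stuff" database on the local SQLEXPRESS instance from the question, and adovbs.inc next to the page; all of those names are placeholders.

```asp
<% Option Explicit %>
<!-- #include file="adovbs.inc" -->
<%
' Added example, not part of the original question or answer.
' Assumed schema: dbo.books(title, description, author_name) and
' dbo.usp_BooksByAuthor(@author nvarchar(50)) in database "stuff".
Dim conn, cmd, rs, param, strAuthor
strAuthor = Request.QueryString("author")   ' untrusted input, e.g. O'Brien or x' OR 1=1 --

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB.1;Integrated Security=SSPI;Data Source=.\SQLEXPRESS;Initial Catalog=stuff"

' 1) What NOT to do: concatenation. The quote in O'Brien breaks the statement,
'    and x' OR 1=1 -- turns the WHERE clause into a tautology.
' Set rs = conn.Execute("select title from books where author_name = '" & strAuthor & "'")

' 2) Parameterized ad hoc text. SQLOLEDB takes positional "?" markers in
'    CommandText; a "@name" written there is sent to SQL Server unchanged,
'    which is why the question's "select @something" raises
'    "Must declare the scalar variable". Parameters are bound in the order
'    the markers appear, so the name given to CreateParameter is only a label.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "select title, description from books where author_name = ?"
Set param = cmd.CreateParameter("author", adVarWChar, adParamInput, 50, strAuthor)
cmd.Parameters.Append param
Set rs = cmd.Execute

Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("title")) & "<br>"   ' encode on output as well
    rs.MoveNext
Loop
rs.Close

' 3) Named parameters are honoured for stored procedure calls: set
'    CommandType = adCmdStoredProc and name each parameter as the procedure
'    declares it. Use this when keeping "?" markers in order gets error-prone.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "dbo.usp_BooksByAuthor"
cmd.NamedParameters = True
cmd.Parameters.Append cmd.CreateParameter("@author", adVarWChar, adParamInput, 50, strAuthor)
Set rs = cmd.Execute

Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("description")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

Two things to check when adapting this: the size passed to CreateParameter should match the column's declared width (adVarWChar for nvarchar, adVarChar for varchar), and every "?" in the command text needs exactly one parameter appended in the same order, since the provider ignores the names for ad hoc text. The parameter value travels to SQL Server as data, never as part of the statement, so quoting or escaping the input is neither needed nor sufficient.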