How do I run a parameterized SQL query in classic ASP? And is it secure?

Views: 17

Question

I'm about to have to deal with some SQL code in classic ASP VBScript.

I have two questions.

First, in .net, I'm used to using the System.Data.SqlClient namespace objects to perform queries. For example:

Dim conn As New SqlConnection("Data Source=MyServer;uid=myUid;pwd=myPwd;Initial Catalog=myDataBase;")
Dim cmd As New SqlCommand("Select fname From myTable where uid=@uid;", conn)
cmd.Parameters.Add(New SqlParameter("@uid", 100323))
conn.Open()
Response.Write(cmd.ExecuteScalar())
conn.Close()

I've been told that using a parameterized query as such makes my query secure from SQL injection attacks.

I'd like to know what is the equivalent code to do such a query in classic ASP with VBScript and what similar security precautions must be used to guard against SQL injection.

Answer

There are ADODB Objects which do basically the same thing. ADODB.Command object is the equivalent to SqlCommand. From there it is basically doing the same as in .NET.

Set cmd = Server.CreateObject("ADODB.Command")
' ADO binds parameters by position with "?", not by the "@name" syntax used in SqlCommand
cmd.CommandText = "SELECT * FROM Table WHERE ID = ?"
' adInteger and adParamInput come from adovbs.inc (or a METADATA TypeLib include)
Set param = cmd.CreateParameter("id", adInteger, adParamInput, , 0)
cmd.Parameters.Append param

I frequently use w3schools for help about ADO objects.
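A complete classic ASP page that wires the ADODB.Command above to a connection, binds the request value as a typed parameter and reads the result. This is an added example, not code from the original answer; the table name "myTable", the columns "uid" and "fname", the OLE DB connection string and the query-string parameter name are assumptions.

```vbscript
<%
' Added example (not part of the original answer). Assumes a SQL Server table
' "myTable" with an integer column "uid" and a text column "fname".
' ADO constants normally supplied by adovbs.inc; declared here so the page is self-contained.
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

Dim conn, cmd, rs, uid
uid = Request.QueryString("uid")   ' untrusted input

' UNSAFE: building the statement by concatenation makes the request value part of
' the SQL text, so the value can alter the query rather than just its data.
' sql = "SELECT fname FROM myTable WHERE uid = " & uid

' Reject non-numeric input before it reaches the database at all.
If Not IsNumeric(uid) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' SAFE: the value is sent as a typed parameter, separate from the SQL text.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=MyServer;User ID=myUid;Password=myPwd;Initial Catalog=myDataBase;"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT fname FROM myTable WHERE uid = ?"   ' positional "?" marker
cmd.Parameters.Append cmd.CreateParameter("uid", adInteger, adParamInput, , CLng(uid))

Set rs = cmd.Execute
If Not rs.EOF Then
    ' Parameterization protects the query; the output still needs encoding for HTML.
    Response.Write Server.HTMLEncode(rs("fname"))
End If

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

The same CreateParameter/Append pattern applies to string columns by using adVarChar with an explicit size argument instead of adInteger.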
