Can someone please tell me what is wrong with this statement?


Problem description


I am using this to insert a few things into my table and it keeps giving me this error:

Microsoft VBScript compilation error '800a03ee'
Expected ')'
/thanks.asp, line 63

Set rstSimple = cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode) VALUES ('"Request.QueryString("payer_email") & "', '" & Request.QueryString("payer_email") & "', '" & Request.QueryString("first_name") & "', '" & Request.QueryString("last_name") & "', '" & Request.QueryString("hash")"'))
---------------------------------------------------------------------------------------------------------------------^

This is the code I am using:

Set rstSimple = cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode) VALUES ('"Request.QueryString("payer_email") & "', '" & Request.QueryString("payer_email") & "', '" & Request.QueryString("first_name") & "', '" & Request.QueryString("last_name") & "', '" & Request.QueryString("hash")"'))

Can someone please help me?

Thank you

Solution

I'd suggest breaking up your code as follows, so it becomes readable and understandable:

Dim execSql
execSql = "insert into SALT (Email, Username, FirstName, LastName, ActivationCode)"
execSql = execSql & " VALUES ('"
execSql = execSql & Request.QueryString("payer_email") 
execSql = execSql & "', '" 
execSql = execSql & Request.QueryString("payer_email") 
execSql = execSql & "', '" 
execSql = execSql & Request.QueryString("first_name") 
execSql = execSql & "', '" 
execSql = execSql & Request.QueryString("last_name") 
execSql = execSql & "', '" 
execSql = execSql & Request.QueryString("hash")
execSql = execSql & "')"

Set rstSimple = cnnSimple.Execute(execSql)

While typing, I removed the quote errors from your string. Now it becomes more apparent where they are if you receive a new error. Also, the coloring of the code makes it readable and easy to spot the error (depending on what editor you use).


Edit on SQL Injection and security

As someone else already mentioned, your code is highly susceptible to SQL injection attacks. Even if no attack (i.e., to drop your database) is meant, it will fail if someone is named d'Amour (French) or in 't Huys (Dutch), crashing your page. To circumvent this, don't try to filter your code, but rewrite it using SQL Command and Parameters. It's easy; your code simply becomes this:

Set dbCommand = Server.CreateObject("ADODB.Command")
Set dbCommand.ActiveConnection = cnnSimple
dbCommand.CommandType = adCmdText
' ADO text commands take positional "?" markers; parameters are appended in the same order.
' VBScript concatenates strings with "&", not "+".
dbCommand.CommandText = _
    "INSERT INTO SALT (Email, Username, FirstName, LastName, ActivationCode) " & _
    "VALUES (?, ?, ?, ?, ?)"
With dbCommand.Parameters
    ' CreateParameter(name, type, direction, size, value); adVarChar requires an explicit size.
    ' 255 is an assumed width here: use the actual column widths of your SALT table.
    .Append dbCommand.CreateParameter("email", adVarChar, adParamInput, 255, Request.QueryString("payer_email"))
    .Append dbCommand.CreateParameter("user", adVarChar, adParamInput, 255, Request.QueryString("payer_email"))
    .Append dbCommand.CreateParameter("firstname", adVarChar, adParamInput, 255, Request.QueryString("first_name"))
    .Append dbCommand.CreateParameter("lastname", adVarChar, adParamInput, 255, Request.QueryString("last_name"))
    .Append dbCommand.CreateParameter("code", adVarChar, adParamInput, 255, Request.QueryString("hash"))
End With

' The INSERT returns no rows; the recordset is closed but the statement has run.
Set rstSimple = dbCommand.Execute()

Note: make sure to download and include ADOVBS.INC so you don't have to replace the constants adVarChar and adParamInput and such with their numeric equivalents.

For more info see this SO answer by Jose Basilio, or Google "SQL Injection ASP" or "SQL Prepared Statement Classic ASP"; it should find you some hits.
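To make the answer's point concrete, here is an added example (not from the question or the answer, and in Python with sqlite3 rather than Classic ASP) that runs the same SALT INSERT both ways on the two names the answer cites, d'Amour and in 't Huys. The schema and the sample rows are constructed; the concatenated form raises a SQL syntax error on the apostrophes, while the bound form stores them intact.

```python
import sqlite3

# Constructed sample input: a plain name plus the two names the answer cites.
SAMPLE_ROWS = [
    ("alice@example.com", "Alice", "Smith", "code-1"),
    ("pierre@example.com", "Pierre", "d'Amour", "code-2"),
    ("jan@example.com", "Jan", "in 't Huys", "code-3"),
]

# Constructed schema mirroring the columns used in the question.
SCHEMA = ("CREATE TABLE SALT (Email TEXT, Username TEXT, FirstName TEXT, "
          "LastName TEXT, ActivationCode TEXT)")


def insert_concatenated(conn, email, first, last, code):
    """The question's approach: values spliced into the SQL text. Kept only to show the failure."""
    sql = ("INSERT INTO SALT (Email, Username, FirstName, LastName, ActivationCode) "
           "VALUES ('" + email + "', '" + email + "', '" + first + "', '" + last + "', '" + code + "')")
    conn.execute(sql)


def insert_parameterized(conn, email, first, last, code):
    """The answer's approach: placeholders in the SQL text, values bound separately by the driver."""
    sql = ("INSERT INTO SALT (Email, Username, FirstName, LastName, ActivationCode) "
           "VALUES (?, ?, ?, ?, ?)")
    conn.execute(sql, (email, email, first, last, code))


def run_both():
    """Return (outcome per row for concatenation, stored LastName values after binding)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    concat_outcomes = []
    for email, first, last, code in SAMPLE_ROWS:
        try:
            insert_concatenated(conn, email, first, last, code)
            concat_outcomes.append("ok")
        except sqlite3.OperationalError:
            # A quote inside the name ends the string literal early: syntax error, page crash.
            concat_outcomes.append("error")
    conn.execute("DELETE FROM SALT")
    for email, first, last, code in SAMPLE_ROWS:
        insert_parameterized(conn, email, first, last, code)
    stored = [row[0] for row in conn.execute("SELECT LastName FROM SALT ORDER BY rowid")]
    return concat_outcomes, stored
```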
