ASP Classic在Paramaterized查询命名参数:必须声明标量变量 [英] ASP Classic Named Parameter in Paramaterized Query: Must declare the scalar variable

查看:381
本文介绍了ASP Classic在Paramaterized查询命名参数:必须声明标量变量的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我试着写ASP经典参数化查询,和它的开始觉得我打我的头撞墙。我得到了以下错误:


  

必须声明标量变量@something。


我发誓那是个招呼线做什么,但也许我失去了一些东西... 

 <%Explicit选项%GT;
<! - #包括文件=../通用/ ADOVBS.INC - >
<%    将Response.Buffer = FALSE    康涅狄格州暗淡,ConnectionString,则CMD,SQL,RS,PARM    的connectionString =供应商= SQLOLEDB.1;集成安全性= SSPI;数据源= \\ sqlex preSS;初始目录=东西
    康涅狄格州设置=的Server.CreateObject(adodb.connection)
    conn.Open(的connectionString)    设置CMD =的Server.CreateObject(adodb.command)
    设置cmd.ActiveConnection =康恩
    cmd.CommandType =为adCmdText
    cmd.CommandText =选择@something
    cmd.NamedParameters =真
    CMD。prepared = TRUE
    集PARM = cmd.CreateParameter(@东西,advarchar,adParamInput,255,你好)
    调用cmd.Parameters.append(PARM)
    集RS = cmd.Execute
    如果没有RS.EOF然后
    回复于RS(0)
    万一
%GT;


解决方案

下面是从preventing SQL注入攻击的MSDN库文章的一些示例code。我找不到原来的网址,但谷歌搜索标题关键字(preventing SQL注入的ASP)应该让你有足够快。希望这个真实世界的例子帮助。

  strCmd =选择标题,从书本上描述中AUTHOR_NAME =?
设置objCommand.ActiveConnection = objConn
objCommand.CommandText = strCmd
objCommand.CommandType =为adCmdText
设置参数1 = objCommand.CreateParameter(作家,adWChar,adParamInput,50)
param1.value = strAuthor
objCommand.Parameters.Append参数1
设置objRS = objCommand.Execute()

请参阅MSDN上的以下页面,接近底部,具体提到命名参数。

MSDN例如

I'm trying to write a parameterized query in ASP Classic, and it's starting to feel like i'm beating my head against a wall. I'm getting the following error:

Must declare the scalar variable "@something".

I would swear that is what the hello line does, but maybe i'm missing something...

<% OPTION EXPLICIT %>
<!-- #include file="../common/adovbs.inc" -->
<%

    Response.Buffer=false

    dim conn,connectionString,cmd,sql,rs,parm

    connectionString = "Provider=SQLOLEDB.1;Integrated Security=SSPI;Data Source=.\sqlexpress;Initial Catalog=stuff"
    set conn = server.CreateObject("adodb.connection")
    conn.Open(connectionString)

    set cmd = server.CreateObject("adodb.command")
    set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "select @something"
    cmd.NamedParameters = true
    cmd.Prepared = true
    set parm = cmd.CreateParameter("@something",advarchar,adParamInput,255,"Hello")
    call cmd.Parameters.append(parm)
    set rs = cmd.Execute
    if not rs.eof then
    	Response.Write rs(0)
    end if


%>

解决方案

Here's some sample code from an MSDN Library article on preventing SQL injection attacks. I cannot find the original URL, but googling the title keywords (Preventing SQL Injections in ASP) should get you there quick enough. Hope this real-world example helps.

strCmd = "select title, description from books where author_name = ?"
Set objCommand.ActiveConnection = objConn
objCommand.CommandText = strCmd
objCommand.CommandType = adCmdText
Set param1 = objCommand.CreateParameter ("author", adWChar, adParamInput, 50)
param1.value = strAuthor
objCommand.Parameters.Append param1
Set objRS = objCommand.Execute()

See the following page on MSDN, near the bottom, referring specifically to named parameters.

MSDN example

这篇关于ASP Classic在Paramaterized查询命名参数:必须声明标量变量的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
ASP最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆