MySQL / Classic ASP - Parameterized Queries


Problem description


In an absolute emergency, I am trying to go through my website and add parameterized queries. I'm a newbie and have only just learnt about them.


My problem is, I only know very little about connection types, and all of the examples I'm seeing are using other methods of connection, which is confusing me. I don't particularly want to change the way I connect to my DB, as it's on lots of pages; I just want to update my queries to be safer.


This is how I have been connecting to my DB:

Set connContent = Server.CreateObject("ADODB.Connection") 
connContent.ConnectionString = "...blah...blah...blah..."
connContent.Open


and this is the SQL bit with parameters:

username = Trim(Request("username"))
connContent.Prepared = True

Const ad_nVarChar = 202
Const ad_ParamInput = 1

SQL = " SELECT * FROM users WHERE (username=?) ; "

Set newParameter = connContent.CreateParameter("@username", ad_nVarChar, adParamInput, 20, username)
connContent.Parameters.Append newParameter

Set rs = connContent.Execute(SQL)

If NOT rs.EOF Then
        ' Do something...
End If

rs.Close


It's obviously not working but I need to know if I can actually achieve this using the connection I have or am I missing something altogether that's stopping it from working?


Before I go forth and spend the next 2 days debugging something I'm unfamiliar with, I would like to know I'm at least on the right track...

Recommended answer


The code in your second snippet is correct, but should be applied to a new ADODB.Command object, not to the Connection object:

username = Trim(Request("username"))

'-----Added this-----
Dim cmdContent
Set cmdContent = Server.CreateObject("ADODB.Command")

' Use this line to associate the Command with your previously opened connection
Set cmdContent.ActiveConnection = connContent
'--------------------

cmdContent.Prepared = True

Const ad_nVarChar = 202
Const ad_ParamInput = 1

SQL = " SELECT * FROM users WHERE (username=?) ; "

Set newParameter = cmdContent.CreateParameter("@username", ad_nVarChar, ad_ParamInput, 20, username)
cmdContent.Parameters.Append newParameter

cmdContent.CommandText = SQL
Set rs = cmdContent.Execute

If NOT rs.EOF Then
        ' Do something...
End If

rs.Close


By the way, there was a typo with the spelling of adParamInput instead of ad_ParamInput (corrected in my example).
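Since the asker wants to keep the existing connection on many pages, the pattern from the answer can be wrapped once and reused. The following is an added example, not code from the original question or answer: one function that binds any number of parameters to an ADODB.Command on the existing connContent. The ADO constant values are the standard ones; the users.active and id columns are assumptions.

```vbscript
' Standard ADO DataTypeEnum / ParameterDirectionEnum values
Const adVarChar    = 200   ' narrow string
Const adVarWChar   = 202   ' Unicode string (the question's ad_nVarChar)
Const adInteger    = 3
Const adParamInput = 1

' Runs sql (with ? placeholders) as a prepared ADODB.Command on conn.
' params is an array of Array(adoType, size, value) triples.
' Placeholders are positional: the n-th ? receives the n-th parameter,
' so the parameter name passed to CreateParameter is only a label.
Function ExecParamQuery(conn, sql, params)
    Dim cmd, i, p
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn      ' reuse the already-open connection
    cmd.CommandText = sql
    cmd.Prepared = True
    For i = LBound(params) To UBound(params)
        p = params(i)
        cmd.Parameters.Append cmd.CreateParameter("p" & i, p(0), adParamInput, p(1), p(2))
    Next
    Set ExecParamQuery = cmd.Execute     ' returns the Recordset
End Function

' Pattern being replaced (for contrast only): the input is spliced into the SQL text,
' so a quote character in it changes the query instead of being compared as data.
' SQL = "SELECT * FROM users WHERE username='" & Request("username") & "'"

' Parameterized version: the value is sent separately from the SQL text.
' (The active column is an assumption for this example.)
Dim rs
Set rs = ExecParamQuery(connContent, _
    "SELECT id, username FROM users WHERE username = ? AND active = ?", _
    Array(Array(adVarWChar, 20, Trim(Request("username"))), _
          Array(adInteger, 0, 1)))

If Not rs.EOF Then
    ' Encode on output as well; parameters protect the query, not the HTML page.
    Response.Write Server.HTMLEncode(rs("username"))
End If

rs.Close
Set rs = Nothing
```

The same function serves INSERT and UPDATE statements; only the SQL text and the parameter list change per page.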
