有人可以告诉我什么是错的这种说法? [英] Can someone please tell me what is wrong with this statement?
问题描述
我用这来插入一些东西放到我的桌子,它不断给我这个错误:
I am using this to insert a few things into my table and it keeps giving me this error:
Microsoft VBScript compilation error '800a03ee'
Expected ')'
/thanks.asp, line 63
Set rstSimple = cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode) VALUES ('"Request.QueryString("payer_email") & "', '" & Request.QueryString("payer_email") & "', '" & Request.QueryString("first_name") & "', '" & Request.QueryString("last_name") & "', '" & Request.QueryString("hash")"'))
---------------------------------------------------------------------------------------------------------------------^
这是code我使用的:
This is the code I am using:
Set rstSimple = cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode) VALUES ('"Request.QueryString("payer_email") & "', '" & Request.QueryString("payer_email") & "', '" & Request.QueryString("first_name") & "', '" & Request.QueryString("last_name") & "', '" & Request.QueryString("hash")"'))
有人能帮帮我吗?
Can someone please help me?
感谢您
推荐答案
我建议打破了你的code以下,因此它成为阅读和理解:
I'd suggest breaking up your code as follows, so it becomes readable and understandable:
Dim execSql
execSql = "insert into SALT (Email, Username, FirstName, LastName, ActivationCode)"
execSql = execSql & " VALUES ('"
execSql = execSql & Request.QueryString("payer_email")
execSql = execSql & "', '"
execSql = execSql & Request.QueryString("payer_email")
execSql = execSql & "', '"
execSql = execSql & Request.QueryString("first_name")
execSql = execSql & "', '"
execSql = execSql & Request.QueryString("last_name")
execSql = execSql & "', '"
execSql = execSql & Request.QueryString("hash")
execSql = execSql & "')"
Set rstSimple = cnnSimple.Execute(execSql)
在打字时,我删除了你的字符串的报价,误差。他们在哪里,如果你收到一个新的错误现在,它变得更明显。此外,code的着色使其可读和容易发现错误(depening您所使用的编辑器)。
while typing, I removed the quote-errors of your string. Now it becomes more apparent where they are if you receive a new error. Also, the coloring of the code makes it readable and easy to spot the error (depening on what editor you use).
至于其他人已经提到,您code很容易受到SQL注入攻击。即使没有发作(即放弃你的数据库)意味着,它将如果有人被命名为失败德爱(法语)或在' ŧHuys酒店(荷兰),系统崩溃页面。为了规避这一点,不要试图筛选code,但使用SQL命令和参数重写。这很容易,你的code简直变成这样:
As someone else already mentioned, your code is highly susceptible to SQL injection attacks. Even if no attack (i.e., to drop your database) is meant, it will fail if someone is named d'Amour (French) or in 't Huys (Dutch), crashing your page. To circumvent this, don't try to filter your code, but rewrite it using SQL Command and Parameters. It's easy, your code simply becomes this:
Set dbCommand = Server.CreateObject("ADODB.Command")
Set dbCommand.ActiveConnection = cnnSimple
dbCommand.CommandType = adCmdText
dbCommand.CommandText = _
"INSERT INTO SALT (Email, Username, FirstName, LastName, ActivationCode) " + _
"VALUES (@email, @user, @firstname, @lastname, @code)"
With dbCommand.Parameters
.Add("email", adVarChar, adParamInput, , Request.QueryString("payer_email"))
.Add("user", adVarChar, adParamInput, , Request.QueryString("payer_email"))
.Add("firstname", adVarChar, adParamInput, , Request.QueryString("first_name"))
.Add("lastname", adVarChar, adParamInput, , Request.QueryString("last_name"))
.Add("code", adVarChar, adParamInput, , Request.QueryString("hash"))
End With
Set rstSimple = dbCommand.Execute()
请注意:一定要下载,包括ADOVBS.INC 所以您不必更换常量 adVarChar 和 adParamInput 键,这样为它们的数字等价物。
Note: make sure to download and include ADOVBS.INC so you don't have to replace the constants adVarChar and adParamInput and such with their numeric equivalents.
有关更多信息请参见<一个href=\"http://stackoverflow.com/questions/770419/how-to-make-a-parametrized-sql-query-on-classic-asp/770439#770439\">this何塞·巴西利奥,谷歌的SQL注入ASP或SQL prepared声明经典ASPSO回答,就应该找你一些打击。
For more info see this SO answer by Jose Basilio, Google on "SQL Injection ASP" or "SQL Prepared Statement Classic ASP", it should find you some hits.
这篇关于有人可以告诉我什么是错的这种说法?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
