Can someone make this a single query?


Problem description

So I was just searching how to do an "INSERT INTO" query and found this:

    sql="INSERT INTO Customers (ID,firstName,"
    sql=sql & "lastName)"
    sql=sql & " VALUES "
    sql=sql & "('" & Request.Form("id") & "',"
    sql=sql & "'" & Request.Form("firstname") & "',"
    sql=sql & "'" & Request.Form("lastname") & "')"

I know it works but I want to make it a single query without all the sql=sql's

Recommended answer

You took the route of a quick hack as stated in your comments by doing this:

    sql="INSERT INTO Customers (ID,firstName,lastName) VALUES ('" & Request.Form("id") & "','" & Request.Form("firstname") & "','" & Request.Form("lastname") & "')"

Let me persist in stating that to prevent several issues (sql injection being one of them) you could leverage the use of parameterized queries.
I assume you have an ADO command somewhere after your sql statement. It is much safer if you use command parameters to send parameters from the website to the query.

    ' adInteger, adVarWChar and adParamInput are ADO constants; in classic ASP they
    ' come from adovbs.inc or a METADATA TypeLib include for the ADO type library.
    command.CommandText = "INSERT INTO Customers (ID,firstName,lastName) VALUES (?,?,?)"

    ' Each ? is bound positionally to a parameter appended in the same order,
    ' so the form values travel as data and never become part of the SQL text.
    Set param = command.CreateParameter("id", adInteger, adParamInput)
    param.Value = Request.Form("id")
    command.Parameters.Append param

    Set param2 = command.CreateParameter("firstname", adVarWChar, adParamInput, 50)
    param2.Value = Request.Form("firstname")
    command.Parameters.Append param2

    Set param3 = command.CreateParameter("lastname", adVarWChar, adParamInput, 50)
    param3.Value = Request.Form("lastname")
    command.Parameters.Append param3

    command.Execute

Have a look at Command object parameters for the background.
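As an added example that is not part of the original answer, the same contrast in Python with sqlite3 (standing in for ADO so it runs without a web server): the string-splicing form from the question beside the placeholder-bound form from the answer. The in-memory `Customers` table, the form dictionaries and the helper names are constructed for this demonstration; only the column names and the `?` placeholders come from the page. A surname with an apostrophe is enough to show why the concatenated statement stops being the statement the developer wrote, while the bound version stores the value as-is.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the page's Customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Customers (ID INTEGER PRIMARY KEY, firstName TEXT, lastName TEXT)"
    )
    return conn


def insert_concatenated(conn, form):
    """The question's approach: splice the form values straight into the SQL text.

    Any single quote inside a value terminates the literal early, so the SQL
    the database parses is no longer the SQL the developer intended.
    """
    sql = (
        "INSERT INTO Customers (ID,firstName,lastName) VALUES ('"
        + form["id"] + "','" + form["firstname"] + "','" + form["lastname"] + "')"
    )
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.Error as exc:
        conn.rollback()
        return "error: " + str(exc)


def insert_parameterized(conn, form):
    """The answer's approach: ? placeholders with the values bound separately.

    The driver hands the values to the engine out of band (as ADO does with
    appended Parameters), so quotes in the data stay data. The int() mirrors
    declaring the first parameter as adInteger: a non-numeric id is rejected
    before any SQL runs.
    """
    sql = "INSERT INTO Customers (ID,firstName,lastName) VALUES (?,?,?)"
    conn.execute(sql, (int(form["id"]), form["firstname"], form["lastname"]))
    conn.commit()
    return "ok"


def fetch(conn, customer_id):
    """Return (firstName, lastName) for one ID, or None if absent."""
    return conn.execute(
        "SELECT firstName, lastName FROM Customers WHERE ID = ?", (customer_id,)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Constructed form submissions; the second carries an apostrophe.
    plain = {"id": "1", "firstname": "Bob", "lastname": "Smith"}
    quoted = {"id": "2", "firstname": "Ann", "lastname": "O'Brien"}
    print(insert_concatenated(db, plain))    # ok
    print(insert_concatenated(db, quoted))   # error: near "Brien": syntax error
    print(insert_parameterized(db, quoted))  # ok
    print(fetch(db, 2))                      # ('Ann', "O'Brien")
```

The failure here is a syntax error, which is the benign outcome; input shaped to keep the statement syntactically valid would instead change what the INSERT does, which is the injection case the answer warns about. Binding removes both outcomes with the same change.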
