MySQL / Classic ASP - Parameterized Queries
Question
In an absolute emergency, I am trying to go through my website and add parameterized queries. I'm a newbie and have only just learnt about them.
My problem is, I only know a very little about connection types and all of the examples I'm seeing are using other methods of connection, which is confusing me. I don't particularly want to change the way I connect to my DB, as it's on lots of pages; I just want to update my queries to be safer.
This is how I have been connecting to my DB:
Set connContent = Server.CreateObject("ADODB.Connection")
connContent.ConnectionString = "...blah...blah...blah..."
connContent.Open
and this is the SQL bit with parameters:
username = Trim(Request("username"))
connContent.Prepared = True
Const ad_nVarChar = 202
Const ad_ParamInput = 1
SQL = " SELECT * FROM users WHERE (username=?) ; "
Set newParameter = connContent.CreateParameter("@username", ad_nVarChar, adParamInput, 20, username)
connContent.Parameters.Append newParameter
Set rs = connContent.Execute(SQL)
If NOT rs.EOF Then
' Do something...
End If
rs.Close
It's obviously not working, but I need to know if I can actually achieve this using the connection I have, or am I missing something altogether that's stopping it from working?
Before I go forth and spend the next 2 days debugging something I'm unfamiliar with, I would like to know I'm at least on the right track...
Accepted answer
The code in your second snippet is correct, but should be applied to a new ADODB.Command object, not to the Connection object:
username = Trim(Request("username"))
'-----Added this-----
Dim cmdContent
Set cmdContent = Server.CreateObject("ADODB.Command")
' Use this line to associate the Command with your previously opened connection
Set cmdContent.ActiveConnection = connContent
'--------------------
cmdContent.Prepared = True
Const ad_nVarChar = 202
Const ad_ParamInput = 1
SQL = " SELECT * FROM users WHERE (username=?) ; "
Set newParameter = cmdContent.CreateParameter("@username", ad_nVarChar, ad_ParamInput, 20, username)
cmdContent.Parameters.Append newParameter
cmdContent.CommandText = SQL
Set rs = cmdContent.Execute
If NOT rs.EOF Then
' Do something...
End If
rs.Close
By the way, there was a typo with the spelling of adParamInput instead of ad_ParamInput (corrected in my example).
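Building on the accepted answer, here is an added example (not code from the question or the answer) that wraps the ADODB.Command pattern in a reusable helper so every page can bind its values the same way. It assumes the already-open connContent from the question, a hypothetical login_count column on users, and the standard ADO constants (adVarWChar = 202, adInteger = 3, adParamInput = 1).

```vbscript
<%
' Added example: helper that runs SQL containing "?" placeholders through an
' ADODB.Command bound to the connection the page already opened (connContent).
' ADO constant values are the standard ones; the helper name is an assumption.
Const adVarWChar   = 202
Const adInteger    = 3
Const adParamInput = 1

' Runs sql with one positional parameter per "?" and returns the recordset.
'   values : array of parameter values, in placeholder order
'   types  : array of ADO data-type constants, same length as values
'   sizes  : array of declared sizes (ignored for numeric types, but
'            CreateParameter still requires an argument)
Function ExecuteParameterized(conn, sql, values, types, sizes)
    Dim cmd, i, p
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = sql
    cmd.Prepared = True
    For i = 0 To UBound(values)
        ' The parameter name is only a label: ADO binds strictly by position,
        ' so the order of the array must match the order of the "?" marks.
        Set p = cmd.CreateParameter("p" & i, types(i), adParamInput, sizes(i), values(i))
        cmd.Parameters.Append p
    Next
    Set ExecuteParameterized = cmd.Execute
End Function

' Usage: the raw request value is bound as data. Any quote characters it
' contains travel to MySQL inside the bound value, never inside the SQL text.
Dim username, minLogins, rs
username = Trim(Request("username"))
' Validate numeric input before binding it as adInteger (CLng on a
' non-numeric string would raise a type-mismatch error at runtime).
If IsNumeric(Request("min_logins")) Then
    minLogins = CLng(Request("min_logins"))
Else
    minLogins = 0
End If

Set rs = ExecuteParameterized(connContent, _
    "SELECT id, username FROM users WHERE username = ? AND login_count >= ?", _
    Array(username, minLogins), _
    Array(adVarWChar, adInteger), _
    Array(20, 0))

If Not rs.EOF Then
    ' Encode on output as well: parameters protect the query, not the HTML.
    Response.Write "Found user " & Server.HTMLEncode(rs("username"))
End If
rs.Close
Set rs = Nothing
%>
```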