1. 技术文章
  2. Passing SQL variable to ASP

Passing SQL variable to ASP

我是研究僧i 提交于 2019-12-20 06:31:30

问题


Just a bit of a syntax problem here. I'm using SQL and ASP and have this code thus far:

set rs=Server.CreateObject("ADODB.recordset")
rs.Open "Select * from Questions", conn

sql="INSERT INTO Questions(QuestionText, QuestionType)"
sql=sql & " VALUES "
sql=sql & "('" & qtext & "',"
sql=sql & "'" & "checkbox" & "');" 
sql=sql & "DECLARE @testID int;"
sql=sql & "SET @testID = @@identity;"

on error resume next
conn.Execute sql,recaffected
if err<>0 then
    Response.Write("An Error Has Occured")
else

end if

How would I pass the SQL variable @testID to ASP so that it could be written within the response.write

Example:

Dim, ASPID
ASPID = @testID
Response.write(ASPID)

(obviously this is wrong) Could anyone tell me how to do this? Sorry if this is a bit too simple for some people :P


回答1:


Try this;

' What is this for?
'set rs=Server.CreateObject("ADODB.recordset")
'rs.Open "Select * from Questions", conn

Dim cmd, rs, sql, new_id, yourconnstring

sql = ""
sql = sql & "INSERT INTO Questions(QuestionText, QuestionType) VALUES (?, ?);" & vbCrLf
sql = sql & "SELECT SCOPE_IDENTITY();"

Set cmd = Server.CreateObject("ADODB.Command")
With cmd
  .ActiveConnection = yourconnstring 'No need for separate connection object
  .CommandType = adCmdText
  .CommandText = sql
  .Parameters.Append(.CreateParameter("@questiontext", adVarWChar, adParamInput, 255)
  .Parameters.Append(.CreateParameter("@questiontype", adVarWChar, adParamInput, 255)
  Set rs = .Execute(, Array(qtext, "checkbox"))
  If Not rs.EOF Then new_id = rs(0)
  Call rs.Close()
  Set rs = Nothing
End With
Set cmd = Nothing

If Len(new_id) < 1 Then
  Call Response.Write("An Error Has Occured")
Else
  Call Response.Write("ID is " & new_id)
End If

Not tested but this is how I tend to do this without having to worry about handling apostrophes and malicious code.




回答2:


Alternative without the use of a command object

Set rs=Server.CreateObject("ADODB.recordset")
rs.Open "Select * from Questions", conn
...
rs.Close
sql="INSERT INTO Questions(QuestionText, QuestionType)" & _
    " VALUES " & _
    "('" & qtext & "'," & _
    "'" & "checkbox" & "');" & _
    "SELECT SCOPE_IDENTITY() AS testid;"

On Error Resume Next
rs.Open sql, conn
recaffected = rs("testid")
rs.Close : Set rs = Nothing
If err.Number <> 0 Then
   Response.Write("An Error Has Occured")
Else
End If
On Error Goto 0

That you don't pass unchecked content from user inputs via "qtext" is clear Just a 

Replace(qtext,"'","''")

might not be enough. Cleaner would be the use of a function like this:

Function SQLScrub(ByVal val)
   dim HostileAttemptString(5)
       HostileAttemptString(0) = "EXEC(@"
       HostileAttemptString(1) = "exec(@" 
       HostileAttemptString(2) = "and%201=" 
       HostileAttemptString(3) = "and%20char(" 
       HostileAttemptString(4) = "exec%28@" 
       HostileAttemptString(5) = "EXEC%28@"

   dim str,rtnVal
   rtnVal = val
   rtnVal = Replace(val,"'","''")

   For Each str in HostileAttemptString
    rtnVal = Replace(rtnVal,str,"")
   Next

   SQLScrub = rtnVal 
end function

Syntax:

qtext = SQLScrub(original_userinput)


来源:https://stackoverflow.com/questions/21628939/passing-sql-variable-to-asp

标签
sql
variables
syntax
asp-classic
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!