问题
I'm about to have to deal with some SQL code in classic ASP VBScript.
I have two questions.
First, in .net, I'm used to using the System.Data.SqlClient namespace objects to perform queries. For example:
Dim conn as New SqlConnection("Data Source=MyServer;uid=myUid;pwd=myPwd;Initial Catalog=myDataBase;"
Dim cmd as New SqlCommand("Select fname From myTable where uid=@uid;", conn)
cmd.Parameters.add(New SqlParameter("@uid",100323)
conn.open()
Response.Write(cmd.ExecuteScalar())
conn.Close()
I've been told that using a parameterized query as such makes my query secure from SQL injection attacks.
I'd like to know what is the equivalent code to do such a query in classic ASP with VBScript and what similar security precautions must be used to guard against SQL injection.
回答1:
There are ADODB Objects which do basically the same thing. ADODB.Command object is the equivalent to SqlCommand. From there it is basically doing the same as in .NET.
set cmd = Server.CreateOject("ADODB.Command")
cmd.CommandText = "select From Table where ID = @id")
set param = cmd.CreateParameter("@id", adInteger, adInput,0,0)
I frequently use w3schools for help about ADO objects.
来源:https://stackoverflow.com/questions/3579687/how-do-i-run-a-parameterized-sql-query-in-classic-asp-and-is-it-secure