我在我的代码中设置了一个MM_CustomerID会话,然后在页面的下方我需要将该会话的值插入表中。但每次我尝试这样做时都会出现一个无效的列名'varCustomerID'。
在页面顶部,我有这段代码;
<%
set rscustomerid = Server.CreateObject("ADODB.Recordset")
rscustomerid.ActiveConnection = CmdAddCustomer.ActiveConnection
rscustomerid.Source = "SELECT @@IDENTITY as MaxCustomersID FROM Customers"
rscustomerid.CursorLocation = 2
rscustomerid.LockType = 3
rscustomerid.Open()
Session("MM_CustomerID")=rscustomerid("MaxCustomersID")
Session("MM_UserAuthorization") = "5"
%>
然后再往下,我正在尝试将varCustomerID的变量设置为等于MM_CustomerID会话;
<%
varCustomerID = Session("MM_CustomerID")
%>
然后尝试将该变量varCustomerID的值插入Orders表中,如下所示;
<%
'Insert record into Orders recordset when form is submitted
'and store the unique OrderID
'Version Date: 09 August 2009
set CmdAddOrder = Server.CreateObject("ADODB.Command")
CmdAddOrder.ActiveConnection = MM_dbconn_STRING
CmdAddOrder.CommandText = "INSERT INTO Orders (OrderCustomer,OrderGrandTotal,OrderStatus) VALUES (varCustomerID,0.00,3)"
CmdAddOrder.CommandType = 1
CmdAddOrder.CommandTimeout = 0
CmdAddOrder.Prepared = true
CmdAddOrder.Execute()
%>
我想知道是否有人可以提供帮助?也许有一种更简单的方法就是只将会话值插入表中,而不是为它创建变量?
感谢。
答案 0 :(得分:3)
您需要将sql命令文本更改为:
“INSERT INTO Orders(OrderCustomer,OrderGrandTotal,OrderStatus)VALUES(”+ varCustomerID +“,0.00,3)”
但是你可能容易受到SQL注入......实际上你应该参数化这个查询:
答案 1 :(得分:0)
您需要将varCustomerID强制转换为查询的字符串。对保罗答案的轻微改变应该让你工作,但就像他说你需要小心注射攻击。
"INSERT INTO Orders (OrderCustomer,OrderGrandTotal,OrderStatus) VALUES (" & varCustomerID & ",0.00,3)"