I created a stored procedure that works when I execute it in SQL Server Management Studio, but when I call it from the web page, actually trying to use it with the form does not work. I think I am overlooking something or overthinking something.
SQL:
ALTER PROCEDURE [dbo].[ASSET_insert]
@iproduct varchar(55),
@imanufact varchar (55),
@itype varchar (30),
@ipart_num varchar(50),
@iversion varchar(50),
@iprice float,
@iwarranty varchar(30),
@isupport varchar(12),
@imaintenanc varchar(30),
@icontact varchar(30),
@icomments text,
@inextproduct_id int,
@iVENDOR varchar(50)
AS
BEGIN
SET NOCOUNT ON
set @inextproduct_id =(select top 1 nextidvalue from TI_IdGenerator where TableName='PRODUCT.PRODUCT_ID')
set @inextproduct_id = @inextproduct_id + 1
update TI_IdGenerator set NextIdValue = @inextproduct_id where TableName='PRODUCT.PRODUCT_ID'
-- ADD the Product type from ProdType - allows us to get the product type and connect to product. // works but may need to connect to AssetTup
--declare @itype varchar (30)
select @itype=p.AssetType from IN_AssetType p where p.AssetTypeId=@itype
-- Get some of the info we need // Getting the information form the AssetType
select @itype = a.AssetType from IN_AssetType a where a.AssetTypeId=@itype
-- Get more.// Get Vendor Information - allows us to get create drop-down box
declare @iVENDOR varchar(50)
select @iVENDOR=v.COMPANY from VENDOR v where v.ID=@iVENDOR
--INSERT into the web inventory form iTemplates into the PRODUCT
INSERT INTO PRODUCT (PRODUCT_ID,PRODUCT,MANUFACT,TYPE,PART_NUM,VERSION,VENDOR,PRICE,WARRANTY,SUPPORT,MAINTENANC,CONTACT,COMMENTS)
VALUES(@inextproduct_id,@iPRODUCT,@iMANUFACT,@itype,@iPART_NUM,@iVERSION,@iVENDOR,@iPRICE,@iWARRANTY,@iSUPPORT,@iMAINTENANC,@iCONTACT,@iCOMMENTS)
Return @inextproduct_id
END
Code used to call the stored procedure:
newproduct_name=Request.Form("iproduct")
newmanufacture_name=Request.Form("imanufact")
newproudct_partnum=Request.Form("ipart_num")
newproduct_version=Request.Form("iversion")
newproduct_price=Request.Form("iprice")
newproudct_warranty=Request.Form("iwarranty")
newproduct_support= Request.Form("isupport")
newproduct_maintenanc= Request.Form("imaintenanc")
newproduct_contact= Request.Form("icontact")
newproduct_comments= Request.Form("icomments ")
if request.form("submit")="addnewproduct " then 'Add product to the Trackit Database into the PRODUCT
sqltext="EXEC Asset_insert "
sqltext=sqltext & cstr(inextproduct_id) & ","
sqltext=sqltext & cstr(product_id) & ","
sqltext=sqltext & cstr(vendor_id) & ","
sqltext=sqltext & cstr(assetTypeId) & ","
sqltext=sqltext & "'" & newproduct_name & "'" & ","
sqltext=sqltext & "'" & newmanufacture_name & "'" & ","
sqltext=sqltext & "'" & newproudct_partnum & "'" & ","
sqltext=sqltext & "'" & newproduct_version & "'" & ","
sqltext=sqltext & "'" & newproduct_price & "'" & ","
sqltext=sqltext & "'" & newproudct_warranty & "'" & ","
sqltext=sqltext & "'" & newproduct_support & "'" & ","
sqltext=sqltext & "'" & newproduct_MAINTENANC & "'" & ","
sqltext=sqltext & "'" & newproduct_contact & "'" & ","
sqltext=sqltext & "'" & newproduct_comments & "'"
'response.write("<br>" & sqltext)
set rsTrack=connTrack.Execute(sqlText)
end if
The HTML code being used is as follows:
<body onLoad="self.focus();document.form2.product.focus();" >
<FORM METHOD="POST" ACTION="" id="form2" name="form2" target="_self">
<table title="Add New Product " bgcolor="DarkTurquoise">
<thead>
<tr>
<th>
Product
</th>
<th>
Manufacture
</th>
<th>
Select Type
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<input tabindex="3" type="text" name="iproduct" id=iproduct />
</td>
<td>
<input tabindex="4" type="text" name="imanufact"id=imanufact />
</td>
<td>
<%=ASSETNAME%>
</td>
<thead>
<tr>
<th>
Part Number
</th>
<th>
Version
</th>
<th>
Vendor
</th>
</tr>
</thead>
<td>
<input tabindex="5" type="text" name="ipart_num" id=ipart_num />
</td>
<td>
<input tabindex="6" type="text" name="iversion" id=iversion />
</td>
<td>
<%=displayown%>
</td>
<thead>
<tr>
<th>
Price
</th>
<th>
Support #
</th>
<th>
Maintenance
</th>
</tr>
</thead>
<td>
<input tabindex="7" type="text" name="iprice" id=iprice/>
</td>
<td>
<input tabindex="8" type="text" name="isupport" id=isupport/>
</td>
<td>
<input tabindex="9" type="text" name="imaintenanc" id=imaintenanc/>
</td>
</tr>
</tbody>
<thead>
<tr>
<th>
Warranty:
</th>
</tr>
</thead>
<td>
<input tabindex="10" type="text" name="iwarranty" id=iwarranty onclick="JACS.show(document.getElementById('iwarranty'),event);" value="
<%=iwarranty%>
" >
</td>
<tr>
<tr>
<th>
Contact (Telephone Number):
</th>
</tr>
<td>
<input tabindex="11" type="text" name="icontact" id=icontact />
</td>
<br />
<tr>
<th>
Comments:
</th>
</tr>
<td>
<input tabindex="12" type="text" name="icomments" id=icomments />
</td>
</tr>
<td>
<input TYPE="submit" NAME="addnewproduct" VALUE="Add Product" ID=addnewproduct />
<br />
</td>
<br />
<td>
<input type= button onclick='history.go(0)' name="refresh" value="Refresh" />
<br />
</td>
</table>
</FORM>
Answer 0 (score: 0)
The problem is that you are checking
if request.form("submit") = "addnewproduct " then
You should be checking (without the space)
if request.form("submit") = "addnewproduct" then
However, your code is extremely prone to errors and SQL injection. At a minimum you should:
1 - Validate that the IDs ARE integers before using them in the query:
if not isnumeric(inextproduct_id) then inextproduct_id = 0
sqltext = sqltext & cstr(inextproduct_id) & ","
2 - Enclose your string variables in double quotes:
sqltext = sqltext & "'" & replace(newmanufacture_name, "'", "''") & "'" & ","
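As an added example, not part of the original question or answer, here is the same call made through an ADODB.Command with typed parameters instead of a concatenated EXEC string. Each form value is bound as data, so a quote inside a field can no longer terminate a literal, and the length checks mirror the varchar sizes declared in ASSET_insert. It assumes connTrack is the open ADODB.Connection from the question, and that the two dropdowns rendered by <%=ASSETNAME%> and <%=displayown%> post their IDs as itype and ivendor (assumed names; the question's HTML does not show them). It also tests the button's own key, addnewproduct, since the form has no field named submit.

```vbscript
' Added example (not the original poster's or answerer's code): call
' dbo.ASSET_insert through ADODB.Command with typed parameters instead of
' building an EXEC string. Assumes connTrack is the open ADODB.Connection
' from the question and that the dropdowns post as "itype" and "ivendor"
' (assumed field names; the question's HTML does not show them).
Option Explicit

' ADO constants (values from adovbs.inc)
Const adCmdStoredProc = 4
Const adParamInput = 1
Const adParamReturnValue = 4
Const adInteger = 3
Const adDouble = 5
Const adVarChar = 200
Const adLongVarChar = 201
Const adExecuteNoRecords = 128

' Read a text field and refuse anything longer than the procedure's parameter.
Function FormText(fieldName, maxLen)
    Dim v
    v = Trim(Request.Form(fieldName))
    If Len(v) > maxLen Then
        Err.Raise vbObjectError + 1, "FormText", fieldName & " is longer than " & maxLen & " characters"
    End If
    FormText = v
End Function

' Numeric fields are converted before they reach SQL; non-numbers are rejected.
Function FormNumber(fieldName)
    Dim v
    v = Trim(Request.Form(fieldName))
    If Not IsNumeric(v) Then
        Err.Raise vbObjectError + 2, "FormNumber", fieldName & " is not numeric"
    End If
    FormNumber = CDbl(v)
End Function

' IDs must be whole numbers: numeric and without a decimal point.
Function FormInt(fieldName)
    Dim v
    v = Trim(Request.Form(fieldName))
    If Not IsNumeric(v) Or InStr(v, ".") > 0 Then
        Err.Raise vbObjectError + 3, "FormInt", fieldName & " is not a whole number"
    End If
    FormInt = CLng(v)
End Function

' The submit button is named "addnewproduct" in the form, so test that key;
' Request.Form("submit") is always empty here.
If Request.Form("addnewproduct") <> "" Then
    Dim cmd, newProductId
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = connTrack
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "dbo.ASSET_insert"

    ' The return value is appended first; the remaining parameters are bound
    ' by position, so they follow the order declared in ASSET_insert.
    cmd.Parameters.Append cmd.CreateParameter("RETURN_VALUE", adInteger, adParamReturnValue, 4)

    ' Every value travels as data; sizes match the procedure's varchar lengths.
    cmd.Parameters.Append cmd.CreateParameter("@iproduct",    adVarChar, adParamInput, 55, FormText("iproduct", 55))
    cmd.Parameters.Append cmd.CreateParameter("@imanufact",   adVarChar, adParamInput, 55, FormText("imanufact", 55))
    cmd.Parameters.Append cmd.CreateParameter("@itype",       adVarChar, adParamInput, 30, CStr(FormInt("itype")))
    cmd.Parameters.Append cmd.CreateParameter("@ipart_num",   adVarChar, adParamInput, 50, FormText("ipart_num", 50))
    cmd.Parameters.Append cmd.CreateParameter("@iversion",    adVarChar, adParamInput, 50, FormText("iversion", 50))
    cmd.Parameters.Append cmd.CreateParameter("@iprice",      adDouble,  adParamInput, 8,  FormNumber("iprice"))
    cmd.Parameters.Append cmd.CreateParameter("@iwarranty",   adVarChar, adParamInput, 30, FormText("iwarranty", 30))
    cmd.Parameters.Append cmd.CreateParameter("@isupport",    adVarChar, adParamInput, 12, FormText("isupport", 12))
    cmd.Parameters.Append cmd.CreateParameter("@imaintenanc", adVarChar, adParamInput, 30, FormText("imaintenanc", 30))
    cmd.Parameters.Append cmd.CreateParameter("@icontact",    adVarChar, adParamInput, 30, FormText("icontact", 30))
    ' The COMMENTS column is text; 4000 is an assumed, defensive cap for form input.
    cmd.Parameters.Append cmd.CreateParameter("@icomments",   adLongVarChar, adParamInput, 2147483647, FormText("icomments", 4000))
    ' ASSET_insert overwrites @inextproduct_id from TI_IdGenerator, so any value will do.
    cmd.Parameters.Append cmd.CreateParameter("@inextproduct_id", adInteger, adParamInput, 4, 0)
    cmd.Parameters.Append cmd.CreateParameter("@iVENDOR",     adVarChar, adParamInput, 50, CStr(FormInt("ivendor")))

    ' The procedure returns no rowset, only the RETURN value (the new PRODUCT_ID).
    cmd.Execute , , adExecuteNoRecords
    newProductId = cmd.Parameters("RETURN_VALUE").Value
    Response.Write "Inserted product " & newProductId
    Set cmd = Nothing
End If
```

With parameters bound this way there is nothing to escape, so the replace(..., "'", "''") step becomes unnecessary; the length and numeric checks remain useful because they reject bad input before a round trip to SQL Server and give the user a clear error instead of a conversion failure inside the procedure.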