经典Asp安全插入声明表到数据库

时间:2015-05-12 15:50:38

标签: sql-server vbscript asp-classic

我有一个在线表格,需要将数据输入MSSQL数据库。我试图创建一个安全的插入语句。使用以下代码,我收到此错误。

用于SQL Server的Microsoft OLE DB提供程序错误' 80040e5d' 参数名称无法识别。

<%@language="vbscript" codepage="65001" %>
<% option explicit %>

Dim Form_Name
Dim Form_Email
Form_Name= ProtectSQL(request.Form("Name"))
Form_Email= ProtectSQL(Request.Form("Email"))

Dim objConn
set objConn = Server.CreateObject("ADODB.Connection")

Dim strConn
strConn="provider=SQLOLEDB;Server=localhost;Database=dbname;Uid=username;Pwd=password;"

objConn.open strConn

Dim DateSubmitted
DateSubmitted=now()

Dim strSQL
strSQL = "INSERT INTO tablename(DateSubmitted, Name, Email) VALUES('" & DateSubmitted & "', ?, ?)"

Dim objCmd 
set objCmd = Server.Createobject("ADODB.Command")
objCmd.ActiveConnection = objConn 
objCmd.CommandText = strSQL 
objCmd.CommandType = adCmdText
objCmd.NamedParameters = true

Dim objParam1
Set objParam1 = objCmd.CreateParameter("Name", adVarChar, adParamInput, Len(Form_Name), Form_Name)
objCmd.Parameters.Append objParam1

Dim objparam2
Set objparam2 = objCmd.CreateParameter("Email", adVarChar, adParamInput, Len(Form_Email), Form_Email)
objCmd.Parameters.Append objparam2

objCmd.Execute, , adCmdText And adExecuteNoRecords

objConn.close
Set objConn = Nothing

我也试过

strSQL = "INSERT into tablename(DateSubmitted,Name,Email)values('" & DateSubmitted & "',@Name,@Email)"

objCmd.Parameters.Append objCmd.CreateParameter("@Name",adVarChar,adParamInput,100,Form_Name)

objCmd.Parameters.Append objCmd.CreateParameter("@Email",adVarChar,adParamInput,100,Form_Email)

有了这个我必须声明标量变量&#34; @ Name&#34;。

两条错误消息都引用了objCmd.Execute行

有没有更好的方法来执行insert语句?我不需要记录集。

2 个答案:

答案 0 :(得分:0)

中有 5 占位符 
Content-Disposition: inline;

但仅添加 2 参数。

答案 1 :(得分:0)

我使用类似以下代码的代码在经典的asp:

中执行参数化查询 
public sub sql_execute(sql, parameterArray)

    dim cnx
    Set cnx=CreateObject("ADODB.Connection")
    cnx.Open wfDataConnection           
    if isArray(parameterArray) then
        dim cmd, i
        Set cmd = CreateObject("ADODB.Command")
        With cmd    
            .CommandText = sql
            .CommandType = adCmdText
            .ActiveConnection = cnx 
            for each i in parameterArray
                .Parameters.Append .CreateParameter(i(0), i(1), i(2), i(3), i(4))
            next
        end with        
        cmd.execute rowsAffected, , adExecuteNoRecords
    else
        cnx.execute sql, rowsAffected, adExecuteNoRecords       
    end if
end sub

这样称呼它:

dim sql, parameterArray
sql = "INSERT INTO table (val1, val2) VALUES (?, ?)"
paramaterArray = Array(_
                     Array("@p1", adInteger, adParamInput, , val1)_
                    , Array("@p2", adVarChar, adParamInput, 255, val2)_
                 )

sql_execute sql, parameterArray

创建参数时,我对变量名称(@ p1,@ p2等)不太确定。你称之为变量似乎并不重要,但它们确实需要某种名称才能使它起作用。

相关问题
最新问题