我正在尝试学习如何避免SQL注入,并使用VBA通过VB中的ADO连接到mysql数据库。
我遇到的问题是该行
Set rs = cmd.Execute
我收到以下错误,我在两天内无法确定:"没有给出一个或多个必需参数的值"。
当然,在打印参数字符串时,它会返回:(我注意到params的区别......不知道为什么会发生这种情况)
INSERT INTO prm1=? VALUES prm2=?, prm3=?, prm4=?, prm5=?, prm6=?, prm7=?, prm8=?, prm9=?, prm10=?, prm11=?, prm12=?, prm13=?;
这是我用来澄清的代码:
Function addToServer(file As String, server As Integer, lastRow As Integer)
Sheets("usage").Select
Dim str As String
Dim i As Integer
Dim conn As ADODB.Connection
Set conn = DBConnection
Dim rs As ADODB.Recordset
Set rs = New ADODB.Recordset
Dim cmd As ADODB.Command
Dim prm2 As ADODB.Parameter
Dim prm3 As ADODB.Parameter
Dim prm4 As ADODB.Parameter
Dim prm5 As ADODB.Parameter
Dim prm6 As ADODB.Parameter
Dim prm7 As ADODB.Parameter
Dim prm8 As ADODB.Parameter
Dim prm10 As ADODB.Parameter
Dim prm11 As ADODB.Parameter
Dim prm12 As ADODB.Parameter
Dim prm13 As ADODB.Parameter
Dim prm14 As ADODB.Parameter
Dim prm15 As ADODB.Parameter
Set cmd = New ADODB.Command
cmd.ActiveConnection = conn
With cmd
If server <> 0 Then
.CommandText = "INSERT INTO NLVMerlinResults (Year, Month, Day, Lab, Station, IP, thisWeek, Week1, Week2, Week3, Week4, Week5, WeeksInMonth, SumOverWeeks) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);"
Else
.CommandText = "INSERT INTO STMerlinResults (Year, Month, Day, Lab, Station, IP, thisWeek, Week1, Week2, Week3, Week4, Week5, WeeksInMonth, SumOverWeeks) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) ;"
End If
cmd.CommandType = adCmdText
Set prm2 = .CreateParameter(Name:="year", Type:=adInteger, size:=4)
.Parameters.Append prm2
Set prm3 = .CreateParameter(Name:="month", Type:=adSmallInt, size:=2)
.Parameters.Append prm3
Set prm4 = .CreateParameter(Name:="day", Type:=adSmallInt, size:=2)
.Parameters.Append prm4
Set prm5 = .CreateParameter(Name:="lab", Type:=adVarChar, size:=30)
.Parameters.Append prm5
Set prm6 = .CreateParameter(Name:="cell", Type:=adVarChar, size:=30)
.Parameters.Append prm6
Set prm7 = .CreateParameter(Name:="ip", Type:=adVarChar, size:=20)
.Parameters.Append prm7
Set prm8 = .CreateParameter(Name:="week", Type:=adSmallInt, size:=2)
.Parameters.Append prm8
Set prm9 = .CreateParameter(Name:="1", Type:=adVarChar, size:=10)
.Parameters.Append prm9
Set prm10 = .CreateParameter(Name:="2", Type:=adVarChar, size:=10)
.Parameters.Append prm10
Set prm11 = .CreateParameter(Name:="3", Type:=adVarChar, size:=10)
.Parameters.Append prm11
Set prm12 = .CreateParameter(Name:="4", Type:=adVarChar, size:=10)
.Parameters.Append prm12
Set prm13 = .CreateParameter(Name:="5", Type:=adVarChar, size:=10)
.Parameters.Append prm13
Set prm14 = .CreateParameter(Name:="weeksinmonth", Type:=adTinyInt, size:=1)
.Parameters.Append prm14
Set prm15 = .CreateParameter(Name:="total", Type:=adVarChar, size:=10)
.Parameters.Append prm15
Dim j As Integer
For i = 1 To lastRow
For j = 1 To 15
If (j = 1) Then
prm2.value = CLng(cells(i, j))
ElseIf (j = 2) Then
prm3.value = CInt(cells(i, j))
ElseIf (j = 3) Then
prm4.value = CInt(cells(i, j))
ElseIf (j = 4) Then
prm5.value = CStr(cells(i, j))
ElseIf (j = 5) Then
prm6.value = CStr(cells(i, j))
ElseIf (j = 6) Then
prm7.value = CStr(cells(i, j))
ElseIf (j = 7) Then
prm8.value = CInt(cells(i, j))
ElseIf (j = 8) Then
If IsEmpty((cells(i, j))) Then
prm9.value = vbNullString
Else
prm9.value = CStr(cells(i, j))
End If
ElseIf (j = 9) Then
If IsEmpty((cells(i, j))) Then
prm10.value = vbNullString
Else
prm10.value = CStr(cells(i, j))
End If
ElseIf (j = 10) Then
If IsEmpty((cells(i, j))) Then
prm11.value = vbNullString
Else
prm11.value = CStr(cells(i, j))
End If
ElseIf (j = 11) Then
If IsEmpty((cells(i, j))) Then
prm12.value = vbNullString
Else
prm12.value = CStr(cells(i, j))
End If
ElseIf (j = 12) Then
If IsEmpty((cells(i, j))) Then
prm13.value = vbNullString
Else
prm13.value = CStr(cells(i, j))
End If
ElseIf (j = 13) Then
prm14.value = CByte(cells(i, j))
ElseIf (j = 14) Then
prm15.value = CStr(cells(i, j))
End If
Next j
.Execute
Next i
End With
Set cmd = Nothing
End Function
我上面使用了两种不同的方法,但两种方法似乎都没有。有人可以就我能做些什么来提供帮助吗?我尝试从.CreateParameter函数中取出params(http://www.w3schools.com/asp/met_comm_createparameter.asp表示它们是可选的),但这也没有用。
最好,
阿什利
编辑::我在上面添加了编辑。我尝试了一个测试插件,但它很成功。
INSERT INTO `NLVMerlinResults` (Year, Month, Day, Lab, Station, IP, thisWeek, Week1, Week2, Week3, Week4, Week5, WeeksInMonth, SumOverWeeks) VALUES ("1", "2", "3", "4", "5", 1, 5, "5", "5", "6", 6, "5", "4", "5")
虽然奇怪的是它允许我在DB只接受varchar时输入整数和字符串...
答案 0 :(得分:1)
删除“qualifer =?”来自SQL语句。 ODBC参数使用单个?
指定,并且必须按照它们在语句中出现的顺序添加:
INSERT INTO `NLVMerlinResults` (Year, Month, Day, Lab, Station, IP,
thisWeek, Week1, Week2, Week3, Week4, Week5, WeeksInMonth, SumOverWeeks)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
OP EDIT:问题陈述中提供的功能代码。