Question: I have a search that works fine until a user runs a query that returns no results. When that happens, the dropdown (which pulls its options from SQL) stops working. I get the following:

```html
<option label=' <font face="Arial" size=2>
<p>ADODB.Field</font> <font face="Arial" size=2>error '80020009'</font>
<p>
<font face="Arial" size=2>Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.</font>
<p>
<font face="Arial" size=2>/junk/dbinstant.htm</font><font face="Arial" size=2>, line 0</font>
```
When this happens, it seems to cut off all of the code below it.

I think the code responsible is:

```vbscript
<%if request.querystring("abn") = "all" then
response.write("")
else
response.write("<option label='")%><%=lcon("legal")%><%response.write("' value='")%><%=(src_abn)%><%response.write("' selected></option>'")
end if %>
```
Full page:

```vbscript
<%@ LANGUAGE="VBSCRIPT" %>
<%
pagetitle="Contractor Details"
%>
<!--#INCLUDE VIRTUAL="/_lib/include/header.htm"-->
<!--#INCLUDE VIRTUAL="/_lib/include/menu.htm"-->
<script>
$(document).ready(function() {
$("#abn,#cat").change(function () {
this.form.submit();
})
});
</script>
<div class="twoColumnRow">
<div class="twoColumnContent">
<p class="breadCrm"><a href="/index.htm">Home</a> <span>></span> <a href="/tools/index.htm">Tools of the Trade</a> <span>></span> <a href="/tools/finance/index.htm">Finance and Purchasing</a><span>></span> <a href="/tools/finance/procurement/index.htm">Procurement and Contracts information</a></p>
<div class="contentPad">
<!-- Start of main content -->
<p class="imageRight"> </p>
<h1><%=pagetitle%></h1>
<%
Dim connectString, connect, conDB, sconDB, lDB, con, scon, lcon, src_abn, src_cat
connectString = "Driver={Microsoft Text Driver (*.txt; *.csv)}; DBQ=" & Server.MapPath("data")
src_abn = Request.QueryString("abn")
src_cat = Request.QueryString("cat")
set connect = Server.CreateObject("ADODB.connection")
connect.open connectString
if src_abn = "all" and src_cat = "all" then
conDB = "SELECT * FROM cont.csv"
lDB = "SELECT * FROM cont.csv"
elseif src_abn = "all" then
conDB = "SELECT * FROM cont.csv WHERE " & src_cat & " = 'Yes'"
lDB = "SELECT * FROM cont.csv WHERE " & src_cat & " = 'Yes'"
elseif src_cat = "all" then
conDB = "SELECT * FROM cont.csv WHERE ucase(abn) LIKE ucase('%"+src_abn+"%')"
lDB = "SELECT * FROM cont.csv WHERE ucase(abn) LIKE ucase('%"+src_abn+"%')"
else
conDB = " SELECT * FROM cont.csv WHERE " & src_cat & " = 'Yes' AND ucase(abn) LIKE ucase('%"+src_abn+"%')"
lDB = " SELECT * FROM cont.csv WHERE " & src_cat & " = 'Yes' AND ucase(abn) LIKE ucase('%"+src_abn+"%')"
end if
sconDB = "SELECT * FROM cont.csv"
set con = connect.execute(conDB)
set scon = connect.execute(sconDB)
set lcon = connect.execute(lDB)
%>
<h2>Search results</h2><hr />
<% if not con.BOF then %>
<div style="margin-top:1em">
<form action="dbinstant.htm" method="get">
<p>Company name:1<br/>
<select id="abn" name="abn">
<option label="All companies" value="all" <%if request.querystring("abn") = "all" then response.write("selected") %>></option>
<%if request.querystring("abn") = "all" then
response.write("<option label='All companies' value='all' selected></option>")
else
response.write("<option label='")%><%=lcon("legal")%><%response.write("' value='")%><%=(src_abn)%><%response.write("' selected></option>'")
end if %>
<% while (NOT scon.EOF) %>
<option label="<%=scon("legal")%>" value="<%=scon("abn")%>" <%if request.querystring("abn") = "response.write(src_abn)" then
response.write("selected")
end if %>></option>
<%scon.MoveNext()
Wend %>
</select>
</p>
<p>Categories for Creative Design:<br/>
<select id="cat" name="cat">
<option class="group" label="All categories" value="all" <%if request.querystring("cat") = "all" then response.write("selected") %>></option>
<option class="group" label="Strategic brand, marketing and communications advice" value="a" <%if request.querystring("cat") = "a" then response.write("selected") %>></option>
<option class="group" label="Graphic design and layout" value="b" <%if request.querystring("cat") = "b" then response.write("selected") %>></option>
<option class="group" label="Forms design" value="c" <%if request.querystring("cat") = "c" then response.write("selected") %>></option>
<option class="group" label="Web design and development" value="d" <%if request.querystring("cat") = "d" then response.write("selected") %>></option>
<option class="group" label="Authoring services" value="e" <%if request.querystring("cat") = "e" then response.write("selected") %>></option>
<option class="group" label="Editorial services" value="f" <%if request.querystring("cat") = "f" then response.write("selected") %>></option>
<option class="group" label="Translation services" value="g" <%if request.querystring("cat") = "g" then response.write("selected") %>></option>
<option class="group" label="Photography and film services" value="h" <%if request.querystring("cat") = "h" then response.write("selected") %>></option>
<option class="group" label="Scanning and digitisation services" value="i" <%if request.querystring("cat") = "i" then response.write("selected") %>></option>
<option class="group" label="Multimedia editing services" value="j" <%if request.querystring("cat") = "j" then response.write("selected") %>></option>
</select>
</p>
<input type="submit" value="Search" />
</form>
<br /><hr />
<table style="font-size:.9em;" class="contentTable">
<tr>
<th>ABN:</th>
<th>Company Name:</td>
</tr>
<% con.Movefirst() %>
<% while (NOT con.EOF) %>
<tr>
<td width="120px"><%=con("abn")%></th>
<td><a href="dbcomp.htm?abn=<%=con("abn")%>&cat=all"><%=con("legal")%></a></td>
</tr>
<%
con.MoveNext()
Wend
%>
</table>
</div>
<% else %>
<% scon.Movefirst() %>
<form action="dbinstant.htm" method="get">
<p>Company name:2<br/>
<select id="abn" name="abn">
<option label="All companies" value="all" <%if request.querystring("abn") = "all" then response.write("selected") %>></option>
<%if request.querystring("abn") = "all" then
response.write("")
else
response.write("<option label='")%><%=lcon("legal")%><%response.write("' value='")%><%=(src_abn)%><%response.write("' selected></option>'")
end if %>
<% while (NOT scon.EOF) %>
<option label="<%=scon("legal")%>" value="<%=scon("abn")%>" <%if request.querystring("abn") = "response.write(src_abn)" then
response.write("selected")
end if %>></option>
<%scon.MoveNext()
Wend %>
</select>
</p>
<p>Categories for Creative Design:<br/>
<select id="cat" name="cat">
<option class="group" label="All categories" value="all" <%if request.querystring("cat") = "all" then response.write("selected") %>></option>
<option class="group" label="Strategic brand, marketing and communications advice" value="a" <%if request.querystring("cat") = "a" then response.write("selected") %>></option>
<option class="group" label="Graphic design and layout" value="b" <%if request.querystring("cat") = "b" then response.write("selected") %>></option>
<option class="group" label="Forms design" value="c" <%if request.querystring("cat") = "c" then response.write("selected") %>></option>
<option class="group" label="Web design and development" value="d" <%if request.querystring("cat") = "d" then response.write("selected") %>></option>
<option class="group" label="Authoring services" value="e" <%if request.querystring("cat") = "e" then response.write("selected") %>></option>
<option class="group" label="Editorial services" value="f" <%if request.querystring("cat") = "f" then response.write("selected") %>></option>
<option class="group" label="Translation services" value="g" <%if request.querystring("cat") = "g" then response.write("selected") %>></option>
<option class="group" label="Photography and film services" value="h" <%if request.querystring("cat") = "h" then response.write("selected") %>></option>
<option class="group" label="Scanning and digitisation services" value="i" <%if request.querystring("cat") = "i" then response.write("selected") %>></option>
<option class="group" label="Multimedia editing services" value="j" <%if request.querystring("cat") = "j" then response.write("selected") %>></option>
</select>
</p>
<input type="submit" value="Search" />
</form>
<br /><hr />
<p>No records match your query.</p>
<p><a href="dbtest.htm">Return to search page</a></p>
<%
end if
con.close
%>
<!-- End of main content -->
</div> <!-- end contentPad div -->
</div> <!-- end twocolumncontent div -->
<div class="twoColumnLinks">
<!--<div class="relatedLinks">
<h3>Related Links</h3>
<ul>
<li><a href="/index.htm">Related link 1</a></li>
</ul>
</div>--> <!-- end relatedlinks div -->
<!--#INCLUDE VIRTUAL="/_lib/include/quicklinks.htm"-->
<!--#INCLUDE VIRTUAL="/_lib/include/mylinks.htm"-->
</div> <!-- end twocolumnlinks div -->
</div> <!-- end twocolumnrow div -->
<!--#INCLUDE VIRTUAL="/_lib/include/footer.htm"-->
```
Answer 0 (score: 3)

Try changing con.BOF to con.EOF.

Apart from that, there is also a serious SQL injection vulnerability in your code. I hope you are aware of that :-)

For example, you would want to change something like this

```vbscript
conDB = "SELECT * FROM cont.csv WHERE ucase(abn) LIKE ucase('%"+src_abn+"%')"
```

into this

```vbscript
conDB = "SELECT * FROM cont.csv WHERE ucase(abn) LIKE ucase('%"+ Replace(src_abn, "'", "''") + "%')"
```

Start with these:
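As an added example (not code from the question or the answer), the two query-string inputs on this page handled according to their role: "cat" is spliced into the SQL as a column name, which quoting cannot protect, so it is checked against an allowlist of the page's category columns; "abn" is a value and is bound as an ADO parameter; and the empty result is detected with EOF before any field is read, which is where the 80020009 error comes from. It assumes the page's existing "connect" ADODB.Connection, the abn and legal columns of cont.csv, and that the Jet-based Text Driver accepts "?" placeholders.

```vbscript
<%
' Added example, not code from the question or the answer. Assumes the page's
' existing "connect" ADODB.Connection, the cont.csv columns abn / legal, and
' that the Jet-based Text Driver accepts "?" placeholders.
' "cat" is spliced into the SQL as a COLUMN NAME. Quoting cannot protect an
' identifier, so the only safe handling is an allowlist of known column names.
Function SafeCategoryColumn(catParam)
    Dim allowed, i
    allowed = Array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j")
    SafeCategoryColumn = ""
    For i = 0 To UBound(allowed)
        If catParam = allowed(i) Then SafeCategoryColumn = allowed(i)
    Next
End Function

' "abn" is a VALUE, so it is bound as an ADO parameter instead of being
' concatenated into the query text.
Function OpenContractors(connect, catParam, abnParam)
    Dim cmd, sql, col
    sql = "SELECT * FROM cont.csv WHERE 1=1"
    If catParam <> "all" Then
        col = SafeCategoryColumn(catParam)
        If col = "" Then Err.Raise vbObjectError + 1, "OpenContractors", "Unknown category"
        sql = sql & " AND [" & col & "] = 'Yes'"
    End If
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = connect
    cmd.CommandType = 1   ' adCmdText
    If abnParam <> "all" Then
        sql = sql & " AND UCASE(abn) LIKE ?"
        ' 200 = adVarChar, 1 = adParamInput
        cmd.Parameters.Append cmd.CreateParameter("abn", 200, 1, 255, "%" & UCase(abnParam) & "%")
    End If
    cmd.CommandText = sql
    Set OpenContractors = cmd.Execute
End Function

' An empty recordset reports EOF straight after Execute, so test it before
' touching any field: reading a field of an empty recordset is the 80020009 error.
Set con = OpenContractors(connect, CStr(Request.QueryString("cat")), CStr(Request.QueryString("abn")))
If con.EOF Then
    Response.Write "<p>No records match your query.</p>"
Else
    Do While Not con.EOF
        Response.Write "<tr><td>" & Server.HTMLEncode(con("abn") & "") & "</td><td>" & _
                       Server.HTMLEncode(con("legal") & "") & "</td></tr>"
        con.MoveNext
    Loop
End If
%>
```

The field values are passed through Server.HTMLEncode on output because the page otherwise writes CSV contents straight into option labels and table cells.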