为什么这个简单的经典ASP搜索查询不起作用?

时间:2013-10-09 03:49:23

标签: sql search asp-classic

我在经典的asp中进行了一个非常简单的搜索查询,它在数据库中查找与用户搜索查询“相似”的单词。

我的网页说我搜索“测试”时没有结果。但是我有一个标题为搜索的特定帖子,我可以在我的数据库中看到。

我不确定为什么这不起作用。

<% option explicit %>

<!DOCTYPE HTML>
<html>
<head>
  <link href="normalize.css" rel="stylesheet" type="text/css">
</head>
<body>
<!--#include file="header.asp"-->
<!--#include file="dbconn.asp"-->
<%
  dim stage, s, sql, info
  stage = request.querystring("stage")
  if stage = "" then stage=1



  '------------------------------------------------------------------
  if stage = 1 then
  '------------------------------------------------------------------

    response.write "<form action=""search.asp"" method=""get"">" &_
                   "<input type=""hidden"" name=""stage"" value=""2"">"&_
                   "<input type=""text"" id=""search"" name=""search"">" &_
                   "<input type=""submit"" value=""Search"">" &_
                   "</form>" 


  '------------------------------------------------------------------
  elseif stage = 2 then
  '------------------------------------------------------------------

    '--- grab the data from the form
    dim search
    search = Request.QueryString("search")



    '--- execute the query
    '                0       1            2
     SQL = " select ID, projectName, Description from projectstable"&_ 
            " where (projectName like ' %search% ' or description like ' %search% ')"

    set info=conn.execute(sql)

     if info.eof then
      response.write "    <div class=""box2"">"&chr(13)
      response.write "      Sorry, no records matching your query"&chr(13)
      response.write "    </div>"&chr(13)
    else
      response.write "<div class=""list"">" &_
                     "<table>" &_
                     "<tr>" &_
                     "<th>Title</th><th>Post</th>" &_
                     "</tr>"
      do
        response.write "<tr>" &_
                       "<td>"&info(1)&"</td><td>"&info(2)&"</td>"&_
                       "</tr>"
        info.movenext
      loop until info.eof
      response.write "</table></div>"
    end if

  '------------------------------------------------------------------
  end if  ' stage
  '------------------------------------------------------------------

  response.write "<br clear=""left""><br>"
  if stage=2 then 
    response.write "<i>that's all folks!</i><br><br>"&_
                   "<a href=""search.asp"">Search again</a> | " 

  end if
  response.write "<a href=""./"">back to main page</a>"
  conn.close
%>
</div>
</body>
</html>

1 个答案:

答案 0 :(得分:2)

您的查询需要更改以将搜索变量括在sql字符串中(vs搜索短语“search”):

SQL = " select ID, projectName, Description from projectstable"&_ 
      " where (projectName like '%" & search & "%' or description like '%" & search & "%')"

据说,这很容易被sql注入。这种方法要小心。请考虑使用参数化查询。

相关问题
最新问题