这里只是一个语法问题。我到目前为止使用SQL和ASP并拥有此代码:
set rs=Server.CreateObject("ADODB.recordset")
rs.Open "Select * from Questions", conn
sql="INSERT INTO Questions(QuestionText, QuestionType)"
sql=sql & " VALUES "
sql=sql & "('" & qtext & "',"
sql=sql & "'" & "checkbox" & "');"
sql=sql & "DECLARE @testID int;"
sql=sql & "SET @testID = @@identity;"
on error resume next
conn.Execute sql,recaffected
if err<>0 then
Response.Write("An Error Has Occured")
else
end if
如何将SQL变量@testID
传递给ASP,以便可以在response.write
示例:
Dim, ASPID
ASPID = @testID
Response.write(ASPID)
(显然这是错的) 谁能告诉我怎么做? 对不起,如果这对某些人来说太简单了:P
答案 0 :(得分:2)
试试这个;
' What is this for?
'set rs=Server.CreateObject("ADODB.recordset")
'rs.Open "Select * from Questions", conn
Dim cmd, rs, sql, new_id, yourconnstring
sql = ""
sql = sql & "INSERT INTO Questions(QuestionText, QuestionType) VALUES (?, ?);" & vbCrLf
sql = sql & "SELECT SCOPE_IDENTITY();"
Set cmd = Server.CreateObject("ADODB.Command")
With cmd
.ActiveConnection = yourconnstring 'No need for separate connection object
.CommandType = adCmdText
.CommandText = sql
.Parameters.Append(.CreateParameter("@questiontext", adVarWChar, adParamInput, 255)
.Parameters.Append(.CreateParameter("@questiontype", adVarWChar, adParamInput, 255)
Set rs = .Execute(, Array(qtext, "checkbox"))
If Not rs.EOF Then new_id = rs(0)
Call rs.Close()
Set rs = Nothing
End With
Set cmd = Nothing
If Len(new_id) < 1 Then
Call Response.Write("An Error Has Occured")
Else
Call Response.Write("ID is " & new_id)
End If
未经测试,但这是我倾向于这样做而不必担心处理撇号和恶意代码。
答案 1 :(得分:-1)
不使用命令对象的替代方法
Set rs=Server.CreateObject("ADODB.recordset")
rs.Open "Select * from Questions", conn
...
rs.Close
sql="INSERT INTO Questions(QuestionText, QuestionType)" & _
" VALUES " & _
"('" & qtext & "'," & _
"'" & "checkbox" & "');" & _
"SELECT SCOPE_IDENTITY() AS testid;"
On Error Resume Next
rs.Open sql, conn
recaffected = rs("testid")
rs.Close : Set rs = Nothing
If err.Number <> 0 Then
Response.Write("An Error Has Occured")
Else
End If
On Error Goto 0
您没有通过“qtext”从用户输入传递未经检查的内容是明确的 只是一个
Replace(qtext,"'","''")
可能还不够。 Cleaner将使用这样的函数:
Function SQLScrub(ByVal val)
dim HostileAttemptString(5)
HostileAttemptString(0) = "EXEC(@"
HostileAttemptString(1) = "exec(@"
HostileAttemptString(2) = "and%201="
HostileAttemptString(3) = "and%20char("
HostileAttemptString(4) = "exec%28@"
HostileAttemptString(5) = "EXEC%28@"
dim str,rtnVal
rtnVal = val
rtnVal = Replace(val,"'","''")
For Each str in HostileAttemptString
rtnVal = Replace(rtnVal,str,"")
Next
SQLScrub = rtnVal
end function
语法:
qtext = SQLScrub(original_userinput)