将SQL变量传递给ASP

Question

这里只是一个语法问题。我到目前为止使用SQL和ASP并拥有此代码：

set rs=Server.CreateObject("ADODB.recordset")
rs.Open "Select * from Questions", conn

sql="INSERT INTO Questions(QuestionText, QuestionType)"
sql=sql & " VALUES "
sql=sql & "('" & qtext & "',"
sql=sql & "'" & "checkbox" & "');" 
sql=sql & "DECLARE @testID int;"
sql=sql & "SET @testID = @@identity;"

on error resume next
conn.Execute sql,recaffected
if err<>0 then
    Response.Write("An Error Has Occured")
else

end if

如何将SQL变量@testID传递给ASP，以便可以在response.write

中编写

示例：

Dim, ASPID
ASPID = @testID
Response.write(ASPID)

（显然这是错的） 谁能告诉我怎么做？ 对不起，如果这对某些人来说太简单了：P

Answer 1

试试这个;

' What is this for?
'set rs=Server.CreateObject("ADODB.recordset")
'rs.Open "Select * from Questions", conn

Dim cmd, rs, sql, new_id, yourconnstring

sql = ""
sql = sql & "INSERT INTO Questions(QuestionText, QuestionType) VALUES (?, ?);" & vbCrLf
sql = sql & "SELECT SCOPE_IDENTITY();"

Set cmd = Server.CreateObject("ADODB.Command")
With cmd
  .ActiveConnection = yourconnstring 'No need for separate connection object
  .CommandType = adCmdText
  .CommandText = sql
  .Parameters.Append(.CreateParameter("@questiontext", adVarWChar, adParamInput, 255)
  .Parameters.Append(.CreateParameter("@questiontype", adVarWChar, adParamInput, 255)
  Set rs = .Execute(, Array(qtext, "checkbox"))
  If Not rs.EOF Then new_id = rs(0)
  Call rs.Close()
  Set rs = Nothing
End With
Set cmd = Nothing

If Len(new_id) < 1 Then
  Call Response.Write("An Error Has Occured")
Else
  Call Response.Write("ID is " & new_id)
End If

未经测试，但这是我倾向于这样做而不必担心处理撇号和恶意代码。

Answer 2

不使用命令对象的替代方法

Set rs=Server.CreateObject("ADODB.recordset")
rs.Open "Select * from Questions", conn
...
rs.Close
sql="INSERT INTO Questions(QuestionText, QuestionType)" & _
    " VALUES " & _
    "('" & qtext & "'," & _
    "'" & "checkbox" & "');" & _
    "SELECT SCOPE_IDENTITY() AS testid;"

On Error Resume Next
rs.Open sql, conn
recaffected = rs("testid")
rs.Close : Set rs = Nothing
If err.Number <> 0 Then
   Response.Write("An Error Has Occured")
Else
End If
On Error Goto 0

您没有通过“qtext”从用户输入传递未经检查的内容是明确的 只是一个

Replace(qtext,"'","''") 

可能还不够。 Cleaner将使用这样的函数：

Function SQLScrub(ByVal val)
   dim HostileAttemptString(5)
       HostileAttemptString(0) = "EXEC(@"
       HostileAttemptString(1) = "exec(@" 
       HostileAttemptString(2) = "and%201=" 
       HostileAttemptString(3) = "and%20char(" 
       HostileAttemptString(4) = "exec%28@" 
       HostileAttemptString(5) = "EXEC%28@"

   dim str,rtnVal
   rtnVal = val
   rtnVal = Replace(val,"'","''")

   For Each str in HostileAttemptString
    rtnVal = Replace(rtnVal,str,"")
   Next

   SQLScrub = rtnVal 
end function

语法：

qtext = SQLScrub(original_userinput)