SQL使用撇号插入数据库

时间:2014-02-26 03:32:03

标签: sql asp-classic

我在经典ASP上运行程序并使用以下内容插入数据库:

CreateJob.CommandText = "INSERT INTO dbo.Jobs (JobID, CompanyName, DateReceived, DateOfDocument, ClientReference, Subject, TypeOfService,DueDate,AssignedAgent, ClientName, Plaintiff, Defendant1, Defendant2, Defendant3, CourtJurisdiction, Court, Subtype, CourtNumber, Amount, ServiceMethod, JobNotes, JobStatus, CreatedBy, CreatedDate)  VALUES (" & Request.Form("jobid") & ", '""" & Request.Form("compname") & """', '" & Request.Form("datereceived") & "','" & Request.Form("dateofdoc") & "', '" & Request.Form("clientref") & "', '" & Request.Form("subjects") & "', '" & Request.Form("TypeOfService") & "', '" & Request.Form("duedate") & "', '" & Request.Form("AssignedAgent") & "', '" & Request.Form("ClientName") & "', '" & Request.Form("Plaintiff") & "', '" & Request.Form("Defendant1") & "', '" & Request.Form("Defendant2") & "', '" & Request.Form("Defendant3") & "', '" & Request.Form("CourtJurisdiction") & "', '""" &  Request.Form("Court") & """', '" & Request.Form("SubType") & "', '" & Request.Form("CourtNumber") & "', '" & Request.Form("Amount") & "','" & Request.Form("ServiceMethod") & "','" & Request.Form("JobNotes") & "', 'OPEN', '" & Session("LoggedName") & "', CURRENT_TIMESTAMP ) "

但是,如果其中一个值有撇号,程序崩溃,我不知道如何逃避它。

由于

1 个答案:

答案 0 :(得分:3)

替换不是这里的方法,您已经在使用ADODB.Command对象,所以为什么不使用parameterised query

试试这个;

由于您没有提供有关您的字段类型的信息,因此我只能进行推测,而是添加了[datatype][size]占位符,以便替换为ADO data type constants。本文中关于T-SQL中数据类型如何映射到的良好资源 - Data Type Mapping 

sql = ""
sql = sql & "INSERT INTO dbo.Jobs (" & vbCrLf
sql = sql & "JobID, CompanyName, DateReceived, DateOfDocument, ClientReference" & vbCrLf
sql = sql & ", Subject, TypeOfService,DueDate,AssignedAgent, ClientName, Plaintiff" & vbCrLf
sql = sql & ", Defendant1, Defendant2, Defendant3, CourtJurisdiction, Court" & vbCrLf
sql = sql & ", Subtype, CourtNumber, Amount, ServiceMethod, JobNotes, JobStatus" & vbCrLf
sql = sql & ", CreatedBy, CreatedDate" & vbCrLf
sql = sql & ") VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);"

With CreateJob
    .ActiveConnection = "yourconnectionstring"
    .CommandType = adCmdText
    .CommandText = sql
    'Add your parameters (all 24 of them in order)
    'Assumed JobID is int which equates to adInteger ADO data type constant.
    .Parameters.Append(.CreateParameter("@JobID", adInteger, adParamInput, 4))
    .Parameters.Append(.CreateParameter("@CompanyName", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@DateReceived", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@DateOfDocument", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@ClientReference", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@Subject", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@TypeOfService", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@DueDate", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@AssignedAgent", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@ClientName", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@Plaintiff", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@Defendant1", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@Defendant2", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@Defendant3", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@CourtJurisdiction", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@Court", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@Subtype", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@CourtNumber", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@Amount", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@ServiceMethod", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@JobNotes", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@JobStatus", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@CreatedBy", [datatype], adParamInput, [size]))
    .Parameters.Append(.CreateParameter("@CreatedDate", [datatype], adParamInput, [size]))

    'Specify your parameter values may need some conversion based on what you are passing.
    .Parameters("@JobId").Value = Request.QueryString("jobid")
    'Add the other 23 parameters as the above line.
    '...

    'Doing an INSERT no need to return recordset
    Call .Execute(adExecuteNoRecords)
End With
Set CreateJob = Nothing
相关问题
最新问题