Inserting into DB: Object required: String

Time: 2014-03-29 09:44:48

Tags: sql database ms-access asp-classic

I need to insert some data into the DB and there is a problem. It gives me an error:

Source:

SET sql ="Insert Into Products (ProductName,SupID,CatID,Price,Pic,Description) Values( '"&pName&"','"&pbId&"','"&pcId&"','"&price&"','"&pic&"','"&desc&"')" 

Description: Object required: '[string: "Insert Into Products"]'

I don't understand what it wants...

Here is my code:

dim sql
dim price
dim desc
dim pName
dim pcId
dim pbId
dim pic
set pic = Request.Form("picUpload")
set desc = Request.Form("tbDescProduct")
set price= Request.Form("tbPriceProduct")
set pcId =Request.Form("ddlCategoryForProd")
set pbId =Request.Form("ddlBrandForProd")
set pName=Request.Form("tbProductName")
IF((bName<>"")AND(desc<>"")AND(price<>"")AND(pcId<>"-1")AND(pbId<>"-1")AND (pic<>"")) THEN

set con = Server.CreateObject("ADODB.Connection")
con.open "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & Server.MapPath("WebData/DB.mdb") & ";"  
set rs = con.Execute("Select * FROM Products WHERE ProductName = '"&pName&"' and mode= true")
IF rs.EOF = true then           
  SET sql ="Insert Into Products (ProductName,SupID,CatID,Price,Pic,Description) Values( '"&pName&"','"&pbId&"','"&pcId&"','"&price&"','"&pic&"','"&desc&"')"
  SET rs =con.Execute(sql)
  response.write("<script language=""javascript"">alert('Product added succesfully!');</script>") 
ELSE
  response.write("<script language=""javascript"">alert('Product already exist!');</script>") 
END IF

'END IF

2 answers:

Answer 0 (score: 3)

In VBScript, VBA and VB5/6, SET requires an object reference to be assigned; to assign data of any other type (including strings), just drop it:

sql = "Insert Into Products (ProductName,SupID,CatID,Price,Pic,Description) Values( '"&pName&"','"&pbId&"','"&pcId&"','"&price&"','"&pic&"','"&desc&"')" 

(In VBA and VB5/6 you can also use LET here.)

The reason assigning the result of Request.Form("foo") with SET works is that the Form collection is a collection of objects; the subsequent tests against "" and "-1" only work because the returned object has a default parameterless property or method that returns a string-compatible variant.

Answer 1 (score: 1)

If I had to guess I'd say your problem is that you are passing the SupID and CatID fields as strings when they are probably integers. The problem with handling the INSERT this way is that you leave yourself open to SQL injection, and you run into data-type problems like the one you seem to be hitting here.

When interacting with a database you should try to use parameterised queries wherever possible. In Classic ASP the best object for doing this is ADODB.Command.

Here is an example using your code:


Note: If you have problems with the ADO named constants such as adParamInput, see the links section below for how to reference the ADO type library in your application using the METADATA tag in the global.asa file.

Dim cmd, sql, conn_string, rs, data

'Wouldn't recommend storing your database inside your website root, instead
'store it outside in another folder and set up a variable in an include file
'to store the location. That way it is not accessible to everyone.
conn_string = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & Server.MapPath("WebData/DB.mdb") & ";"

Set cmd = Server.CreateObject("ADODB.Command")

sql = "SELECT * FROM Products WHERE ProductName = ?"
With cmd
  .ActiveConnection = conn_string
  .CommandType = adCmdText
  .CommandText = sql
  Call .Parameters.Append(.CreateParameter("@ProductName", adVarWChar, adParamInput, 50))
  Set rs = .Execute(, Array(pName))
  If Not rs.EOF Then data = rs.GetRows()
  Call rs.Close()
  Set rs = Nothing
End With

If Not IsArray(data) Then 'no row with this ProductName was found, so it is safe to insert
  sql = ""
  sql = sql & "INSERT INTO Products (ProductName, SupID, CatID, Price, Pic, Description) " & vbCrLf
  sql = sql & "VALUES (?, ?, ?, ?, ?, ?)"

  Set cmd = Server.CreateObject("ADODB.Command")
  With cmd
    .ActiveConnection = conn_string
    .CommandType = adCmdText
    .CommandText = sql
    'Define Parameters
    'Making some assumptions about your data types, but you can modify these to fit
    'good guide for this is http://www.carlprothman.net/Technology/DataTypeMapping/tabid/97/Default.aspx
    Call .Parameters.Append(.CreateParameter("@ProductName", adVarWChar, adParamInput, 50))
    Call .Parameters.Append(.CreateParameter("@SupID", adInteger, adParamInput, 4))
    Call .Parameters.Append(.CreateParameter("@CatID", adInteger, adParamInput, 4))
    Call .Parameters.Append(.CreateParameter("@Price", adCurrency, adParamInput, 4))
    Call .Parameters.Append(.CreateParameter("@Pic", adVarWChar, adParamInput, 255))
    Call .Parameters.Append(.CreateParameter("@Description", adLongVarWChar, adParamInput, 1000))
    'Some of your variables may require conversion before setting the parameter values.
    .Parameters("@ProductName").Value = pName
    .Parameters("@SupID").Value = CLng(pbId)
    .Parameters("@CatID").Value = CLng(pcId)
    .Parameters("@Price").Value = price
    .Parameters("@Pic").Value = pic
    .Parameters("@Description").Value = desc

    'Execute Command
    .Execute()
  End With
  Set cmd = Nothing
  Call Response.write("<script language=""javascript"">alert('Product added succesfully!');</script>")
Else
  Call Response.Write("<script language=""javascript"">alert('Product already exist!');</script>") 
End If
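As an added example (not code from either answer), the same parameterised insert wrapped in a Sub, preceded by strict validation of the posted values so that a non-numeric SupID, CatID or Price is rejected before CLng/CCur can raise a "Type mismatch". It assumes the conn_string and form field names from the code above; the ADO constants are written as their literal values so it does not depend on the METADATA typelib reference.

```vbscript
' Added example, not code from either answer. Validates the posted values before
' they are bound, so bad input is rejected instead of failing inside CLng, and no
' user input is ever concatenated into the SQL text. ADO constants as literals.
Const ADO_CMD_TEXT = 1, ADO_PARAM_INPUT = 1, ADO_EXEC_NO_RECORDS = 128
Const ADO_INTEGER = 3, ADO_CURRENCY = 6, ADO_VAR_WCHAR = 202, ADO_LONG_VAR_WCHAR = 203

' True only for a plain decimal integer such as "12". IsNumeric is too loose:
' it also accepts "1e3", "$5" or "1,000", which CLng then rejects or misreads.
Function IsPlainInteger(s)
  Dim re: Set re = New RegExp
  re.Pattern = "^\d{1,9}$"
  IsPlainInteger = re.Test(s)
End Function
' True for an amount with at most two decimals, e.g. "19.99" or "5".
Function IsPlainAmount(s)
  Dim re: Set re = New RegExp
  re.Pattern = "^\d{1,9}(\.\d{1,2})?$"
  IsPlainAmount = re.Test(s)
End Function

' Inserts one row through a parameterised ADODB.Command; the caller has already
' checked (with a parameterised SELECT, as in the answer) that the name is unused.
Sub InsertProduct(connString, pName, supId, catId, price, pic, desc)
  Dim cmd: Set cmd = Server.CreateObject("ADODB.Command")
  With cmd
    .ActiveConnection = connString
    .CommandType = ADO_CMD_TEXT
    .CommandText = "INSERT INTO Products (ProductName, SupID, CatID, Price, Pic, Description) " & _
                   "VALUES (?, ?, ?, ?, ?, ?)"
    .Parameters.Append .CreateParameter("@ProductName", ADO_VAR_WCHAR, ADO_PARAM_INPUT, 50, pName)
    .Parameters.Append .CreateParameter("@SupID", ADO_INTEGER, ADO_PARAM_INPUT, 4, CLng(supId))
    .Parameters.Append .CreateParameter("@CatID", ADO_INTEGER, ADO_PARAM_INPUT, 4, CLng(catId))
    .Parameters.Append .CreateParameter("@Price", ADO_CURRENCY, ADO_PARAM_INPUT, 8, CCur(price))
    .Parameters.Append .CreateParameter("@Pic", ADO_VAR_WCHAR, ADO_PARAM_INPUT, 255, pic)
    .Parameters.Append .CreateParameter("@Description", ADO_LONG_VAR_WCHAR, ADO_PARAM_INPUT, 1000, desc)
    .Execute , , ADO_EXEC_NO_RECORDS   ' an INSERT returns no rows, so skip the Recordset
  End With
  Set cmd = Nothing
End Sub

' Plain assignments (no SET): the Request.Form values are used as strings here.
Dim pbId: pbId = Request.Form("ddlBrandForProd")
Dim pcId: pcId = Request.Form("ddlCategoryForProd")
Dim price: price = Request.Form("tbPriceProduct")
If IsPlainInteger(pbId) And IsPlainInteger(pcId) And IsPlainAmount(price) Then
  Call InsertProduct(conn_string, Request.Form("tbProductName"), pbId, pcId, price, _
                     Request.Form("picUpload"), Request.Form("tbDescProduct"))
Else
  Response.Write "Supplier, category or price is not valid."
End If
```

CCur follows the server locale's decimal separator, so on a non-English locale adjust the amount pattern and conversion together.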

Links