I'm working on classic ASP pages and I get an error when executing a SQL command; it's a syntax error. I have no knowledge of classic ASP, so I'm asking for someone to fix it..
Here is my code
exe = "INSERT INTO Item_table(Supplier_Profile_id,ImageType1,ImageType2,
Date_Made_Available,Date_last_edited,Approval_date,Approval_code,Item_number,On_hold,Duplicated_image,Order_ability,OmitFromSearch,View_order,PreviewAD,Item_type,Item_title,Item_dimensions,Item_price,Item_Price_Range,Search_Price_Point,Item_description,Date_image_uploaded,New_work_date,Product_code_General,Product_Code_Specific,Product_key_words,Product_media_code,MediaSpecificID,Product_style_code,Product_theme_code,Photo_credit,RootImage,ViewSearch,ViewSearch2,Best_Seller,MediaType,SortNum,BuyerHit,VisitorHit) VALUES("
exe = exe & "" & safeNumber(ThisSupplier_Profile_id) & ","
exe = exe & "'" & Session("ImageType1") & "',"
exe = exe & "'" & Session("ImageType2") & "',"
exe = exe & "'" & now()& "',"
exe = exe & "'" & now()& "',"
exe = exe & "NULL,'N',"
exe = exe & "'" & HandleDoubleQuotes(safeEntry(Request("Item_number"))) & "',"
exe = exe & "'" & Request("On_hold") & "'," '--- On_hold
exe = exe & "'',"
exe = exe & "'" & Request("Order_ability") & "',"
exe = exe & "'',"
exe = exe & "'" & safeNumber(Request("View_order")) & "',"
exe = exe & "'',"
exe = exe & "'" & safeNumber(Request("Item_type")) & "',"
exe = exe & "'" & HandleDoubleQuotes(safeEntry(Request("Item_title"))) & "',"
exe = exe & "'" & HandleDoubleQuotes(safeEntry(Request("Item_dimensions"))) & "',"
exe = exe & "'',"
exe = exe & "'',"
exe = exe & "'" & safeNumber(Request("Search_Price_Point")) & "',"
exe = exe & "'" & HandleDoubleQuotes(safeEntry(Request("Item_description"))) & "',"
exe = exe & "'" & now() & "',"
exe = exe & "" & Session("insertNew_work_date") & ","
exe = exe & "'" & safeNumber(Product_code_General) & "',"
exe = exe & "'" & safeNumber(Product_Code_Specific) & "',"
exe = exe & "'" & HandleDoubleQuotes(safeEntry(Product_key_words)) & "',"
exe = exe & "'" & MediaTypeID & "'," '--- Product_media_code
exe = exe & "'" & MediaSpecificID & "',"
exe = exe & "'" & safeNumber(Request("Product_style_code")) & "',"
exe = exe & "'" & safeNumber(Request("Product_theme_code")) & "',"
exe = exe & "'" & HandleDoubleQuotes(safeEntry(Request("Photo_credit"))) & "',"
exe = exe & "''," '--- RootImage
exe = exe & "'" & safeEntry(Request("ViewSearch1")) & "',"
exe = exe & "'" & safeEntry(Request("ViewSearch2")) & "',"
exe = exe & "'" & safeEntry(Request("Best_Seller")) & "',"
exe = exe & "'" & safeEntry(Request("Media")) & "',"
exe = exe & "0,"
exe = exe & "0," '--- BuyerHit
exe = exe & "0); select @@identity" '--- VisitorHit
Set RS1 = Conn.Execute(exe).nextrecordset
Error: Incorrect syntax near ','.
Answer 0 (score: 0)
First, if you intend to take stackoverflow.com seriously, I suggest you read the stackoverflow tour.
Then, as for your question: the error should come from SQL Server, not from ASP. Your code only collects all the variables, appends them to the string "exe" and sends that string to SQL Server. So there are two places where it could go wrong:
1) exe = exe & "'',"
It passes '' (two single quotes) to SQL Server.
2) Your method: HandleDoubleQuotes()
Check this method: does it return a string containing blacklisted characters?
Finally, I suggest you use Parameters to pass in the data. It should be safer against injection and takes care of all the syntax errors.
Edit: point 1 is valid, corrected by Paul.
Answer 1 (score: 0)
While not a complete answer, there is a lot you can do.
First, if you don't follow Juergen's advice and put the code into something like a stored procedure, you can still greatly simplify the code in several ways.
First, try using VBScript's line continuation character instead of concatenation after concatenation. Also, break up your lines so that the statement is actually legible, like this:
exe = "INSERT INTO Item_table(Supplier_Profile_id,ImageType1,ImageType2," & _
"Date_Made_Available,Date_last_edited,Approval_date,Approval_code,Item_number," & _
"On_hold,Duplicated_image,Order_ability,OmitFromSearch,View_order," & _
"PreviewAD,Item_type,Item_title,Item_dimensions,Item_price," & _
"Item_Price_Range,Search_Price_Point, Item_description,Date_image_uploaded," & _
"New_work_date,Product_code_General, Product_Code_Specific,Product_key_words," & _
"Product_media_code,MediaSpecificID, Product_style_code,Product_theme_code," & _
"Photo_credit,RootImage,ViewSearch, ViewSearch2,Best_Seller,MediaType,SortNum," & _
"BuyerHit,VisitorHit) VALUES(" & _
safeNumber(ThisSupplier_Profile_id) & "," & _
"'" & Session("ImageType1") & "'," & _
"'" & Session("ImageType2") & "'," & _
"'" & now()& "'," & _
"'" & now()& "'," & _
"NULL,'N'," & _
"'" & HandleDoubleQuotes(safeEntry(Request("Item_number"))) & "'," & _
"'" & Request("On_hold") & "'," & _
"''," & _
"'" & Request("Order_ability") & "'," & _
"''," & _
"'" & safeNumber(Request("View_order")) & "'," & _
"''," & _
"'" & safeNumber(Request("Item_type")) & "'," & _
"'" & HandleDoubleQuotes(safeEntry(Request("Item_title"))) & "'," & _
"'" & HandleDoubleQuotes(safeEntry(Request("Item_dimensions"))) & "'," & _
"''," & _
"''," & _
"'" & safeNumber(Request("Search_Price_Point")) & "'," & _
"'" & HandleDoubleQuotes(safeEntry(Request("Item_description"))) & "'," & _
"'" & now() & "'," & _
Session("insertNew_work_date") & "," & _
"'" & safeNumber(Product_code_General) & "'," & _
"'" & safeNumber(Product_Code_Specific) & "'," & _
"'" & HandleDoubleQuotes(safeEntry(Product_key_words)) & "'," & _
"'" & MediaTypeID & "'," & _
"'" & MediaSpecificID & "'," & _
"'" & safeNumber(Request("Product_style_code")) & "'," & _
"'" & safeNumber(Request("Product_theme_code")) & "'," & _
"'" & HandleDoubleQuotes(safeEntry(Request("Photo_credit"))) & "'," & _
"''," & _
"'" & safeEntry(Request("ViewSearch1")) & "'," & _
"'" & safeEntry(Request("ViewSearch2")) & "'," & _
"'" & safeEntry(Request("Best_Seller")) & "'," & _
"'" & safeEntry(Request("Media")) & "'," & _
"0," & _
"0," & _
"0); SELECT @@identity"
Second, it is better to use parameters in classic ASP (in any programming language, really).
Third, based on what you pasted in your post above, I suspect your "INSERT INTO Item_table(Supplier_Profile_id, ... line contains a line break, just before Date_Made_Available, .... That would explain the blank line in the post above.
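Both answers recommend passing the values as parameters rather than concatenating them into the SQL text. The following is an added example (not the asker's code, and not code from either answer) of the same INSERT written with an ADODB.Command and parameter placeholders in classic ASP. It assumes Conn is an open ADODB.Connection to SQL Server, uses the column names from the question for a subset of the columns (the remaining columns follow the same pattern), and the column sizes given to CreateParameter are assumptions that should match the real table definition. The function name InsertItem and the variable names are hypothetical.

```vbscript
<%
' Added example: parameterised INSERT with ADODB.Command instead of string building.
' Assumes Conn is an open ADODB.Connection; column sizes below are assumptions.

' ADO constants (the values from adovbs.inc), so no include file is needed
Const adCmdText    = 1
Const adParamInput = 1
Const adInteger    = 3
Const adDate       = 7
Const adVarChar    = 200

' Runs the INSERT with bound parameters and returns the new identity value.
Function InsertItem(Conn, supplierId, imageType1, itemNumber, itemTitle, itemDescription, viewOrder)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandType = adCmdText

    ' Line continuation keeps the statement readable; each ? is a placeholder.
    ' SET NOCOUNT ON stops the INSERT's row count from arriving as a first,
    ' empty recordset, so no NextRecordset call is needed.
    ' SCOPE_IDENTITY() is preferred over @@identity because it ignores
    ' identities generated by triggers on other tables.
    cmd.CommandText = "SET NOCOUNT ON; " & _
        "INSERT INTO Item_table (Supplier_Profile_id, ImageType1, Date_Made_Available, " & _
        "  Item_number, Item_title, Item_description, View_order, SortNum, BuyerHit, VisitorHit) " & _
        "VALUES (?, ?, ?, ?, ?, ?, ?, 0, 0, 0); " & _
        "SELECT SCOPE_IDENTITY() AS NewId;"

    ' One parameter per placeholder, in the same order as the ? marks.
    ' The driver sends each value typed and separately from the SQL text, so the
    ' quoting and escaping that HandleDoubleQuotes/safeEntry tried to do by hand
    ' is no longer required, and a quote inside a title cannot break the statement.
    cmd.Parameters.Append cmd.CreateParameter("@Supplier_Profile_id", adInteger, adParamInput, , CLng(supplierId))
    cmd.Parameters.Append cmd.CreateParameter("@ImageType1", adVarChar, adParamInput, 50, imageType1)
    cmd.Parameters.Append cmd.CreateParameter("@Date_Made_Available", adDate, adParamInput, , Now())
    cmd.Parameters.Append cmd.CreateParameter("@Item_number", adVarChar, adParamInput, 50, itemNumber)
    cmd.Parameters.Append cmd.CreateParameter("@Item_title", adVarChar, adParamInput, 255, itemTitle)
    cmd.Parameters.Append cmd.CreateParameter("@Item_description", adVarChar, adParamInput, 4000, itemDescription)
    cmd.Parameters.Append cmd.CreateParameter("@View_order", adInteger, adParamInput, , CLng(viewOrder))

    Set rs = cmd.Execute
    InsertItem = rs("NewId")
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

' Usage: the values come straight from Request/Session. CLng() on the numeric
' inputs raises a type-mismatch error in ASP rather than letting non-numeric
' text reach SQL Server, which replaces the safeNumber() step of the original.
Dim newId
newId = InsertItem(Conn, ThisSupplier_Profile_id, Session("ImageType1"), _
                   Request("Item_number"), Request("Item_title"), _
                   Request("Item_description"), Request("View_order"))
Response.Write "Inserted item id " & newId
%>
```

Because the statement text is now a fixed string and every value travels as a typed parameter, the "Incorrect syntax near ','" class of error can only come from the SQL text itself, which makes it far easier to spot than a stray quote or line break hidden inside forty concatenations.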