I am trying to get an autocomplete textbox working with classic ASP. The jQuery below is the code I currently have, but nothing appears in the search box.
Database name = test
Database user login = sql
Password = Password
Table name = product
Columns are: ProductId, Name, ItemNumber
I am trying to let users search by product name. Am I also at risk of SQL injection with the following code? Thanks in advance!
search.asp:
<html>
<head>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.js"></script>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.8.16/jquery-ui.js"></script>
<link rel="stylesheet" type="text/css" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.16/themes/base/jquery-ui.css"/>
<!-- SCRIPT FOR AUTOCOMPLETE SEARCH BOX //-->
<script type="text/javascript" language="javascript">
<!--
$(function() {
    // jQuery UI sends GET source.asp?term=<typed text> once two characters have been typed
    $( "#productname" ).autocomplete({
        source: "source.asp",
        minLength: 2
    });
});
// -->
</script>
</head>
<body>
<p> </p>
<div>
<input type="text" id="productname">
</div>
<p> </p>
</body>
</html>
My source page is:
<%
Dim keywords
Dim keywords_cmd
Dim output
Set keywords_cmd = Server.CreateObject("ADODB.Command")
keywords_cmd.ActiveConnection = "Provider=SQLNCLI10;Server=LOCALHOST\SQL; Database=test;Uid=sql; Pwd=Password;"
' The term from the query string is concatenated straight into the SQL text (the injection point discussed in the answers)
keywords_cmd.CommandText = "SELECT ProductId, Name FROM product where Name like '%" & Request.QueryString("term") & "%'"
keywords_cmd.Prepared = True
Set keywords = keywords_cmd.Execute
output = "["
While (NOT keywords.EOF)
    output = output & "{""ProductId"":""" & keywords.Fields.Item("ProductId") & """,""value"":""" & keywords.Fields.Item("Name") & """},"
    keywords.MoveNext()
Wend
keywords.Close()
Set keywords = Nothing
' Drop the trailing comma; guard so an empty result set does not strip the opening bracket
If Len(output) > 1 Then output = Left(output, Len(output) - 1)
output = output & "]"
Response.Write output
%>
Answer 0 (score: 1)
First, "yes". This code is open to SQL injection. That is because you put the QueryString parameter directly into the SQL query:
"SELECT ProductId, Name FROM product where Name like '%" & Request.QueryString("term") & "%'"
What you should do is use parameters.
Also, I think jQuery UI autocomplete needs a label attribute. And your script does not automatically return the content type application/json.
Here is what I did:
<%
' ADO constants normally supplied by adovbs.inc; declared here so the page runs without that include
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Response.CodePage = 65001
Response.CharSet = "UTF-8"
Response.ContentType = "application/json"

Dim keywords, keywords_cmd, output, firstItem
Set keywords_cmd = Server.CreateObject("ADODB.Command")
With keywords_cmd
    .CommandType = adCmdText
    .ActiveConnection = "Provider=SQLNCLI10;Server=LOCALHOST\SQL; Database=test;Uid=sql; Pwd=Password;"
    ' The search term is bound as a parameter, so it is never part of the SQL text
    .CommandText = "SELECT ProductId, Name FROM product where Name like ?"
    .Parameters.Append .CreateParameter("@term", adVarChar, adParamInput, 200, "%" & Request.QueryString("term") & "%")
    Set keywords = .Execute
End With

output = "["
firstItem = True
While (NOT keywords.EOF)
    If Not firstItem Then output = output & ","
    ' Note: field values are not JSON-escaped here; a double quote inside Name would break the output
    output = output & _
        "{""ProductId"":""" & keywords.Fields.Item("ProductId") & """," & _
        """value"":""" & keywords.Fields.Item("ProductId") & """," & _
        """label"":""" & keywords.Fields.Item("Name") & """}"
    keywords.MoveNext()
    firstItem = False
Wend
output = output & "]"
keywords.Close()
Set keywords = Nothing
Response.Write output
%>
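The difference between the question's concatenated query and the answer's bound parameter, as an added example that is not part of either post: it is written in Python over an in-memory SQLite table with constructed sample rows (the behaviour carries over to SQL Server), and it also covers two points the answer leaves implicit, that '%' and '_' in the term still act as LIKE wildcards even when bound unless escaped, and that the response JSON should be serialized rather than hand-concatenated.

```python
import json
import sqlite3

# Constructed stand-in for the page's "product" table (ProductId, Name, ItemNumber).
SAMPLE_PRODUCTS = [
    (1, "Widget 100%", "A-1"),
    (2, "O'Brien Wrench", "A-2"),
    (3, "Widget Plus", "A-3"),
    (4, "Gadget", "A-4"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (ProductId INTEGER, Name TEXT, ItemNumber TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def search_concatenated(conn, term):
    """Same construction as the question's source.asp: the term is spliced into the SQL text.
    Returns matching names, or an error string when the spliced text breaks the statement
    (an ordinary apostrophe in a product name is enough to do that)."""
    sql = "SELECT ProductId, Name FROM product WHERE Name LIKE '%" + term + "%'"
    try:
        return [name for _, name in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "error: " + str(exc)


def escape_like(term, esc="\\"):
    """A bound parameter keeps the term out of the SQL grammar, but LIKE still treats
    '%' and '_' inside the value as wildcards; escape them so the text matches literally."""
    return term.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_parameterized(conn, term):
    """The answer's approach: the whole pattern '%term%' travels as one bound parameter."""
    sql = "SELECT ProductId, Name FROM product WHERE Name LIKE ? ESCAPE '\\'"
    return [name for _, name in conn.execute(sql, ("%" + escape_like(term) + "%",))]


def autocomplete_json(conn, term):
    """Rows shaped as jQuery UI autocomplete expects (label/value); json.dumps does the
    quoting that the hand-built string in the ASP code leaves to chance."""
    sql = "SELECT ProductId, Name FROM product WHERE Name LIKE ? ESCAPE '\\'"
    rows = conn.execute(sql, ("%" + escape_like(term) + "%",))
    return json.dumps([{"ProductId": pid, "label": name, "value": pid} for pid, name in rows])
```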
Answer 1 (score: 0)
I ran into the same problem and fixed it by adding the Response.ContentType line as shown below.
... output = output & "]"
Response.ContentType = "application/json"
response.write output