ASP中的语句错误结束

Question

将数据插入数据库时​​，会发生以下错误

  

＆＃34;声明的结尾＃34;

 sqlstr = "INSERT INTO tblContact (Email,FirstName,LastName,Comments) VALUES ('" & Email & "', '" & First Name & "','" & Last Name & "','" & Comments & "')"
 objConn.Execute sqlstr

Answer 1

尝试为您的名字和姓氏变量使用单字标识符：

sqlstr = "INSERT INTO tblContact (Email,FirstName,LastName,Comments) " & _
         " VALUES ('" & Email & "', '" & FirstName & "','" & LastName & "','" & Comments & "')"
 objConn.Execute sqlstr

假设您的VBScript中有这些名称的变量，这将解决您Expected end of statement的当前问题。

您的第二个问题是代码的SQL注入漏洞。

要帮助解决该问题，请参阅：

• Classic ASP SQL Injection Protection
• http://www.stardeveloper.com/articles/display.html?article=2008112501&page=1

Answer 2

您可能在其中一个值中包含单引号，从而导致SQL无效。您必须转义单引号，但更好地重写代码以使用参数。

sqlstr = "INSERT INTO tblContact (Email, FirstName, LastName, Comments) " & _
     " VALUES ('" & Replace(Email, "'", "''") & "', '" & Replace(FirstName, "'", "''") & "', '" & Replace(LastName, "'", "''") & "', '" & Replace(Comments, "'", "''") & "')"
objConn.Execute sqlstr