有人可以将此作为一个查询吗?

时间:2022-04-20 01:30:02

So I was just searching how to do an "INSERT INTO" query and found this:

所以我只是在搜索如何进行“INSERT INTO”查询并发现:

    sql="INSERT INTO Customers (ID,firstName,"
    sql=sql & "lastName)"
    sql=sql & " VALUES "
    sql=sql & "('" & Request.Form("id") & "',"
    sql=sql & "'" & Request.Form("firstname") & "',"
    sql=sql & "'" & Request.Form("lastname") & "')"

I know it works but I want to make it a single query without all the sql=sql's

我知道它的工作原理,但我想让它成为一个没有所有sql = sql的查询

2 个解决方案

#1


2  

You took the route of a quick hack as stated in your comments by doing rhis:

你按照你的评论中的说法采取了快速破解的路线:

sql="INSERT INTO Customers (ID,firstName,lastName) VALUES ('" & Request.Form("id") & "','" & Request.Form("fistname") & "','" & Request.Form("lastname") & "')" 

Let me persist in stating that to prevent several issues (sql injection being one of them) you could leverage the use of paramterized queries.
I assume you have an ADO command somewhere after your sql statement. It is much safer if you use command parameters to send parameters from the website to the query.

让我坚持说要防止出现几个问题(sql注入就是其中之一),你可以利用参数化查询。我假设你的sql语句之后某处有一个ADO命令。如果使用命令参数将参数从网站发送到查询,则会更安全。

command.CommandText = "INSERT INTO Customers (ID,firstName,lastName) VALUES (?,?,?)"

Set param = command.CreateParameter ("id", adInteger, adParamInput)
param.value = Request.Form("id") 
command.Parameters.Append param 

Set param2 = command.CreateParameter ("firstname", adVarWChar, adParamInput, 50)
param2.value = Request.Form("firstname") 
command.Parameters.Append param2 

Set param3 = command.CreateParameter ("lastname", adVarWChar, adParamInput, 50)
param3.value = Request.Form("lastname") 
command.Parameters.Append param3 

command.Execute

Have a look at Command Object Parameters for more background.

有关更多背景信息,请查看命令对象参数。

#2


-5  

You can do like this:

你可以这样做:

string sql = string.Format("INSERT INTO Customers(Id,FirstName,LastName) VALUES({0},'{1}','{2}')", param0, param1, param2);

string sql = string.Format(“INSERT INTO Customers(Id,FirstName,LastName)VALUES({0},'{1}','{2}')”,param0,param1,param2);

It Works! But be careful this way have SQL Injection issues.

有用!但是请注意这种方式有SQL注入问题。

#1


2  

You took the route of a quick hack as stated in your comments by doing rhis:

你按照你的评论中的说法采取了快速破解的路线:

sql="INSERT INTO Customers (ID,firstName,lastName) VALUES ('" & Request.Form("id") & "','" & Request.Form("fistname") & "','" & Request.Form("lastname") & "')" 

Let me persist in stating that to prevent several issues (sql injection being one of them) you could leverage the use of paramterized queries.
I assume you have an ADO command somewhere after your sql statement. It is much safer if you use command parameters to send parameters from the website to the query.

让我坚持说要防止出现几个问题(sql注入就是其中之一),你可以利用参数化查询。我假设你的sql语句之后某处有一个ADO命令。如果使用命令参数将参数从网站发送到查询,则会更安全。

command.CommandText = "INSERT INTO Customers (ID,firstName,lastName) VALUES (?,?,?)"

Set param = command.CreateParameter ("id", adInteger, adParamInput)
param.value = Request.Form("id") 
command.Parameters.Append param 

Set param2 = command.CreateParameter ("firstname", adVarWChar, adParamInput, 50)
param2.value = Request.Form("firstname") 
command.Parameters.Append param2 

Set param3 = command.CreateParameter ("lastname", adVarWChar, adParamInput, 50)
param3.value = Request.Form("lastname") 
command.Parameters.Append param3 

command.Execute

Have a look at Command Object Parameters for more background.

有关更多背景信息,请查看命令对象参数。

#2


-5  

You can do like this:

你可以这样做:

string sql = string.Format("INSERT INTO Customers(Id,FirstName,LastName) VALUES({0},'{1}','{2}')", param0, param1, param2);

string sql = string.Format(“INSERT INTO Customers(Id,FirstName,LastName)VALUES({0},'{1}','{2}')”,param0,param1,param2);

It Works! But be careful this way have SQL Injection issues.

有用!但是请注意这种方式有SQL注入问题。