ASP Classic VBscript参数化SQL查询?

时间:2020-12-16 01:35:49

First post but thank you for all the help I've gotten from this site so far.

第一篇文章,但感谢您迄今为止从本网站获得的所有帮助。

I'm trying to parameterize an SQL query:

我正在尝试参数化SQL查询:

query_url = Request.QueryString("ID")

Set rs = Server.CreateObject("ADODB.Recordset")

Set cmd = server.createobject("ADODB.Command")

cmd.ActiveConnection = Internet_String
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT NAME FROM OWNER.TABLE WHERE ID = " + "?" + ""

Set param = cmd.CreateParameter(, , ,200 , Replace(query_url, "'", "''"))

cmd.Parameters.Append param

Set rs = cmd.Execute()

So if I use (no parameters):

所以,如果我使用(没有参数):

SELECT NAME FROM OWNER.TABLE WHERE ID = " + Replace(query_url, "'", "''") + ""

It works fine, so I know my DB connection and query_url are working. Is something wrong with my SQL statement in the parameterized query? I've tried it so many different ways.

它工作正常,所以我知道我的数据库连接和query_url正在工作。参数化查询中的SQL语句有问题吗?我尝试过很多不同的方式。

When I run my parameterized query in Dreamweaver the page will not load anytime, just spins infinitely, I'm assuming it's not getting a response back from the DB.

当我在Dreamweaver中运行参数化查询时,页面将无法随时加载,只是无限旋转,我假设它没有从数据库中获得响应。

Thanks!

谢谢!

EDIT

编辑

Alright thanks for the help so far, I'm getting closer. The page loads now but the fields are still blank, heres what I've got so far:

好的,谢谢你到目前为止的帮助,我越来越近了。页面现在加载,但字段仍然是空白,这是我到目前为止所得到的:

Set rs = Server.CreateObject("ADODB.Recordset")

Set cmd = server.createobject("ADODB.Command")

cmd.ActiveConnection = internet_string    
cmd.CommandType = adCmdText

cmd.CommandText = "SELECT NAME FROM OWNER.TABLE WHERE ID = @param"

Set param = cmd.CreateParameter("@param", , ,200 , query_url)

cmd.Parameters.Append param

response.Write(param)

Set rs = cmd.Execute()

Here's how I'm referencing the data:

以下是我引用数据的方式:

<strong>Name: <%=(rs.Fields.Item("NAME").Value)%></strong>

Any ideas?

有任何想法吗?

1 个解决方案

#1


1  

Use a named placeholder;

使用命名占位符;

cmd.CommandText = "SELECT NAME FROM OWNER.TABLE WHERE ID = @ID"

Then provide its value

然后提供它的价值

Set param = cmd.CreateParameter("@ID", , ,200, Replace(query_url, "'", "''"))

FYI you do not need to escape ' in an parameterized query

在参数化查询中,您不需要转义'

#1


1  

Use a named placeholder;

使用命名占位符;

cmd.CommandText = "SELECT NAME FROM OWNER.TABLE WHERE ID = @ID"

Then provide its value

然后提供它的价值

Set param = cmd.CreateParameter("@ID", , ,200, Replace(query_url, "'", "''"))

FYI you do not need to escape ' in an parameterized query

在参数化查询中,您不需要转义'