
I'm trying to write a parameterized query in ASP Classic and it's starting to feel like I'm banging my head against a wall. I get the following error:

必须声明标量变量“@something”。

I swear this is what the "Hello" line is supposed to do, but maybe I'm missing something...

<% OPTION EXPLICIT %>
<!-- #include file="../common/adovbs.inc" -->
<%

    Response.Buffer=false

    dim conn,connectionString,cmd,sql,rs,parm

    connectionString = "Provider=SQLOLEDB.1;Integrated Security=SSPI;Data Source=.\sqlexpress;Initial Catalog=stuff"
    set conn = server.CreateObject("adodb.connection")
    conn.Open(connectionString)

    set cmd = server.CreateObject("adodb.command")
    set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "select @something"
    cmd.NamedParameters = true
    cmd.Prepared = true
    set parm = cmd.CreateParameter("@something",advarchar,adParamInput,255,"Hello")
    call cmd.Parameters.append(parm)
    set rs = cmd.Execute
    if not rs.eof then
        Response.Write rs(0)
    end if


%>
4 Answers

Here's some sample code from an MSDN Library article on preventing SQL injection attacks. I cannot find the original URL, but googling the title keywords (Preventing SQL Injections in ASP) should get you there quick enough. Hope this real-world example helps.

strCmd = "select title, description from books where author_name = ?"
Set objCommand.ActiveConnection = objConn
objCommand.CommandText = strCmd
objCommand.CommandType = adCmdText
Set param1 = objCommand.CreateParameter ("author", adWChar, adParamInput, 50)
param1.value = strAuthor
objCommand.Parameters.Append param1
Set objRS = objCommand.Execute()

See the following page on MSDN, near the bottom, referring specifically to named parameters.

MSDN example

answered 2009-07-07T15:07:47.663
with server.createobject("adodb.command")
  .activeConnection = application("connection_string")
  .commandText = "update sometable set some_col=? where id=?"
  .execute , array(some_value, the_id)
end with
answered 2009-07-07T19:08:34.243

In this case ADO will expect question marks rather than actual parameter names. As it stands, the SQL "select @something" isn't actually parameterized: it treats "@something" as an (undeclared) SQL variable, not as a parameter. Change your CommandText line to:

cmd.CommandText = "select ?"

and I think you'll get the result you're looking for.

Good luck!

answered 2009-07-07T14:44:50.620
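The fix above carried through to a complete page, as an added example that is not part of any of the answers: the asker's script rewritten with positional "?" placeholders and two typed parameters. The table "books", its columns and the query-string names are assumptions for illustration.

```vbscript
<% Option Explicit %>
<!-- #include file="../common/adovbs.inc" -->
<%
    ' Added example (not from the original question or answers).
    ' SQLOLEDB maps each "?" to the Parameters collection in Append order,
    ' so the order of the Append calls must match the order of the "?" marks.
    ' Table "books" and its columns are hypothetical.
    Dim conn, cmd, rs, connectionString

    connectionString = "Provider=SQLOLEDB.1;Integrated Security=SSPI;Data Source=.\sqlexpress;Initial Catalog=stuff"
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connectionString

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' "select @something" is sent to SQL Server verbatim, where @something is an
    ' undeclared T-SQL variable. "?" is the placeholder ADO binds a parameter to.
    cmd.CommandText = "select title, description from books where author_name = ? and published_year > ?"

    ' First "?": the author name, typed and length-limited. The value travels as
    ' parameter data and is never spliced into the SQL text.
    cmd.Parameters.Append cmd.CreateParameter("author", adVarWChar, adParamInput, 50, Request.QueryString("author"))
    ' Second "?": an integer filter. CLng raises a VBScript type mismatch on
    ' non-numeric input before anything reaches SQL Server.
    cmd.Parameters.Append cmd.CreateParameter("year", adInteger, adParamInput, , CLng(Request.QueryString("year")))

    Set rs = cmd.Execute
    Do Until rs.EOF
        ' HTMLEncode the output so stored data cannot inject markup into the page.
        Response.Write Server.HTMLEncode(rs("title")) & " - " & Server.HTMLEncode(rs("description")) & "<br>"
        rs.MoveNext
    Loop

    rs.Close
    conn.Close
%>
```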

I'm not sure what your query is intended to accomplish. I'm also not sure whether parameters are allowed in the select list. MSDN used to have (many years ago, probably) a decent article on where parameters are allowed in a query, but I can't seem to find it now.

OTTOMH, your attempt at supplying the parameter value to ADO looks correct. Does your query execute if you do something like this?

SELECT 1 FROM sometable WHERE somefield = @something
answered 2009-07-07T14:52:01.560