0

我正在尝试在 ADO 中编写一段代码,它将根据用户在 HTML 表单中输入的内容显示来自数据库的数据。我已经尝试通过将用户的输入设置为变量,然后设置我的 sql 以使用此变量查询数据库,但是它不起作用。我的代码目前如下所示:

<!DOCTYPE html>
<html>
<title>
Query
</title>
 <body>
 <form name="teacherReg" action="http://hr-computing/public/AlexS/Tests/UserQuery.asp" method="POST">
<input type="text" name="firstnameQuery">
<input type="submit" value="submit">
      </form>
<%
Query=request.form("firstnameQuery")
set conn=Server.CreateObject("ADODB.Connection")
conn.Open ="{private}"
set rs=Server.CreateObject("ADODB.recordset")
sql="SELECT firstname, lastname, PASSWORD FROM teachers WHERE firstname = Query"
rs.Open sql,conn


%>
<%
do until rs.EOF
   for each x in rs.Fields
     Response.Write(x.name)
     Response.Write(" = ")
     Response.Write(x.value & "<br>")
   next
   Response.Write("<br>")
   rs.MoveNext
 loop

rs.close

%>


</body>
</html>

我目前收到错误

用于 ODBC 驱动程序的 Microsoft OLE DB 提供程序错误“80040e14”

[MySQL][ODBC 3.51 驱动程序][mysqld-5.0.45-community-nt]“where 子句”中的未知列“查询”

我不明白为什么它不起作用,有什么帮助吗?

4

1 回答 1

1

您没有将值传递给query命令

尝试

    Dim Conn As ADODB.Connection
Dim Cmd As ADODB.Command
Dim Parm As ADODB.Parameter
Dim Rset as ADODB.Recordset

Set Conn = New ADODB.Connection
Cn.Open "{private}"
Set Cmd = New ADODB.Command

Cmd.ActiveConnection = Conn 
Cmd.CommandText = "SELECT firstname, lastname, PASSWORD FROM teachers WHERE firstname = ?;"
Cmd.CommandType = adCmdText
Set Parm = Cmd.CreateParameter("firstname", adVarChar, adParamInput)
Parm.Value = Query
Cmd.Parameters.Append Parm 
Set Rset = Cmd.Execute

您可以通过更改为它来执行...

sql="SELECT firstname, lastname, PASSWORD FROM teachers WHERE firstname = '" & Query & "'"

但正如每个人都会告诉你的那样,这对 SQL 注入是开放的,而不是一个好主意

于 2013-10-18T09:07:55.583 回答