我正在尝试使用参数化来防止在我使用的 HMI 中的一个文本框中进行 SQL 注入。
已经为我收集的解决方案寻找了很多东西,这取决于我可以使用哪种 SQL 语法,?
或者@
告诉系统这是参数,但它们都抛出了错误。
Dim DBCommand
Dim DBRecordSet
Dim Connection
Dim sqlString
Set DBRecordSet = CreateObject("ADODB.Recordset")
Set DBCommand = CreateObject("ADODB.Command")
Set Connection = GetDBConnection("Test")
sqlString = "Insert into [WorkCommentLog] (Worklog_WorkID, Comment,
InsertTime, WrittenBy) values" &_
"('"& WorkID &"' , @Comm , GetDate() , '" & User.Value &"');"
DBCommand.Parameters.Append DBCommand.CreateParameter ("@Comm",
adVarChar, adParamInput, 255, WinCC_Comment.Value)
DBCommand.CommandText = sqlString
DBCommand.Execute(adExecuteNoRecords)
Connection.Close
Dim DBCommand
Dim DBRecordSet
Dim Connection
Dim sqlString
Set DBRecordSet = CreateObject("ADODB.Recordset")
Set DBCommand = CreateObject("ADODB.Command")
Set Connection = GetDBConnection("Test")
sqlString = "Insert into [WorkCommentLog] (Worklog_WorkID, Comment, InsertTime, WrittenBy) values" &_
"('"& WorkID &"' , ? , GetDate() , '" & User.Value &"');"
DBCommand.Parameters.Append DBCommand.CreateParameter ("Comment", adVarChar, adParamInput, 255, WinCC_Comment.Value)
DBCommand.CommandText = sqlString
DBCommand.Execute(adExecuteNoRecords)
Connection.Close
第一个代码段抛出此错误:
必须声明标量变量“@Com”
而第二个代码片段抛出此错误:
没有为一个或多个必需参数提供值