1. 首頁
  2. 問答
  3. SQL查詢不插入正確的值到數據庫

SQL查詢不插入正確的值到數據庫

2013-02-08 130 views
0

這裏是SQL語句:SQL查詢不插入正確的值到數據庫

SQL = "INSERT INTO MYIMAGES(image_blob, filename, description, filesize, accountnum, rmanum, billol, copiedfilename) VALUES(?, '" 
SQL = SQL & File.Filename & "', '" 
SQL = SQL & Replace(Upload.Form("DESCR"), "'", "''") & "', '" 
SQL = SQL & File.Size & "', '" 
SQL = SQL & Replace(Upload.Form("accountnum"), "'", "''") & "', '" 
SQL = SQL & Replace(Upload.Form("rmanum"), "'", "''") & "', '" 
SQL = SQL & Replace(Upload.Form("billol"), "'", "''") & "', " 
SQL = SQL & Replace(Upload.Form("accountnum"), "'", "''") & "-" & Replace(Upload.Form("rmanum"), "'", "''") & ")"

accountnum = 3456345 rmanum = 345234

在被輸入數據庫中的值是3111111什麼,我希望它是是3456345-345234

該列的數據類型是varchar(255) - 我在做什麼錯?

來源

2013-02-08 user7954

+3

[SQL注入](http://en.wikipedia.org/wiki/SQL_injection),有人嗎? – Oded 2013-02-08 20:35:01

+0

如果輸出sql變量,它看起來像什麼?另外,你在說什麼領域? – 2013-02-08 20:36:18

+0

對不起,這是最後一個,複製文件名字段 – user7954 2013-02-08 20:37:57

回答

3

如果使用SQL參數就可以避免REPLACE以及任何SQL注入

例如:

更改SQL語句

INSERT INTO MYIMAGES(image_blob, filename, description, filesize, 
    accountnum, rmanum, billol, copiedfilename) 
VALUES(@p1, @p2, @p3,@p4,@p5, @p6, @p7,@p8)

然後做

cmd.Parameters.AddWithValue("@p2",File.Filename) 
cmd.Parameters.AddWithValue("@p3",Upload.Form("DESCR"))

....

//this will insert correct data 
cmd.Parameters.AddWithValue("@p8",Upload.Form("accountnum") & "-" & 
            Upload.Form("rmanum"))

基於OP評論更新時間: 對於ASP試試這個

dim cmd, rs, param1, param2, param3, param4, param5,param6, param7, param8 
set cmd = server.CreateObject("adodb.command") 
strCmd = "INSERT INTO MYIMAGES(image_blob, filename, description, 
      filesize, accountnum, rmanum, billol, copiedfilename) 
      VALUES(?,?,?,?,?,?,?,?)" 
Set cmd.ActiveConnection = objConn 
cmd.CommandText = strCmd 
cmd.CommandType = adCmdText 
Set param1 = cmd.CreateParameter ("image_blob", adWChar, adParamInput, 50) 
param1.value = image_blob 
cmd.Parameters.Append param1 
.... 
Set param8 = cmd.CreateParameter ("copiedfilename", adWChar, adParamInput, 50) 
param8.value = Upload.Form("accountnum") & "-" & Upload.Form("rmanum") 
cmd.Parameters.Append param8 
Set rs = cmd.Execute()

來源

2013-02-08 20:38:31

+0

太棒了,我會用這個。謝謝全部 – user7954 2013-02-08 20:42:49

+0

請記住標記爲答案。 – 2013-02-08 20:46:46

+0

這是說對象需要:'cmd',當我嘗試提交表單。我需要先創建一個命令對象?這是一個經典的ASP文件btw – user7954 2013-02-08 21:17:55

0

試試這個:

SQL = "INSERT INTO MYIMAGES(image_blob, filename, description, filesize, accountnum, rmanum, billol, copiedfilename) VALUES(?, '" 
SQL = SQL & File.Filename & "', '" 
SQL = SQL & Replace(Upload.Form("DESCR"), "'", "''") & "', '" 
SQL = SQL & File.Size & "', '" 
SQL = SQL & Replace(Upload.Form("accountnum"), "'", "''") & "', '" 
SQL = SQL & Replace(Upload.Form("rmanum"), "'", "''") & "', '" 
SQL = SQL & Replace(Upload.Form("billol"), "'", "''") & "', '" 
SQL = SQL & Replace(Upload.Form("accountnum"), "'", "''") & "-" & Replace(Upload.Form("rmanum"), "'", "''") & "')"

我剛纔把'到begginning和最後一個值的結束,這樣纔不會被解釋爲一個數學表達式

是:

3456345-345234 = 3111111

來源

2013-02-08 20:37:19 Noxthron

相關問題

 相關問題