Fatal编程技术网
  • oracle/
  • 甲骨文错误“;针对Oracle的Microsoft OLE DB提供程序错误';80040e14';ORA-00936:缺少表达式/secure/databook/behandl_-databook.asp,第49行“; %@Languag

甲骨文错误“;针对Oracle的Microsoft OLE DB提供程序错误';80040e14';ORA-00936:缺少表达式/secure/databook/behandl_-databook.asp,第49行“; %@Languag

oracle

甲骨文错误“;针对Oracle的Microsoft OLE DB提供程序错误';80040e14';ORA-00936:缺少表达式/secure/databook/behandl_-databook.asp,第49行“; %@Languag,oracle,Oracle,甲骨文错误“;针对Oracle的Microsoft OLE DB提供程序错误';80040e14';ORA-00936:缺少表达式/secure/databook/behandl_-databook.asp,第49行“; %@Language=VBScript%> 好的,然后打印出sSQL的值,并在sql客户机中运行它,以查看完整的构造sql语句。如果调试显示的是aktfilid值,那么Session(“kundenummer”)是否会为空?但是是的,打印/记录正在执行的实际命令

甲骨文错误“;针对Oracle的Microsoft OLE DB提供程序错误';80040e14';ORA-00936:缺少表达式/secure/databook/behandl_-databook.asp,第49行“; 
%@Language=VBScript%>

好的,然后打印出sSQL的值,并在sql客户机中运行它,以查看完整的构造sql语句。如果调试显示的是
aktfilid
值,那么
Session(“kundenummer”)
是否会为空?但是是的,打印/记录正在执行的实际命令将很快发现错误。既然您似乎没有任何绑定变量,那么您正在设置哪些参数?既然您是从用户输入构建命令,那么您如何防止注入呢?

%@ Language=VBScript %>
<% option explicit %>
<!-- #include virtual="/secure/inc/logged_on.asp" -->
<!-- #include virtual="/secure/inc/resettimer.asp" -->
<!-- #include virtual="/secure/databoks/inc/open_dbox_db.asp" -->
<!-- #include virtual="/secure/inc/functions.asp" -->
<!-- #include virtual="/secure/databoks/inc/dbox_functions.asp" -->
<!-- #include file="adovbs.inc" -->
<!-- #include virtual="/secure/inc/security_functions.asp" -->  <% ' #2758 %>
<%
Dim setkomma
Dim aktfilid
Dim sSQL
Dim item

If Request.Form("slettet") <> "" Then
    sSQL = "UPDATE dbox_files SET slettet = sysdate WHERE kundenr = " &     Session("kundenummer") & " and brugernr = '" & Session("rkibrugernummer") & "' and slettet       is null and filid in("

setkomma = false


    For Each item In Request.Form("slettet")    
        aktfilid = trim(item)
      session("_logger").debug "asp.databoks/behandl_databoks", "(1) aktfilid: " &     aktfilid
            If setkomma Then
                sSQL = sSQL & ","
            End if
            sSQL = sSQL & aktfilid
            setkomma = true
    Next
    sSQL = sSQL & ")"


    Dim objCmd
    Dim Rec
    const adCmdText = &H0001
    Const adVarChar = 200
    Const adParamInput =  &H0001
    set objCmd = server.CreateObject("ADODB.Command")
        objCmd.ActiveConnection = DBoxConn
        objCmd.CommandType =adCmdText
        objCmd.CommandText=sSQL

        objCmd.parameters.append objCmd.CreateParameter("@kundenummer", adVarChar,     adParamInput, 150, Session("kundenummer"))
        objCmd.parameters.append objCmd.CreateParameter("@rkibrugernummer", adVarChar,     adParamInput, 150, Session("rkibrugernummer"))
        For populating recordset do the following:
        Set recordsetobject = .Execute
            Set Rec = objCmd.Execute()
       While NOT Rec.EOF
            Rec.MoveNext
        Wend
        Set objCmd = Nothing

         End If