Warning: file_get_contents(/data/phpspider/zhask/data//catemap/5/sql/85.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
SQL查询未向数据库插入正确的值_Sql_Sql Server_Database - Fatal编程技术网
Fatal编程技术网
  • sql/
  • SQL查询未向数据库插入正确的值

SQL查询未向数据库插入正确的值

sql sql-server database

SQL查询未向数据库插入正确的值,sql,sql-server,database,Sql,Sql Server,Database,下面是SQL语句: SQL = "INSERT INTO MYIMAGES(image_blob, filename, description, filesize, accountnum, rmanum, billol, copiedfilename) VALUES(?, '" SQL = SQL & File.Filename & "', '" SQL = SQL & Replace(Upload.Form("DESCR"), "'", "''") & "',

下面是SQL语句:

SQL = "INSERT INTO MYIMAGES(image_blob, filename, description, filesize, accountnum, rmanum, billol, copiedfilename) VALUES(?, '"
SQL = SQL & File.Filename & "', '"
SQL = SQL & Replace(Upload.Form("DESCR"), "'", "''") & "', '"
SQL = SQL & File.Size & "', '"
SQL = SQL & Replace(Upload.Form("accountnum"), "'", "''") & "', '"
SQL = SQL & Replace(Upload.Form("rmanum"), "'", "''") & "', '"
SQL = SQL & Replace(Upload.Form("billol"), "'", "''") & "', "
SQL = SQL & Replace(Upload.Form("accountnum"), "'", "''") & "-" & Replace(Upload.Form("rmanum"), "'", "''") & ")"
accountnum=3456345 rmanum=345234

在数据库中输入的值是
3111111
我希望它是
3456345-345234

该列的数据类型是
varchar(255)
-我做错了什么??

尝试以下方法:

SQL = "INSERT INTO MYIMAGES(image_blob, filename, description, filesize, accountnum, rmanum, billol, copiedfilename) VALUES(?, '"
SQL = SQL & File.Filename & "', '"
SQL = SQL & Replace(Upload.Form("DESCR"), "'", "''") & "', '"
SQL = SQL & File.Size & "', '"
SQL = SQL & Replace(Upload.Form("accountnum"), "'", "''") & "', '"
SQL = SQL & Replace(Upload.Form("rmanum"), "'", "''") & "', '"
SQL = SQL & Replace(Upload.Form("billol"), "'", "''") & "', '"
SQL = SQL & Replace(Upload.Form("accountnum"), "'", "''") & "-" & Replace(Upload.Form("rmanum"), "'", "''") & "')"
我刚刚把'的最后一个值的行将结束,这样它就不会被解释为一个数学表达式

即:

3456345-345234 = 3111111
试试这个:

SQL = "INSERT INTO MYIMAGES(image_blob, filename, description, filesize, accountnum, rmanum, billol, copiedfilename) VALUES(?, '"
SQL = SQL & File.Filename & "', '"
SQL = SQL & Replace(Upload.Form("DESCR"), "'", "''") & "', '"
SQL = SQL & File.Size & "', '"
SQL = SQL & Replace(Upload.Form("accountnum"), "'", "''") & "', '"
SQL = SQL & Replace(Upload.Form("rmanum"), "'", "''") & "', '"
SQL = SQL & Replace(Upload.Form("billol"), "'", "''") & "', '"
SQL = SQL & Replace(Upload.Form("accountnum"), "'", "''") & "-" & Replace(Upload.Form("rmanum"), "'", "''") & "')"
我刚刚把'的最后一个值的行将结束,这样它就不会被解释为一个数学表达式

即:

3456345-345234 = 3111111
如果使用sql参数,可以避免
REPLACE
以及任何sql注入

例:

将sql语句更改为

INSERT INTO MYIMAGES(image_blob, filename, description, filesize, 
   accountnum, rmanum, billol, copiedfilename) 
VALUES(@p1, @p2, @p3,@p4,@p5, @p6, @p7,@p8)
那就做吧

cmd.Parameters.AddWithValue("@p2",File.Filename)
cmd.Parameters.AddWithValue("@p3",Upload.Form("DESCR"))

根据OP评论更新: 对于ASP,请尝试此选项

dim cmd, rs, param1, param2, param3, param4, param5,param6, param7, param8
set cmd = server.CreateObject("adodb.command")
strCmd = "INSERT INTO MYIMAGES(image_blob, filename, description, 
            filesize, accountnum, rmanum, billol, copiedfilename)
            VALUES(?,?,?,?,?,?,?,?)"
Set cmd.ActiveConnection = objConn
cmd.CommandText = strCmd
cmd.CommandType = adCmdText
Set param1 = cmd.CreateParameter ("image_blob", adWChar, adParamInput, 50)
param1.value = image_blob
cmd.Parameters.Append param1
....
Set param8 = cmd.CreateParameter ("copiedfilename", adWChar, adParamInput, 50)
param8.value = Upload.Form("accountnum") & "-" & Upload.Form("rmanum")
cmd.Parameters.Append param8
Set rs = cmd.Execute()
如果使用sql参数,可以避免
REPLACE
以及任何sql注入

例:

将sql语句更改为

INSERT INTO MYIMAGES(image_blob, filename, description, filesize, 
   accountnum, rmanum, billol, copiedfilename) 
VALUES(@p1, @p2, @p3,@p4,@p5, @p6, @p7,@p8)
那就做吧

cmd.Parameters.AddWithValue("@p2",File.Filename)
cmd.Parameters.AddWithValue("@p3",Upload.Form("DESCR"))

根据OP评论更新: 对于ASP,请尝试此选项

dim cmd, rs, param1, param2, param3, param4, param5,param6, param7, param8
set cmd = server.CreateObject("adodb.command")
strCmd = "INSERT INTO MYIMAGES(image_blob, filename, description, 
            filesize, accountnum, rmanum, billol, copiedfilename)
            VALUES(?,?,?,?,?,?,?,?)"
Set cmd.ActiveConnection = objConn
cmd.CommandText = strCmd
cmd.CommandType = adCmdText
Set param1 = cmd.CreateParameter ("image_blob", adWChar, adParamInput, 50)
param1.value = image_blob
cmd.Parameters.Append param1
....
Set param8 = cmd.CreateParameter ("copiedfilename", adWChar, adParamInput, 50)
param8.value = Upload.Form("accountnum") & "-" & Upload.Form("rmanum")
cmd.Parameters.Append param8
Set rs = cmd.Execute()
,有人吗?如果输出sql变量,它是什么样子的?还有,你说的是什么字段?对不起,这是最后一个字段,copiedfilename字段,还有其他字段吗?如果你输出sql变量,它是什么样子的?还有,你在说什么字段?对不起,这是最后一个字段,copiedfilename字段太棒了,我选择这个字段。谢谢allIt在我提交表单时说objectrequired:'cmd'。我需要先创建一个命令对象吗?这是一个经典的ASP文件btw@user7954,是的,你需要创建命令对象,检查我的更新答案。太棒了,我会用这个。谢谢allIt在我提交表单时说objectrequired:'cmd'。我需要先创建一个命令对象吗?这是一个经典的ASP文件btw@user7954,是您需要创建命令对象,请检查我的更新答案