SQL查询未向数据库插入正确的值
下面是SQL语句:SQL查询未向数据库插入正确的值,sql,sql-server,database,Sql,Sql Server,Database,下面是SQL语句: SQL = "INSERT INTO MYIMAGES(image_blob, filename, description, filesize, accountnum, rmanum, billol, copiedfilename) VALUES(?, '" SQL = SQL & File.Filename & "', '" SQL = SQL & Replace(Upload.Form("DESCR"), "'", "''") & "',
SQL = "INSERT INTO MYIMAGES(image_blob, filename, description, filesize, accountnum, rmanum, billol, copiedfilename) VALUES(?, '"
SQL = SQL & File.Filename & "', '"
SQL = SQL & Replace(Upload.Form("DESCR"), "'", "''") & "', '"
SQL = SQL & File.Size & "', '"
SQL = SQL & Replace(Upload.Form("accountnum"), "'", "''") & "', '"
SQL = SQL & Replace(Upload.Form("rmanum"), "'", "''") & "', '"
SQL = SQL & Replace(Upload.Form("billol"), "'", "''") & "', "
SQL = SQL & Replace(Upload.Form("accountnum"), "'", "''") & "-" & Replace(Upload.Form("rmanum"), "'", "''") & ")"
accountnum=3456345 rmanum=345234
在数据库中输入的值是3111111
我希望它是3456345-345234
该列的数据类型是varchar(255)
-我做错了什么??尝试以下方法:
SQL = "INSERT INTO MYIMAGES(image_blob, filename, description, filesize, accountnum, rmanum, billol, copiedfilename) VALUES(?, '"
SQL = SQL & File.Filename & "', '"
SQL = SQL & Replace(Upload.Form("DESCR"), "'", "''") & "', '"
SQL = SQL & File.Size & "', '"
SQL = SQL & Replace(Upload.Form("accountnum"), "'", "''") & "', '"
SQL = SQL & Replace(Upload.Form("rmanum"), "'", "''") & "', '"
SQL = SQL & Replace(Upload.Form("billol"), "'", "''") & "', '"
SQL = SQL & Replace(Upload.Form("accountnum"), "'", "''") & "-" & Replace(Upload.Form("rmanum"), "'", "''") & "')"
我刚刚把'的最后一个值的行将结束,这样它就不会被解释为一个数学表达式
即:
3456345-345234 = 3111111
试试这个:
SQL = "INSERT INTO MYIMAGES(image_blob, filename, description, filesize, accountnum, rmanum, billol, copiedfilename) VALUES(?, '"
SQL = SQL & File.Filename & "', '"
SQL = SQL & Replace(Upload.Form("DESCR"), "'", "''") & "', '"
SQL = SQL & File.Size & "', '"
SQL = SQL & Replace(Upload.Form("accountnum"), "'", "''") & "', '"
SQL = SQL & Replace(Upload.Form("rmanum"), "'", "''") & "', '"
SQL = SQL & Replace(Upload.Form("billol"), "'", "''") & "', '"
SQL = SQL & Replace(Upload.Form("accountnum"), "'", "''") & "-" & Replace(Upload.Form("rmanum"), "'", "''") & "')"
我刚刚把'的最后一个值的行将结束,这样它就不会被解释为一个数学表达式
即:
3456345-345234 = 3111111
如果使用sql参数,可以避免
REPLACE
以及任何sql注入
例:
将sql语句更改为
INSERT INTO MYIMAGES(image_blob, filename, description, filesize,
accountnum, rmanum, billol, copiedfilename)
VALUES(@p1, @p2, @p3,@p4,@p5, @p6, @p7,@p8)
那就做吧
cmd.Parameters.AddWithValue("@p2",File.Filename)
cmd.Parameters.AddWithValue("@p3",Upload.Form("DESCR"))
根据OP评论更新:
对于ASP,请尝试此选项
dim cmd, rs, param1, param2, param3, param4, param5,param6, param7, param8
set cmd = server.CreateObject("adodb.command")
strCmd = "INSERT INTO MYIMAGES(image_blob, filename, description,
filesize, accountnum, rmanum, billol, copiedfilename)
VALUES(?,?,?,?,?,?,?,?)"
Set cmd.ActiveConnection = objConn
cmd.CommandText = strCmd
cmd.CommandType = adCmdText
Set param1 = cmd.CreateParameter ("image_blob", adWChar, adParamInput, 50)
param1.value = image_blob
cmd.Parameters.Append param1
....
Set param8 = cmd.CreateParameter ("copiedfilename", adWChar, adParamInput, 50)
param8.value = Upload.Form("accountnum") & "-" & Upload.Form("rmanum")
cmd.Parameters.Append param8
Set rs = cmd.Execute()
如果使用sql参数,可以避免
REPLACE
以及任何sql注入
例:
将sql语句更改为
INSERT INTO MYIMAGES(image_blob, filename, description, filesize,
accountnum, rmanum, billol, copiedfilename)
VALUES(@p1, @p2, @p3,@p4,@p5, @p6, @p7,@p8)
那就做吧
cmd.Parameters.AddWithValue("@p2",File.Filename)
cmd.Parameters.AddWithValue("@p3",Upload.Form("DESCR"))
根据OP评论更新:
对于ASP,请尝试此选项
dim cmd, rs, param1, param2, param3, param4, param5,param6, param7, param8
set cmd = server.CreateObject("adodb.command")
strCmd = "INSERT INTO MYIMAGES(image_blob, filename, description,
filesize, accountnum, rmanum, billol, copiedfilename)
VALUES(?,?,?,?,?,?,?,?)"
Set cmd.ActiveConnection = objConn
cmd.CommandText = strCmd
cmd.CommandType = adCmdText
Set param1 = cmd.CreateParameter ("image_blob", adWChar, adParamInput, 50)
param1.value = image_blob
cmd.Parameters.Append param1
....
Set param8 = cmd.CreateParameter ("copiedfilename", adWChar, adParamInput, 50)
param8.value = Upload.Form("accountnum") & "-" & Upload.Form("rmanum")
cmd.Parameters.Append param8
Set rs = cmd.Execute()
,有人吗?如果输出sql变量,它是什么样子的?还有,你说的是什么字段?对不起,这是最后一个字段,copiedfilename字段,还有其他字段吗?如果你输出sql变量,它是什么样子的?还有,你在说什么字段?对不起,这是最后一个字段,copiedfilename字段太棒了,我选择这个字段。谢谢allIt在我提交表单时说objectrequired:'cmd'。我需要先创建一个命令对象吗?这是一个经典的ASP文件btw@user7954,是的,你需要创建命令对象,检查我的更新答案。太棒了,我会用这个。谢谢allIt在我提交表单时说objectrequired:'cmd'。我需要先创建一个命令对象吗?这是一个经典的ASP文件btw@user7954,是您需要创建命令对象,请检查我的更新答案