Sql 有人能告诉我这句话有什么不对吗?
我用它在我的表中插入了一些东西,它一直给我这个错误: Microsoft VBScript compilation error '800a03ee' Expected ')' /thanks.asp, line 63 Set rstSimple = cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode) VALUES ('"Request.QueryString("payer_email") & "', '" & Request.QueryString("payer_email") & "', '" & Request.QueryString("first_name") & "', '" & Request.QueryString("last_name") & "', '" & Request.QueryString("hash")"')) ---------------------------------------------------------------------------------------------------------------------^ 有人能帮我吗Sql 有人能告诉我这句话有什么不对吗?,sql,asp-classic,vbscript,Sql,Asp Classic,Vbscript,我用它在我的表中插入了一些东西,它一直给我这个错误: Microsoft VBScript compilation error '800a03ee' Expected ')' /thanks.asp, line 63 Set rstSimple = cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode) VALUES ('"Request.QueryString("pa
谢谢您这里有一个缺少的
&VALUES ('"Request.QueryString("payer_email") & "'
VALUES ('" & Request.QueryString("payer_email") & "'
Request.QueryString("hash") & "')")
&“VALUES ('" & Request.QueryString("payer_email") & "'
Request.QueryString("hash") & "')")
cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode) VALUES ('" & Request.QueryString("payer_email") & "', '" & Request.QueryString("payer_email") & "', '" & Request.QueryString("first_name") & "', '" & Request.QueryString("last_name") & "', '" & Request.QueryString("hash") & "')")
似乎存在与括号相关的语法错误。
该行末尾的2个括号看起来有点可疑。缺少的符号和引号可能是您遇到的最小问题
看起来您并没有以任何方式清理字符串。字符串可能包含未转义的单引号。您可以接受SQL注入,因为您没有使用参数。我建议按如下方式分解代码,使其可读性和可理解性更好:
Dim execSql
execSql = "insert into SALT (Email, Username, FirstName, LastName, ActivationCode)"
execSql = execSql & " VALUES ('"
execSql = execSql & Request.QueryString("payer_email")
execSql = execSql & "', '"
execSql = execSql & Request.QueryString("payer_email")
execSql = execSql & "', '"
execSql = execSql & Request.QueryString("first_name")
execSql = execSql & "', '"
execSql = execSql & Request.QueryString("last_name")
execSql = execSql & "', '"
execSql = execSql & Request.QueryString("hash")
execSql = execSql & "')"
Set rstSimple = cnnSimple.Execute(execSql)
编辑SQL注入和安全性 正如其他人已经提到的,您的代码极易受到SQL注入攻击。即使没有攻击(即删除您的数据库)的意思,如果某人的名字是
d'Amourin't HuysSet dbCommand = Server.CreateObject("ADODB.Command")
Set dbCommand.ActiveConnection = cnnSimple
dbCommand.CommandType = adCmdText
dbCommand.CommandText = _
"INSERT INTO SALT (Email, Username, FirstName, LastName, ActivationCode) " + _
"VALUES (@email, @user, @firstname, @lastname, @code)"
With dbCommand.Parameters
.Add("email", adVarChar, adParamInput, , Request.QueryString("payer_email"))
.Add("user", adVarChar, adParamInput, , Request.QueryString("payer_email"))
.Add("firstname", adVarChar, adParamInput, , Request.QueryString("first_name"))
.Add("lastname", adVarChar, adParamInput, , Request.QueryString("last_name"))
.Add("code", adVarChar, adParamInput, , Request.QueryString("hash"))
End With
Set rstSimple = dbCommand.Execute()
adVarCharadParamInput有关更多信息,请参见Google上的“SQL注入ASP”或“SQL准备语句经典ASP”,它应该会给您带来一些帮助。Um,我在其中添加了与上面类似的&但现在它显示:Microsoft VBScript编译错误“800a0409”未终止字符串常量/Thank.ASP,第63行Set rstSimple=cnnSimple.Execute(“插入到SALT中”)(电子邮件、用户名、名字、姓氏、激活码)值(“&Request.QueryString(“payer_Email”)&“,”&Request.QueryString(“payer_Email”)&“,”&Request.QueryString(“first_name”)&“,”&Request.QueryString(“last_name”)&“,”&Request.QueryString(“last_name”)&“,”,“&Request.QueryString(“hash”))-----------------^ @ J-T-S:检查我的更新答案。你也缺少一个引号,正如在另一个答案中提到的@ Alvin Dasasar。J-T-S:有很多其他缺失的引文,在中间的任何地方(但是这个答案的最后陈述似乎是正确的)。检查我的答案(自我推销,哎哟!)了解如何使您的代码稍微不易出错并更容易发现错误。其他人展示了类似的方法以使您的代码可读;-)。我刚刚尝试了此答案的最后一个示例,现在它显示:Microsoft VBScript运行时错误'800a01a8'所需对象:'@j-t-s:可能在设置
cnnSimple&UserNameEmailDim