ASP variable SQL error

Tags: sql, asp-classic, ado

I'm trying to use an ASP variable to determine how the SQL result is sorted.

The ASP SQL error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Text Driver] Syntax error (missing operator) in query expression '& supplier_name &'.

/junk/airsearch/search.htm, line 106
The line in question:

conDB = "SELECT * FROM mul.csv WHERE ucase(supplier_name) LIKE ucase('%"+src_supplier_name+"%') AND ucase(aircraft_type) LIKE ucase('%"+src_aircraft_type+"%') ORDER BY & src_order & "   
The ASP code:

<%
        Dim connectString, connect, conDB, sconDB, lDB, con, scon, lcon, src_ccn, src_state, src_order
        connectString = "Driver={Microsoft Text Driver (*.txt; *.csv)}; DBQ=" & Server.MapPath("data")
              src_supplier_name = Request.QueryString("supplier_name")
              src_aircraft_type = Request.QueryString("aircraft_type")
              src_state = Request.QueryString("state")


            src_order = "supplier_name"


        set connect = Server.CreateObject("ADODB.connection")
        connect.open connectString

        if src_state = "" then
            conDB = "SELECT * FROM mul.csv WHERE ucase(supplier_name) LIKE ucase('%"+src_supplier_name+"%') AND ucase(aircraft_type) LIKE ucase('%"+src_aircraft_type+"%') "   
            lDB = "SELECT * FROM mul.csv WHERE ucase(supplier_name) LIKE ucase('%"+src_supplier_name+"%')" 
        elseif src_state = "any" then
            conDB = "SELECT * FROM mul.csv WHERE ucase(supplier_name) LIKE ucase('%"+src_supplier_name+"%') AND ucase(aircraft_type) LIKE ucase('%"+src_aircraft_type+"%') ORDER BY & src_order & "   
            lDB = "SELECT * FROM mul.csv WHERE ucase(supplier_name) LIKE ucase('%"+src_supplier_name+"%') AND ucase(aircraft_type) LIKE ucase('%"+src_aircraft_type+"%') ORDER BY & src_order & " 
        else 
            conDB = " SELECT * FROM mul.csv WHERE ucase(state) LIKE ucase('%"+src_state+"%') AND ucase(supplier_name) LIKE ucase('%"+src_supplier_name+"%') AND ucase(aircraft_type) LIKE ucase('%"+src_aircraft_type+"%')"
            lDB = " SELECT * FROM mul.csv WHERE ucase(state) LIKE ucase('%"+src_state+"%') AND ucase(supplier_name) LIKE ucase('%"+src_supplier_name+"%') AND ucase(aircraft_type) LIKE ucase('%"+src_aircraft_type+"%')"
        end if

        sconDB = "SELECT * FROM mul.csv"    

        set con = connect.execute(conDB)
        set scon = connect.execute(sconDB)
        set lcon = connect.execute(lDB)
%>

Try changing it to this:

conDB = "SELECT * FROM mul.csv WHERE ucase(supplier_name) LIKE ucase('%" & src_supplier_name & "%') AND ucase(aircraft_type) LIKE ucase('%" & src_aircraft_type & "%') ORDER BY " & src_order   

Shouldn't the whole SQL statement have a closing "?

@sephiith SQL doesn't care about that. The string literal in the VB code should have a closing ". "%') ORDER BY " is the string literal; src_order is not.

SQL injection is worth mentioning in this context. What you are doing with src_state, src_supplier_name and src_aircraft_type makes your code vulnerable to SQL injection attacks. You are practically begging to be hacked.
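An added example (not code from the question, the answer or the comments above) showing how the same search can be written so the fix to the ORDER BY concatenation does not leave the injection problem the last comment raises: every user-supplied value is passed as an ADO parameter, and the sort column, which cannot be parameterised, is mapped onto a fixed allowlist. It collapses the "" and "any" state cases into one branch and runs only the main query, not the three the original page executes. It assumes the ODBC Text Driver accepts "?" parameter markers through an ADODB.Command (true for the Jet-based ODBC drivers, but confirm on the target host), and the query-string parameter "order" and the function names are hypothetical.

```vbscript
<%
Option Explicit

' ADO constants (normally pulled in from adovbs.inc), defined here so the page stands alone.
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

Dim connectString, connect, cmd, rs
Dim src_supplier_name, src_aircraft_type, src_state, src_order

connectString = "Driver={Microsoft Text Driver (*.txt; *.csv)}; DBQ=" & Server.MapPath("data")

src_supplier_name = Request.QueryString("supplier_name")
src_aircraft_type = Request.QueryString("aircraft_type")
src_state         = Request.QueryString("state")

' ORDER BY cannot take a parameter, so the requested sort column is mapped onto a
' fixed set of column names. Anything else falls back to the default and never
' reaches the SQL text. ("order" is an assumed query-string name, not from the page.)
Function SafeOrderColumn(requested)
    Select Case LCase(Trim(requested & ""))
        Case "aircraft_type": SafeOrderColumn = "aircraft_type"
        Case "state":         SafeOrderColumn = "state"
        Case Else:            SafeOrderColumn = "supplier_name"
    End Select
End Function

' Wrap a search term in LIKE wildcards. A literal % or _ typed by the user is still
' a wildcard here; that only widens the match, it cannot alter the statement.
Function LikePattern(term)
    LikePattern = "%" & UCase(term & "") & "%"
End Function

src_order = SafeOrderColumn(Request.QueryString("order"))

Set connect = Server.CreateObject("ADODB.Connection")
connect.Open connectString

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = connect
cmd.CommandType = adCmdText

' The statement text is fixed apart from the allowlisted column name. Each user
' value travels as a ? parameter, appended in the same order as the markers, so a
' quote inside supplier_name is data rather than SQL.
If src_state = "" Or src_state = "any" Then
    cmd.CommandText = "SELECT * FROM mul.csv " & _
        "WHERE UCase(supplier_name) LIKE ? AND UCase(aircraft_type) LIKE ? " & _
        "ORDER BY " & src_order
Else
    cmd.CommandText = "SELECT * FROM mul.csv " & _
        "WHERE UCase(state) LIKE ? AND UCase(supplier_name) LIKE ? AND UCase(aircraft_type) LIKE ? " & _
        "ORDER BY " & src_order
    cmd.Parameters.Append cmd.CreateParameter("p_state", adVarChar, adParamInput, 255, LikePattern(src_state))
End If
cmd.Parameters.Append cmd.CreateParameter("p_supplier", adVarChar, adParamInput, 255, LikePattern(src_supplier_name))
cmd.Parameters.Append cmd.CreateParameter("p_aircraft", adVarChar, adParamInput, 255, LikePattern(src_aircraft_type))

Set rs = cmd.Execute
%>
```

Two details worth checking when adapting this: ADO binds parameters positionally, so the Append calls must follow the order of the ? markers (which is why the state parameter is appended inside the Else branch before the other two), and a supplier_name such as `x') OR ('1'='1` now simply matches nothing instead of rewriting the WHERE clause as it would with the concatenated version on the page.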