ASP variable SQL error
I am trying to use an ASP variable to determine the SQL sort order. ASP SQL error lines:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Text Driver] Syntax error (missing operator) in query expression '& supplier_name &'.
/junk/airsearch/search.htm, line 106
Relevant line:
conDB = "SELECT * FROM mul.csv WHERE ucase(supplier_name) LIKE ucase('%"+src_supplier_name+"%') AND ucase(aircraft_type) LIKE ucase('%"+src_aircraft_type+"%') ORDER BY & src_order & "
ASP code:
<%
Dim connectString, connect, conDB, sconDB, lDB, con, scon, lcon, src_ccn, src_state, src_order
connectString = "Driver={Microsoft Text Driver (*.txt; *.csv)}; DBQ=" & Server.MapPath("data")
src_supplier_name = Request.QueryString("supplier_name")
src_aircraft_type = Request.QueryString("aircraft_type")
src_state = Request.QueryString("state")
src_order = "supplier_name"
set connect = Server.CreateObject("ADODB.connection")
connect.open connectString
if src_state = "" then
conDB = "SELECT * FROM mul.csv WHERE ucase(supplier_name) LIKE ucase('%"+src_supplier_name+"%') AND ucase(aircraft_type) LIKE ucase('%"+src_aircraft_type+"%') "
lDB = "SELECT * FROM mul.csv WHERE ucase(supplier_name) LIKE ucase('%"+src_supplier_name+"%')"
elseif src_state = "any" then
conDB = "SELECT * FROM mul.csv WHERE ucase(supplier_name) LIKE ucase('%"+src_supplier_name+"%') AND ucase(aircraft_type) LIKE ucase('%"+src_aircraft_type+"%') ORDER BY & src_order & "
lDB = "SELECT * FROM mul.csv WHERE ucase(supplier_name) LIKE ucase('%"+src_supplier_name+"%') AND ucase(aircraft_type) LIKE ucase('%"+src_aircraft_type+"%') ORDER BY & src_order & "
else
conDB = " SELECT * FROM mul.csv WHERE ucase(state) LIKE ucase('%"+src_state+"%') AND ucase(supplier_name) LIKE ucase('%"+src_supplier_name+"%') AND ucase(aircraft_type) LIKE ucase('%"+src_aircraft_type+"%')"
lDB = " SELECT * FROM mul.csv WHERE ucase(state) LIKE ucase('%"+src_state+"%') AND ucase(supplier_name) LIKE ucase('%"+src_supplier_name+"%') AND ucase(aircraft_type) LIKE ucase('%"+src_aircraft_type+"%')"
end if
sconDB = "SELECT * FROM mul.csv"
set con = connect.execute(conDB)
set scon = connect.execute(sconDB)
set lcon = connect.execute(lDB)
%>
Try changing it like this:
conDB = "SELECT * FROM mul.csv WHERE ucase(supplier_name) LIKE ucase('%" & src_supplier_name & "%') AND ucase(aircraft_type) LIKE ucase('%" & src_aircraft_type & "%') ORDER BY " & src_order
Shouldn't the whole SQL statement have a closing `"`?

@sephiith SQL doesn't care about that. The string literal in the VB code should have a closing `"`. `%') ORDER BY ` is a string literal; `src_order` is not.

SQL injection is worth mentioning in this context. What you are doing with src_state, src_supplier_name and src_aircraft_type leaves your code vulnerable to SQL injection. You are practically begging to be hacked.
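As an added example (not the question's or the answer's code), here is the same lookup against mul.csv with the concatenation fix from the answer applied and the user input passed as ADO parameters instead of being spliced into the SQL text, which addresses the injection point raised in the last comment. ORDER BY cannot take a parameter marker, so the sort column is taken from a whitelist; the "order" query-string name, that whitelist, and the assumption that the ODBC Text Driver accepts "?" parameter markers are mine, not the page's.

```vbscript
<%
' Added example, not the question's or the answer's code: the same lookup against
' mul.csv with the user input passed as ADO parameters instead of being spliced
' into the SQL text. The "order" query-string name and its whitelist are assumed.
Option Explicit
Dim connectString, connect, cmd, con, sql, src_state, src_order, hasState
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200
connectString = "Driver={Microsoft Text Driver (*.txt; *.csv)}; DBQ=" & Server.MapPath("data")
Set connect = Server.CreateObject("ADODB.Connection")
connect.Open connectString

' ORDER BY cannot be a parameter marker, so map the request value onto a fixed
' list of column names; anything else falls back to the page's default.
Select Case LCase(Request.QueryString("order"))
    Case "aircraft_type": src_order = "aircraft_type"
    Case "state":         src_order = "state"
    Case Else:            src_order = "supplier_name"
End Select

' Same branching as the original: "" and "any" mean no state filter.
src_state = Request.QueryString("state")
hasState = (src_state <> "" And src_state <> "any")

sql = "SELECT * FROM mul.csv WHERE ucase(supplier_name) LIKE ? AND ucase(aircraft_type) LIKE ?"
If hasState Then sql = sql & " AND ucase(state) LIKE ?"
sql = sql & " ORDER BY " & src_order   ' safe: src_order is one of the literals above
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = connect
cmd.CommandType = adCmdText
cmd.CommandText = sql
' Each "?" receives its value separately, so quotes or keywords in the input
' cannot alter the statement. UCase here mirrors the original ucase('%...%').
cmd.Parameters.Append cmd.CreateParameter("p_supplier", adVarChar, adParamInput, 255, _
    "%" & UCase(Request.QueryString("supplier_name")) & "%")
cmd.Parameters.Append cmd.CreateParameter("p_aircraft", adVarChar, adParamInput, 255, _
    "%" & UCase(Request.QueryString("aircraft_type")) & "%")
If hasState Then
    cmd.Parameters.Append cmd.CreateParameter("p_state", adVarChar, adParamInput, 255, _
        "%" & UCase(src_state) & "%")
End If

Set con = cmd.Execute
Do Until con.EOF
    Response.Write Server.HTMLEncode(con("supplier_name") & "") & "<br>"
    con.MoveNext
Loop
%>
```

The same whitelist approach applies to any other column name or direction (ASC/DESC) you let the request choose; only fixed literals from your own code should ever reach the ORDER BY clause.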