Using SQL parameters returns “Arguments are of the wrong type”

Submitted by 时光毁灭记忆、已成空白 on 2021-01-28 06:31:26

Question


I am having some trouble figuring out how to write classic ASP queries to prevent SQL injection.

I have read a few posts on it and have come up with the following script:

set cmd = server.createobject("ADODB.Command")

' Query text with a positional "?" placeholder for the parameter
SQL = "Select * From tablename Where Email Like ? And Deleted=0"

cmd.ActiveConnection = conn
cmd.CommandText = SQL
cmd.CommandType = adCmdText
cmd.CommandTimeout = 900
' adVarchar / adParamInput are ADO constants; the user input is wrapped in LIKE wildcards
cmd.Parameters.Append cmd.CreateParameter("@name", adVarchar, adParamInput, 50, "%" & this.Form("email") & "%")

Set rs = cmd.Execute

Every time I run it, though, I am getting the following error:

ADODB.Command error '800a0bb9'
Arguments are of the wrong type, are out of acceptable range, or are in conflict with one another.

I have followed the instructions from here: https://vikaskanani.wordpress.com/2012/05/07/classic-asp-sql-injection-prevention-by-using-query-parameter/

Any help figuring this out would be greatly appreciated.


Answer 1:


adVarchar, adCmdText and adParamInput are constant values that need to be defined before they can be used. There are a number of ways you can do this:

  1. Define just the constants you require manually:

    const adVarChar = 200
    const adParamInput = &H0001
    const adCmdText = &H0001
    
  2. Use the values directly (this is less readable / maintainable and generally not recommended):

    cmd.Parameters.Append cmd.CreateParameter("@name", 200, &H0001, 50, "%" & this.Form("email") & "%")
    
  3. Include an adovbs.inc which defines all of the ADO constants in a handy include file:

     <!--#include virtual="/adovbs.inc"-->
    

    The adovbs.inc file itself is available for download in lots of places on the web (make sure you give it a quick scan to check it doesn't include anything nasty), the 4GuysFromRolla site being a popular one (download the .txt linked and rename it to .inc)

  4. Include a reference to the ADO TypeLib:

    <!--metadata type="TypeLib" name="Microsoft ActiveX Data Objects 2.8 Library" uuid="{2A75196C-D9EB-4129-B803-931327F72D5C}" version="2.8"-->
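
The question's script with the constants defined, as an added example that is not part of the original question or answer (VBScript for classic ASP). It assumes an open ADODB.Connection named conn and the table and columns from the question, reads the email from Request.Form rather than the question's this.Form, and escapes LIKE wildcards with SQL Server bracket syntax, which assumes a SQL Server backend.

```vbscript
<%
Option Explicit   ' an undefined constant now raises "Variable is undefined"
                  ' instead of the less helpful 800a0bb9 error

' Added example, not the page's own code. Assumes an open ADODB.Connection
' named conn and a table "tablename" with columns Email and Deleted.
Const adVarChar    = 200
Const adParamInput = 1
Const adCmdText    = 1

' A parameter stops SQL injection, but a user-supplied "%" or "_" would still
' act as a wildcard and match every row. Escaping uses SQL Server bracket
' syntax (assumed backend); "[" must be escaped before the others.
Function EscapeLike(s)
    Dim r
    r = Replace(s, "[", "[[]")
    r = Replace(r, "%", "[%]")
    r = Replace(r, "_", "[_]")
    EscapeLike = r
End Function

Dim cmd, rs, pattern
pattern = "%" & EscapeLike(Request.Form("email")) & "%"

Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = conn
cmd.CommandText = "SELECT * FROM tablename WHERE Email LIKE ? AND Deleted = 0"
cmd.CommandType = adCmdText
cmd.CommandTimeout = 900
' OLE DB binds "?" placeholders by position; the parameter name is only a label.
' Size must be at least the length of the value, so it is taken from the value
' rather than hard-coded to 50.
cmd.Parameters.Append cmd.CreateParameter("@email", adVarChar, adParamInput, Len(pattern), pattern)

Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output so stored data cannot inject HTML into the page
    Response.Write Server.HTMLEncode(rs("Email")) & "<br>"
    rs.MoveNext
Loop
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```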
    


Source: https://stackoverflow.com/questions/51476283/using-sql-parameters-returns-arguments-are-of-the-wrong-type
