What does the line var connection = new ActiveXObject("ADODB.Connection"); mean and why doesn't it work?

I have found some code on the net, and there is a line in it that I don't understand: what it means and what it does. Moreover, the line doesn't work. Can anyone help?

The code:

    var connection = new ActiveXObject("ADODB.Connection"); /*the line*/
    var connectionstring = "Data Source=srvp7rnd-herm;Initial Catalog=hermes;User ID=hermes;Password=hermes;Provider=SQLOLEDB";
    connection.Open(connectionstring);

    /* JavaScript object to access a SQL query's results */
    var rs = new ActiveXObject("ADODB.Recordset");

    /* Getting the current MAX(id) from the database */
    rs.Open("SELECT MAX(id) FROM Screen_Template", connection);
    rs.MoveFirst();                      /* method calls need parentheses in JScript */
    var maxID = rs.Fields.Item(0).Value; /* read the field's value, not the Field object */
    maxID = maxID + 1;
    rs.Close();                          /* a Recordset must be closed before it is reopened */

    /* TODO: Get the last UID */
    var sql = "INSERT INTO Screen_Template(template_name, OpCo, env, template_xml, language, id, title, role, UID) VALUES (" + templateName + "," + opco + "," + env + "," + "<hello>hello</hello>" + ",eng," + maxID + ",Hermes SMS message composer," + "manag, 10)";
    alert(sql);
    rs.Open(sql, connection);            /* an INSERT returns no rows, so rs stays closed */

    /* Closing the connection */
    connection.Close();

The code you are looking at is either JavaScript, or Microsoft-flavoured JScript. The code can be either server side in ASP-Classic (JScript was an option here, albeit unusual - most coded server side in VBScript), however, given that there is an alert halfway through the page, it is likely intended for client side, on a browser.

The lines

    var connection = new ActiveXObject("ADODB.Connection");

and

    var rs = new ActiveXObject("ADODB.Recordset");

attempt to create an ActiveX component (aka Component Object Model, or COM) of ADODB.Connection and ADODB.Recordset, respectively, and then use these to insert data into the database. You can get reference to these here, although note that most of the reference is in VB :(

So here is a list of some of the possible issues:

  • The code will only ever run in IE browsers
  • You may need to download and install the COM components - ADO is installed via MDAC - Download here
  • You may need to run IE as an Administrator
  • You may need to open all sorts of security loopholes in IE (ActiveX controls, safe for scripting etc)

If you enable script debugging on the browser you'll get more info on the actual issue.

I guess I need to point out a couple of other major issues:

  • The concatenated SQL string is prone to SQL injection attacks (although obviously anyone viewing the page source can do whatever they like to the database anyway) - parameterization is the solution here.
  • SELECT Max(ID), incrementing, and inserting isn't concurrent safe - the solution here is to use an IDENTITY or GUID

However, all that said, this is obsolete technology, a security nightmare, and architecturally just plain wrong IMO - possibly you can convince your school to redesign the code using a more modern technology stack? (Sorry to be the bearer of bad news)
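
The parameterization and IDENTITY suggestions from the answer above, sketched as an added example that is not part of the original question or answer. The `createObject` factory, the `row` field names, the column sizes and the `fakeCreateObject` stand-in are assumptions made so the code also runs outside Internet Explorer.

```javascript
// ADO enum values (from the ADO type library).
var adInteger = 3, adVarWChar = 202, adParamInput = 1, adCmdText = 1;

// createObject is a hypothetical factory; under JScript on Windows it would be
//   function (progId) { return new ActiveXObject(progId); }
function buildInsertCommand(createObject, connection, row) {
    var uid = Number(row.uid);
    if (!isFinite(uid) || Math.floor(uid) !== uid) throw new Error("UID must be an integer");
    var cmd = createObject("ADODB.Command");
    cmd.ActiveConnection = connection;
    cmd.CommandType = adCmdText;
    // Fixed statement text: no user data is ever spliced into it.
    // id is left out on the assumption that it is now an IDENTITY column.
    cmd.CommandText =
        "INSERT INTO Screen_Template " +
        "(template_name, OpCo, env, template_xml, language, title, role, UID) " +
        "VALUES (?, ?, ?, ?, ?, ?, ?, ?)";
    // Positional parameters, in the same order as the ? markers.
    // The sizes (255 / 4000) are assumed column widths.
    var text = [
        ["template_name", 255, row.templateName],
        ["OpCo", 255, row.opco],
        ["env", 255, row.env],
        ["template_xml", 4000, row.templateXml],
        ["language", 255, row.language],
        ["title", 255, row.title],
        ["role", 255, row.role]
    ];
    for (var i = 0; i < text.length; i++) {
        cmd.Parameters.Append(cmd.CreateParameter(
            text[i][0], adVarWChar, adParamInput, text[i][1], String(text[i][2])));
    }
    cmd.Parameters.Append(
        cmd.CreateParameter("UID", adInteger, adParamInput, 4, uid));
    return cmd; // the caller runs cmd.Execute()
}

// Constructed stand-in for the COM objects so the example runs outside Windows.
function fakeCreateObject(progId) {
    var params = [];
    return {
        progId: progId,
        Parameters: { Append: function (p) { params.push(p); }, items: params },
        CreateParameter: function (name, type, dir, size, value) {
            return { Name: name, Type: type, Direction: dir, Size: size, Value: value };
        }
    };
}
```

Parameterization only addresses the injection point; the connection string with its credentials would still be visible to anyone viewing the page source, as the answer notes.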
