How to filter data parsed from database using ASP
I've recently got my hands on an ASP project that was quite a mess. I'm not familiar with the language but after spending some time searching the Internet I've managed to learn it, but I'm still unfamiliar with the database queries etc.
So here's the problem: I've got this code that gets data from an MS Access database file. What I want is to filter this data based on the post/get parameters passed.
Here's the code I have so far:
sql = "SELECT * FROM tyres"
' each optional (brand, season) pair is concatenated straight into the SQL text;
' End If closes each block (VBScript requires it for a multi-line If)
if len(brand1) > 2 then
    sql = sql & " WHERE brand = '" & brand1 & "' AND application = '" & season1 & "'"
end if
if len(brand2) > 2 then
    sql = sql & " or brand = '" & brand2 & "' AND application = '" & season2 & "'"
end if
if len(brand3) > 2 then
    sql = sql & " or brand = '" & brand3 & "' AND application = '" & season3 & "'"
end if
if len(brand4) > 2 then
    sql = sql & " or brand = '" & brand4 & "' AND application = '" & season4 & "'"
end if
if len(brand5) > 2 then
    sql = sql & " or brand = '" & brand5 & "' AND application = '" & season5 & "'"
end if
set Dataconn = Server.CreateObject("ADODB.Connection")
Dataconn.Open "database-in"
set DataTable = Server.CreateObject("ADODB.recordset")
DataTable.Open sql, Dataconn
And it doesn't seem to work. Note that the user is able to insert up to 5 (as you can see) different parameters in order to search for the products in the db. So if you have any further info on how to make this work feel free to suggest.
It is highly unwise to create SQL from string concatenation, and even outright dangerous if those strings partly come from user input.
Database libraries such as ADODB have commands and parameters for this situation. They use a fixed SQL string with placeholders and the library makes sure that nothing bad can happen, no matter what the user-supplied values may be.
This also means we can prepare an SQL statement up-front and re-use it many times throughout the lifetime of the page.
Dim Conn ' As ADODB.Connection
Dim Cmd ' As ADODB.Command
Set Conn = Server.CreateObject("ADODB.Connection")
Set Cmd = Server.CreateObject("ADODB.Command")
Conn.Open "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=D:\path\to\your\database.accdb;"
' prepare a reusable command with parameters (i.e. placeholders)
With Cmd
    Set .ActiveConnection = Conn
    .CommandType = adCmdText
    ' the ACE/Jet provider only understands positional "?" markers;
    ' the parameter names below are just for looking them up in the collection
    .CommandText = "SELECT Field1, Field2, Field3 FROM tyres WHERE brand = ? AND application = ?"
    ' set up the parameters for each placeholder, in the order of the markers
    ' - use proper datatypes here, as per your DB
    ' - varchar types need a defined length
    .Parameters.Append .CreateParameter("@brand", adVarChar, adParamInput, 50)
    .Parameters.Append .CreateParameter("@season", adVarChar, adParamInput, 100)
End With
' helper function that operates the Command object and returns a RecordSet
Function SearchTyres(brand, season)
    ' assign the values to the existing parameters; the SQL text never changes
    Cmd.Parameters("@brand").Value = brand
    Cmd.Parameters("@season").Value = season
    Set SearchTyres = Cmd.Execute
End Function
It's convenient to be able to use the ADODB-specific constants such as adCmdText or adVarChar in your code. To have them available anywhere without fuss, you need to declare the ADODB type library in your global.asa file (create one if you don't have it), adding this to the top of the file:
<!--metadata
type="TypeLib"
name="Microsoft ActiveX Data Objects 6.1 Library"
uuid="B691E011-1797-432E-907A-4D8C69339129"
version="6.1"
-->
Now you can use this in your page, for example:
If Len(brand1) > 2 Then
With SearchTyres(brand1, season1)
' ...let's do something with the RecordSet
While Not .EOF
Response.Write Server.HTMLEncode(!Field1) & "<br>"
.MoveNext
Wend
End With
End If
Notes
- Don't do SELECT * - always write out the fields you want to have.
- Declaring the type library is not absolutely necessary, but if you don't, then you must define all the constants such as adVarChar yourself, and that's much more hassle than it's worth.
- With SearchTyres(...) is convenience shorthand for
  Dim Rs
  Set Rs = SearchTyres(...)
  With Rs
  '...
  End With
- Rs!Field1 is convenience shorthand for Rs.Fields("Field1"). Inside a With Rs block, the Rs itself is optional, so a plain !Field1 is actually meaningful.
Since everyone else is busy bashing you instead of actually answering your question of how to build your sql string:
<%
SqlStr = "SELECT * FROM Tyres WHERE 1 = 1 "
If Len(brand1) > 2 OR Len(brand2) > 2 OR Len(brand3) > 2 OR Len(brand4) > 2 OR Len(brand5) > 2 Then
BrandInStr = " AND brand IN("
If Len(brand1) > 2 Then
BrandInStr = BrandInStr & "'" & brand1 & "',"
End If
If Len(brand2) > 2 Then
BrandInStr = BrandInStr & "'" & brand2 & "',"
End If
If Len(brand3) > 2 Then
BrandInStr = BrandInStr & "'" & brand3 & "',"
End If
If Len(brand4) > 2 Then
BrandInStr = BrandInStr & "'" & brand4 & "',"
End If
If Len(brand5) > 2 Then
BrandInStr = BrandInStr & "'" & brand5 & "',"
End If
BrandInStr = Left(BrandInStr,Len(BrandInStr)-1)
BrandInStr = BrandInStr & ") "
End If
If Len(season1) > 2 OR Len(season2) > 2 OR Len(season3) > 2 OR Len(season4) > 2 OR Len(season5) > 2 Then
SeasonInStr = " AND Season IN("
If Len(Season1) > 2 Then
SeasonInStr = SeasonInStr & "'" & Season1 & "',"
End If
If Len(Season2) > 2 Then
SeasonInStr = SeasonInStr & "'" & Season2 & "',"
End If
If Len(Season3) > 2 Then
SeasonInStr = SeasonInStr & "'" & Season3 & "',"
End If
If Len(Season4) > 2 Then
SeasonInStr = SeasonInStr & "'" & Season4 & "',"
End If
If Len(Season5) > 2 Then
SeasonInStr = SeasonInStr & "'" & Season5 & "',"
End If
SeasonInStr = Left(SeasonInStr,Len(SeasonInStr)-1)
SeasonInStr = SeasonInStr & ") "
End If
SqlStr = SqlStr & BrandInStr & " " & SeasonInStr
%>
However, if your variables are passed as a single comma delimited string (instead of numbered) it would be much easier:
<%
SqlStr = "SELECT * FROM Tyres WHERE 1 = 1 "
If Len(Trim(Replace(Replace(Brand," ",""),",",""))) > 0 Then
SqlStr = SqlStr & "AND Brand In('" & Replace(Brand,",","','") & "') "
End If
If Len(Trim(Replace(Replace(Season," ",""),",",""))) > 0 Then
SqlStr = SqlStr & "AND Season In('" & Replace(Season,",","','") & "') "
End If
%>
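To carry the parameterised approach from the first answer over to the question's up-to-five (brand, season) pairs, which the second answer assembles by concatenation, here is an added example that is not code from the question or either answer. It assumes the ADODB type library declared in global.asa (for adCmdText, adVarChar and adParamInput), a tyres table with columns brand and application, and a placeholder database path.

```vbscript
<%
' Added example: builds the question's multi-pair search with one "?" marker
' per value, so request values are bound as typed parameters and never become
' part of the SQL text. Assumes the ADODB constants from global.asa, a "tyres"
' table with columns brand and application, and a placeholder database path.
Dim Conn, Cmd, i, Where, Brand, Season
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=D:\path\to\your\database.accdb;"
Set Cmd = Server.CreateObject("ADODB.Command")
Set Cmd.ActiveConnection = Conn
Cmd.CommandType = adCmdText

Where = ""
For i = 1 To 5
    Brand = Trim(Request("brand" & i))     ' post or get, as in the question
    Season = Trim(Request("season" & i))
    If Len(Brand) > 2 Then                 ' same threshold as the original code
        If Where <> "" Then Where = Where & " OR "
        ' the SQL text only ever gains fixed markers...
        Where = Where & "(brand = ? AND application = ?)"
        ' ...and the values travel as parameters; ACE/Jet binds them by
        ' position, so append them in the same order as the markers
        Cmd.Parameters.Append Cmd.CreateParameter("brand" & i, adVarChar, adParamInput, 50, Brand)
        Cmd.Parameters.Append Cmd.CreateParameter("season" & i, adVarChar, adParamInput, 100, Season)
    End If
Next

If Where = "" Then
    Response.Write "No search criteria given."
Else
    Cmd.CommandText = "SELECT brand, application FROM tyres WHERE " & Where
    With Cmd.Execute
        While Not .EOF
            ' encode on output as well: stored data may itself contain markup
            Response.Write Server.HTMLEncode(!brand & " / " & !application) & "<br>"
            .MoveNext
        Wend
        .Close
    End With
End If
Conn.Close
%>
```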