How to filter data parsed from database using ASP

I've recently got my hands on an ASP project that was quite a mess. I'm not familiar with the language but after spending some time searching the Internet I've managed to learn it, but I'm still unfamiliar with the database queries etc.

So here's the problem, I've got this code that gets data from an MS Access database file. What I want is to filter this data based on the post/get parameters passed.

Here's the code I have so far:

sql = "SELECT * FROM tyres"

' a block-form If (condition on its own line) needs a matching End If in VBScript
if len(brand1) > 2 then
    sql = sql & " WHERE brand = '" & brand1 & "' AND application = '" & season1 & "'"
end if

if len(brand2) > 2 then
    sql = sql & " or brand = '" & brand2 & "' AND application = '" & season2 & "'"
end if

if len(brand3) > 2 then
    sql = sql & " or brand = '" & brand3 & "' AND application = '" & season3 & "'"
end if

if len(brand4) > 2 then
    sql = sql & " or brand = '" & brand4 & "' AND application = '" & season4 & "'"
end if

if len(brand5) > 2 then
    sql = sql & " or brand = '" & brand5 & "' AND application = '" & season5 & "'"
end if

' open the connection (DSN name) and run the concatenated query
set Dataconn = Server.CreateObject("ADODB.Connection")
Dataconn.Open "database-in"
set DataTable = Server.CreateObject("ADODB.recordset")
DataTable.Open sql, Dataconn

And it doesn't seem to work. Note that the user is able to insert up to 5 (as you can see) different parameters in order to search for the products in the db. So if you have any further info on how to make this work feel free to suggest.

It is highly unwise to create SQL from string concatenation, and even right-out dangerous if those strings partly come from user input.

Database libraries such as ADODB have commands and parameters for this situation. They use a fixed SQL string with placeholders and the library makes sure that nothing bad can happen, no matter what the user-supplied values may be.

This also means we can prepare an SQL statement up-front and re-use it many times throughout the lifetime of the page.

Dim Conn ' As ADODB.Connection
Dim Cmd  ' As ADODB.Command

Set Conn = Server.CreateObject("ADODB.Connection")
Set Cmd = Server.CreateObject("ADODB.Command")

Conn.Open "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=D:\path\to\your\database.accdb;"

' prepare a reusable command with parameters (i.e. placeholders)
' the Access OLE DB provider matches parameters by position, so the SQL text
' uses "?" placeholders; the parameter names below are only for readability
With Cmd
  Set .ActiveConnection = Conn
  .CommandType = adCmdText
  .CommandText = "SELECT Field1, Field2, Field3 FROM tyres WHERE brand = ? AND application = ?"

  ' set up the parameters for each placeholder
  '  - use proper datatypes here, as per your DB
  '  - varchar types need a defined length
  '  - VBScript cannot skip arguments, so the direction is given explicitly
  .Parameters.Append .CreateParameter("@brand", adVarChar, adParamInput, 50)
  .Parameters.Append .CreateParameter("@season", adVarChar, adParamInput, 100)
End With

' helper function that operates the Command object and returns a RecordSet
Function SearchTyres(brand, season)
  ' assign the user-supplied values; they travel as data, never as SQL text
  Cmd.Parameters("@brand").Value = brand
  Cmd.Parameters("@season").Value = season
  Set SearchTyres = Cmd.Execute
End Function

It's convenient to be able to use the ADODB-specific constants such as adCmdText or adVarChar in your code. To have them available anywhere without fuss, you need to declare the ADODB type library in your global.asa file (create one if you don't have it), adding this to the top of the file:

<!--metadata 
    type="TypeLib" 
    name="Microsoft ActiveX Data Objects 6.1 Library" 
    uuid="B691E011-1797-432E-907A-4D8C69339129"
    version="6.1"
-->

Now you can use this in your page, for example:

If Len(brand1) > 2 Then
  With SearchTyres(brand1, season1)
    ' ...let's do something with the RecordSet
    While Not .EOF
      Response.Write Server.HTMLEncode(!Field1) & "<br>"
      .MoveNext
    Wend
  End With
End If

Notes

  • Don't do SELECT * - always write out the fields you want to have.
  • Declaring the type library is not strictly necessary, but if you don't, then you have to define all the constants like adVarChar yourself, and that's much more hassle than it's worth.
  • With SearchTyres(...) is convenience shorthand for

        Dim Rs
        Set Rs = SearchTyres(...)
        With Rs
          '...
        End With

  • Rs!Field1 is convenience shorthand for Rs.Fields("Field1"). Inside a With Rs block, the Rs itself is optional, so a plain !Field1 is actually meaningful.
  • Lastly, it can help to create code in the VBA IDE of an MS Office product (such as Word). Use Tools/References to reference the same ADODB type library. VBA and VBS are not 100% code-compatible, but the VBA IDE has Intellisense, a proper debugger, uses the same objects and code can be transferred to ASP with minimal changes.

Since everyone else is busy bashing you instead of actually answering your question of how to build your sql string:

<%

    SqlStr = "SELECT * FROM Tyres WHERE 1 = 1 " 
    If Len(brand1) > 2 OR  Len(brand2) > 2 OR  Len(brand3) > 2 OR  Len(brand4) > 2 OR  Len(brand5) > 2 Then
        BrandInStr = " AND brand IN("
            If Len(brand1) > 2 Then
                BrandInStr = BrandInStr & "'" & brand1 & "',"    
            End If          
            If Len(brand2) > 2 Then
                BrandInStr = BrandInStr & "'" & brand2 & "',"    
            End If              
            If Len(brand3) > 2 Then
                BrandInStr = BrandInStr & "'" & brand3 & "',"    
            End If              
            If Len(brand4) > 2 Then
                BrandInStr = BrandInStr & "'" & brand4 & "',"    
            End If                  
            If Len(brand5) > 2 Then
                BrandInStr = BrandInStr & "'" & brand5 & "',"    
            End If  
        BrandInStr = Left(BrandInStr,Len(BrandInStr)-1)             
        BrandInStr = BrandInStr & ") "
    End If
    If Len(season1) > 2 OR  Len(season2) > 2 OR  Len(season3) > 2 OR  Len(season4) > 2 OR  Len(season5) > 2 Then
        SeasonInStr = " AND Season IN("
            If Len(Season1) > 2 Then
                SeasonInStr = SeasonInStr & "'" & Season1 & "',"    
            End If          
            If Len(Season2) > 2 Then
                SeasonInStr = SeasonInStr & "'" & Season2 & "',"    
            End If              
            If Len(Season3) > 2 Then
                SeasonInStr = SeasonInStr & "'" & Season3 & "',"    
            End If              
            If Len(Season4) > 2 Then
                SeasonInStr = SeasonInStr & "'" & Season4 & "',"    
            End If      
            If Len(Season5) > 2 Then
                SeasonInStr = SeasonInStr & "'" & Season5 & "',"  
            End If  
        SeasonInStr = Left(SeasonInStr,Len(SeasonInStr)-1)              
        SeasonInStr = SeasonInStr & ") "
    End If

    SqlStr = SqlStr & BrandInStr & " " & SeasonInStr

%>

However, if your variables are passed as a single comma-delimited string (instead of numbered) it would be much easier:

<%

    SqlStr = "SELECT * FROM Tyres WHERE 1 = 1 "

    ' strip spaces and commas first, so a field holding only separators counts as empty
    If Len(Trim(Replace(Replace(Brand, " ", ""), ",", ""))) > 0 Then
       SqlStr = SqlStr & "AND Brand In('" & Replace(Brand,",","','") & "') "
    End If


    If Len(Trim(Replace(Replace(Season, " ", ""), ",", ""))) > 0 Then
       SqlStr = SqlStr & "AND Season In('" & Replace(Season,",","','") & "') "
    End If

%>
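The first answer shows a fixed SQL text with placeholders for one brand/season pair, and the second shows how to fold up to five optional values into an IN (...) list. The example below, added here and not code from the question or either answer, combines the two: the IN list grows with the number of supplied values, but only the count of "?" placeholders depends on the input, never the SQL text itself. It uses Python's standard sqlite3 module as an offline stand-in for ADODB and Access; the rows, the extra "model" column and the split_list helper for the comma-delimited variant are constructed assumptions for the demonstration. A value containing a single quote is included to show that with parameters it is matched literally instead of altering the query.

```python
import sqlite3

# Constructed sample data standing in for the question's "tyres" table.
# Columns follow the question (brand, application); "model" is made up.
SAMPLE_ROWS = [
    ("BrandA", "summer", "A1"),
    ("BrandA", "winter", "A2"),
    ("BrandB", "summer", "B1"),
    ("BrandC", "winter", "C1"),
    ("O'Brand", "summer", "O1"),   # a quote in the data, handled safely below
]


def open_sample_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tyres (brand TEXT, application TEXT, model TEXT)")
    conn.executemany("INSERT INTO tyres VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def split_list(text):
    """Turn a comma-delimited form field (the second answer's variant) into a list."""
    return [part.strip() for part in text.split(",") if part.strip()]


def build_search(brands, seasons):
    """Return (sql, params): fixed SQL text with '?' placeholders plus the values.

    brands/seasons are the up-to-five form fields of the question.  Entries that
    are missing or shorter than three characters are ignored, mirroring the
    Len(...) > 2 checks on the page.  User input never reaches the SQL text;
    only the number of placeholders depends on how many values were supplied.
    """
    sql = "SELECT brand, application, model FROM tyres WHERE 1 = 1"
    params = []
    for column, values in (("brand", brands), ("application", seasons)):
        kept = [v for v in values if v is not None and len(v) > 2]
        if kept:
            placeholders = ", ".join("?" * len(kept))   # "?, ?, ?" for three values
            sql += f" AND {column} IN ({placeholders})"
            params.extend(kept)
    sql += " ORDER BY model"
    return sql, params


def search_tyres(conn, brands, seasons):
    """Run the parameterised search and return the matching rows."""
    sql, params = build_search(brands, seasons)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    print(search_tyres(db, ["BrandA", "BrandB", "", None, None], ["summer"]))
    # the quote inside the value is plain data and matches the O'Brand row only
    print(search_tyres(db, ["O'Brand"], []))
    # comma-delimited input, as in the second answer's last snippet
    print(search_tyres(db, split_list("BrandA, BrandC ,,"), split_list("winter")))
```

When no brand and no season passes the length check, the query degrades to the plain "WHERE 1 = 1" and returns every row, which is the same behaviour the second answer's "1 = 1" trick gives; the difference is that an empty or separator-only field can never leave a dangling comma or an unbalanced quote in the SQL.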
