[英]Can someone please tell me what is wrong with this statement?
I am using this to insert a few things into my table and it keeps giving me this error: 我正在使用它向表中插入一些东西,并且一直给我这个错误:
Microsoft VBScript compilation error '800a03ee' Expected ')' /thanks.asp, line 63 Set rstSimple = cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode) VALUES ('"Request.QueryString("payer_email") & "', '" & Request.QueryString("payer_email") & "', '" & Request.QueryString("first_name") & "', '" & Request.QueryString("last_name") & "', '" & Request.QueryString("hash")"')) ---------------------------------------------------------------------------------------------------------------------^
This is the code I am using: 这是我正在使用的代码:
Set rstSimple = cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode) VALUES ('"Request.QueryString("payer_email") & "', '" & Request.QueryString("payer_email") & "', '" & Request.QueryString("first_name") & "', '" & Request.QueryString("last_name") & "', '" & Request.QueryString("hash")"'))
Can someone please help me? 有人可以帮帮我吗?
Thank you 谢谢
I'd suggest breaking up your code as follows, so it becomes readable and understandable: 我建议按以下方式分拆您的代码,以使其变得可读和可理解:
Dim execSql
execSql = "insert into SALT (Email, Username, FirstName, LastName, ActivationCode)"
execSql = execSql & " VALUES ('"
execSql = execSql & Request.QueryString("payer_email")
execSql = execSql & "', '"
execSql = execSql & Request.QueryString("payer_email")
execSql = execSql & "', '"
execSql = execSql & Request.QueryString("first_name")
execSql = execSql & "', '"
execSql = execSql & Request.QueryString("last_name")
execSql = execSql & "', '"
execSql = execSql & Request.QueryString("hash")
execSql = execSql & "')"
Set rstSimple = cnnSimple.Execute(execSql)
while typing, I removed the quote-errors of your string. 键入时,我删除了字符串的引用错误。 Now it becomes more apparent where they are if you receive a new error.
现在,如果您收到新错误,则它们在哪里变得更加明显。 Also, the coloring of the code makes it readable and easy to spot the error (depening on what editor you use).
此外,代码的颜色使代码易于阅读并且易于发现错误(取决于您使用的编辑器)。
As someone else already mentioned, your code is highly susceptible to SQL injection attacks. 正如其他人已经提到的那样,您的代码非常容易受到SQL注入攻击的影响。 Even if no attack (ie, to drop your database) is meant, it will fail if someone is named
d'Amour
(French) or in 't Huys
(Dutch), crashing your page. 即使没有攻击(即删除数据库)的意图,但是如果某人名为
d'Amour
(法语)或in 't Huys
(荷兰语),也会使您的页面崩溃。 To circumvent this, don't try to filter your code, but rewrite it using SQL Command and Parameters. 为了避免这种情况,请不要尝试过滤代码,而要使用SQL命令和参数将其重写。 It's easy, your code simply becomes this:
很简单,您的代码就变成了这样:
Set dbCommand = Server.CreateObject("ADODB.Command")
Set dbCommand.ActiveConnection = cnnSimple
dbCommand.CommandType = adCmdText
dbCommand.CommandText = _
"INSERT INTO SALT (Email, Username, FirstName, LastName, ActivationCode) " + _
"VALUES (@email, @user, @firstname, @lastname, @code)"
With dbCommand.Parameters
.Add("email", adVarChar, adParamInput, , Request.QueryString("payer_email"))
.Add("user", adVarChar, adParamInput, , Request.QueryString("payer_email"))
.Add("firstname", adVarChar, adParamInput, , Request.QueryString("first_name"))
.Add("lastname", adVarChar, adParamInput, , Request.QueryString("last_name"))
.Add("code", adVarChar, adParamInput, , Request.QueryString("hash"))
End With
Set rstSimple = dbCommand.Execute()
Note: make sure to download and include ADOVBS.INC so you don't have to replace the constants adVarChar
and adParamInput
and such with their numeric equivalents. 注意:请确保下载并包含ADOVBS.INC,这样就不必用常量数字替换常量
adVarChar
和adParamInput
等。
For more info see this SO answer by Jose Basilio , Google on "SQL Injection ASP" or "SQL Prepared Statement Classic ASP", it should find you some hits. 有关更多信息,请参见Google在“ SQL Injection ASP”或“ SQL Prepared Statement Classic ASP”上的Jose Basilio的回答 ,它应该会给您带来一些帮助。
You have a missing &
in here: 您在这里缺少
&
:
VALUES ('"Request.QueryString("payer_email") & "'
should be: 应该:
VALUES ('" & Request.QueryString("payer_email") & "'
And even in the last part of your statement, you have a missing &
and a missing "
: 即使在语句的最后部分,您也缺少
&
并且缺少"
:
Request.QueryString("hash")"'))
should be: 应该:
Request.QueryString("hash") & "')")
Therefore you may want to try the following statement: 因此,您可能需要尝试以下语句:
cnnSimple.Execute("insert into SALT (Email, Username, FirstName, LastName, ActivationCode) VALUES ('" & Request.QueryString("payer_email") & "', '" & Request.QueryString("payer_email") & "', '" & Request.QueryString("first_name") & "', '" & Request.QueryString("last_name") & "', '" & Request.QueryString("hash") & "')")
Seems like there is a syntax error related to your parenthesis. 似乎存在与括号相关的语法错误。 The 2 parenthesis at the end of that line looks kind of fishy.
该行末尾的2括号看起来有点可疑。
The missing ampersands and quotes may be the least of your problems. 缺少的&符号可能是您遇到的最少问题。
It does not look like you are cleaning the strings in any way. 看起来您没有以任何方式清洁琴弦。 The strings could contain single quotes that are not escaped.
字符串可以包含不能转义的单引号。 You are open to SQL injection because you are not using parameters.
您对SQL注入持开放态度,因为您没有使用参数。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.