Syntax error (missing operator) in query expression

Posted 2025-01-02 22:40:59 · 622 characters · 1 view · 0 comments


I know it is a common error, but I still can't solve it myself.
What I am trying to do is: I have a SELECT item called status that allows the user to choose their employment status, and I want to simply get the result and update the status cell in user_table (an Access file).
Any reply will be greatly appreciated!

The code is below:

<!--#include file="../conn/conn.asp"-->
<%
id=request.QueryString("id")
status=request.Form("status")
sql="select * from user_table where id="&id
set rs=conn.execute(sql)     
sql="update user_table set Status='"+status+"' where id="&id
'response.Write sql
conn.execute(sql)
conn.close
response.Write "<script>alert('Change Sucessful!');</script>"
set conn=nothing
response.end()
%>


Comments (2)

蓝礼 2025-01-09 22:40:59


I think you may be having a problem with conn.execute(sql) as well as response.end()

To fix it, you need to do either:

conn.execute sql

or

Call conn.execute(sql)

But, yeah, you should follow other comments posted as your technique has security issues. You should consider changing it to use parameters:

<!--#include file="../conn/conn.asp"-->
<%

id = request.QueryString("id")
status = request.Form("status")

sql = "select * from user_table where id = @id"
Set cmd = CreateObject("ADODB.Command")
cmd.CommandText = sql
Set cmd.ActiveConnection = conn
cmd.Prepared = True
cmd.Parameters.Refresh 
cmd.Parameters("@id") = id
Set rs = cmd.Execute
Set rs = nothing
Set cmd = nothing

sql = "update user_table set status = @status where id = @id"
Set cmd = CreateObject("ADODB.Command")
cmd.CommandText = sql
Set cmd.ActiveConnection = conn
cmd.Prepared = True
cmd.Parameters.Refresh 
cmd.Parameters("@status") = status
cmd.Parameters("@id") = id
Set rs = cmd.Execute
Set rs = nothing
Set cmd = nothing

response.Write "<script>alert('Change Sucessful!');</script>"
Set conn = nothing
response.end
%>
静若繁花 2025-01-09 22:40:59


I'm guessing conn.asp leaves conn open? Otherwise you need to open it. Also, what shows when you uncomment the response.write sql line?

And, you are definitely opening yourself to hackers. You need to 'clean' anything that comes from a request.form or request.querystring (with, at the very least, a replace(..., "'", "''")), or much better, use stored procedures instead of straight SQL.
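As an added example (not code from the question or either reply), the same contrast in Python, with an in-memory sqlite3 table standing in for the Access file (sqlite reports a plain "syntax error" where Access says "missing operator"): the question's concatenated UPDATE fails on a legitimate value containing an apostrophe and on an empty id, the quote-doubling from the second reply repairs only the quoted status literal, and the parameterised form recommended in the first reply handles both and lets the caller see that an empty id updated no rows. Table contents and input values are constructed for the demo.

```python
import sqlite3

# Constructed in-memory stand-in for user_table in the question's Access file.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user_table (id integer primary key, status text)")
    conn.execute("insert into user_table values (1, 'employed')")
    return conn

def update_concat(conn, id_, status):
    """Mirrors the question's string-built UPDATE (the vulnerable form)."""
    sql = "update user_table set Status='" + status + "' where id=" + id_
    conn.execute(sql)
    conn.commit()

def update_concat_escaped(conn, id_, status):
    """The second reply's minimum fix: double single quotes in the value.
    This only protects the quoted status literal; id is still concatenated raw."""
    update_concat(conn, id_, status.replace("'", "''"))

def update_param(conn, id_, status):
    """Parameterised UPDATE (what the first reply does with ADODB.Command)."""
    cur = conn.execute("update user_table set Status=? where id=?", (status, id_))
    conn.commit()
    return cur.rowcount

def get_status(conn, id_):
    row = conn.execute("select status from user_table where id=?", (id_,)).fetchone()
    return row[0] if row else None

def try_concat(conn, id_, status):
    """Return 'ok' or 'syntax error' (sqlite's analogue of Access's missing operator)."""
    try:
        update_concat(conn, id_, status)
        return "ok"
    except sqlite3.OperationalError:
        return "syntax error"

def demo():
    conn = make_db()
    value = "self-employed (O'Brien & Sons)"   # a legitimate value with an apostrophe
    results = {"concat_quote": try_concat(conn, "1", value)}
    # An empty id (form posted without ?id= in its action URL) ends the SQL in "where id=".
    results["concat_empty_id"] = try_concat(conn, "", "unemployed")
    update_concat_escaped(conn, "1", value)
    results["escaped_status"] = get_status(conn, "1")
    results["param_rows"] = update_param(conn, "1", value + " [param]")
    results["param_status"] = get_status(conn, "1")
    results["param_empty_id_rows"] = update_param(conn, "", "unemployed")
    return results
```

Checking the row count returned by the parameterised update is the cheap way to catch the empty-id case that the question's code silently turns into a syntax error.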
