当用户提交结果时将日期和时间保存到访问文件中

发布于 2025-01-03 10:07:55 字数 649 浏览 1 评论 0原文

当用户提交个人结果时，我试图将日期或时间保存到数据库文件中。目前，我可以使用 UPDATE 函数保存除日期或时间之外的所有其他信息。我知道有一些名为 date() 和 now() 的函数用于日期操作。但我就是做不到。并且不用太担心 SQL 注入；这仅供我自己使用。

部分代码在这里：

id=request.QueryString("id")
name=request.Form("name")
sex=request.Form("sex")
age=request.Form("age")
logtime=date()  // I am not sure if this is correct 
sql="select * from table where id="&id
set rs=conn.execute(sql)
sql="update table set name='"+name+"', sex='"+sex+"', age='"+age+"', logtime='"+logtime+"' where id="&id // for the logtime='"+logtime+"', I think it is also not correct.
'response.Write sql
conn.execute(sql)
conn.close
set conn=nothing

原文

I am trying to save date or time into a database file when the user submit the personal results.
Currently, I am able to save all other information using the UPDATE function except the date or time. I know there are functions called date() and now() for date manipulation. But I just cannot get it right. And don't worry too much about SQL injection; this is just for my own use.

Part of the code is here:

id=request.QueryString("id")
name=request.Form("name")
sex=request.Form("sex")
age=request.Form("age")
logtime=date()  // I am not sure if this is correct 
sql="select * from table where id="&id
set rs=conn.execute(sql)
sql="update table set name='"+name+"', sex='"+sex+"', age='"+age+"', logtime='"+logtime+"' where id="&id // for the logtime='"+logtime+"', I think it is also not correct.
'response.Write sql
conn.execute(sql)
conn.close
set conn=nothing

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

眸中客 2025-01-10 10:07:55

我认为在经典 ASP 中它是：

logtime=now()

I think in Classic ASP it's:

logtime=now()

回复收藏 0 原文

人海汹涌 2025-01-10 10:07:55

正如您发布的另一个问题中提到的，您的解决方案存在 SQL 注入的安全风险，并且您应该使用参数化 SQL 查询。此外，您的 conn.Execute(sql) 实际上应该是 conn.Execute sql 或 Call conn.Execute(sql)。此外，通过使用参数化查询，日期处理变得更好，例如：

id = request.QueryString("id")
name=request.Form("name")
sex = request.Form("sex")
age = CInt(request.Form("age"))
logtime = Now

sql = "update user_table" & vbCrLf
sql = sql & "set name = @name, sex = @sex, age = @age, logtime = @logtime" & vbCrLf
sql = sql & "where id = @id" & vbCrLf

Set cmd = CreateObject("ADODB.Command")
cmd.CommandText = sql
Set cmd.ActiveConnection = conn
cmd.Prepared = True
cmd.Parameters.Refresh 
cmd.Parameters("@name") = name
cmd.Parameters("@sex") = sex
cmd.Parameters("@age") = age
cmd.Parameters("@logtime") = logtime
cmd.Parameters("@id") = id
cmd.Execute
Set cmd = nothing

As mention in the other question you posted, your solution has a security risk of SQL injection and that you ought to use parametized SQL queries. In addition, your conn.Execute(sql) should really be conn.Execute sql or Call conn.Execute(sql). In addition, by using parametized queries, date handling becomes better, for instance:

id = request.QueryString("id")
name=request.Form("name")
sex = request.Form("sex")
age = CInt(request.Form("age"))
logtime = Now

sql = "update user_table" & vbCrLf
sql = sql & "set name = @name, sex = @sex, age = @age, logtime = @logtime" & vbCrLf
sql = sql & "where id = @id" & vbCrLf

Set cmd = CreateObject("ADODB.Command")
cmd.CommandText = sql
Set cmd.ActiveConnection = conn
cmd.Prepared = True
cmd.Parameters.Refresh 
cmd.Parameters("@name") = name
cmd.Parameters("@sex") = sex
cmd.Parameters("@age") = age
cmd.Parameters("@logtime") = logtime
cmd.Parameters("@id") = id
cmd.Execute
Set cmd = nothing

回复收藏 0 原文