2013-01-10 29 views
0

ADODB Field error in ASP code

Question: I have a search that works fine until a user runs a query that returns no results. When that happens the dropdown (which gets its options from SQL) stops working, and I get the following instead:

<option label=' <font face="Arial" size=2> 
<p>ADODB.Field</font> <font face="Arial" size=2>error '80020009'</font> 
<p> 
<font face="Arial" size=2>Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.</font> 
<p> 
<font face="Arial" size=2>/junk/dbinstant.htm</font><font face="Arial" size=2>, line 0</font> 

When this happens, it appears to cut off all of the code below it.

I believe the code responsible is:

<%if request.querystring("abn") = "all" then 
response.write("") 
else 
response.write("<option label='")%><%=lcon("legal")%><%response.write("' value='")%><%=(src_abn)%><%response.write("' selected></option>") 
end if %> 

The whole page:

<%@ LANGUAGE="VBSCRIPT" %> 
<% 
pagetitle="Contractor Details" 
%> 
<!--#INCLUDE VIRTUAL="/_lib/include/header.htm"--> 
<!--#INCLUDE VIRTUAL="/_lib/include/menu.htm"--> 
<script> 
$(document).ready(function() { 
    $("#abn,#cat").change(function() { 
    this.form.submit(); 
}) 
}); 
</script> 
<div class="twoColumnRow"> 
<div class="twoColumnContent"> 
<p class="breadCrm"><a href="/index.htm">Home</a> <span>&gt;</span> <a href="/tools/index.htm">Tools of the Trade</a> <span>&gt;</span> <a href="/tools/finance/index.htm">Finance and Purchasing</a><span>&gt;</span> <a href="/tools/finance/procurement/index.htm">Procurement and Contracts information</a></p> 
<div class="contentPad"> 
<!-- Start of main content --> 

<p class="imageRight">&nbsp;</p> 
<h1><%=pagetitle%></h1> 

<% 
     Dim connectString, connect, conDB, sconDB, lDB, con, scon, lcon, src_abn, src_cat 
     connectString = "Driver={Microsoft Text Driver (*.txt; *.csv)}; DBQ=" & Server.MapPath("data") 
       src_abn = Request.QueryString("abn") 
       src_cat = Request.QueryString("cat") 
     set connect = Server.CreateObject("ADODB.connection") 
     connect.open connectString 

     if src_abn = "all" and src_cat = "all" then 
     conDB = "SELECT * FROM cont.csv" 
     lDB = "SELECT * FROM cont.csv" 
     elseif src_abn = "all" then 
     conDB = "SELECT * FROM cont.csv WHERE " & src_cat & " = 'Yes'" 
     lDB = "SELECT * FROM cont.csv WHERE " & src_cat & " = 'Yes'"  
     elseif src_cat = "all" then 
     conDB = "SELECT * FROM cont.csv WHERE ucase(abn) LIKE ucase('%"+src_abn+"%')" 
     lDB = "SELECT * FROM cont.csv WHERE ucase(abn) LIKE ucase('%"+src_abn+"%')" 
     else 
     conDB = " SELECT * FROM cont.csv WHERE " & src_cat & " = 'Yes' AND ucase(abn) LIKE ucase('%"+src_abn+"%')" 
     lDB = " SELECT * FROM cont.csv WHERE " & src_cat & " = 'Yes' AND ucase(abn) LIKE ucase('%"+src_abn+"%')" 
     end if 

     sconDB = "SELECT * FROM cont.csv" 

     set con = connect.execute(conDB) 
     set scon = connect.execute(sconDB) 
     set lcon = connect.execute(lDB) 
%> 
<h2>Search results</h2><hr /> 
<% if not con.BOF then %> 
<div style="margin-top:1em"> 

    <form action="dbinstant.htm" method="get"> 

     <p>Company name:1<br/> 
     <select id="abn" name="abn"> 
     <option label="All companies" value="all" <%if request.querystring("abn") = "all" then response.write("selected") %>></option> 
     <%if request.querystring("abn") = "all" then 
     response.write("<option label='All companies' value='all' selected></option>") 
     else 
     response.write("<option label='")%><%=lcon("legal")%><%response.write("' value='")%><%=(src_abn)%><%response.write("' selected></option>") 
     end if %> 
     <% while (NOT scon.EOF) %> 
     <option label="<%=scon("legal")%>" value="<%=scon("abn")%>" <%if request.querystring("abn") = "response.write(src_abn)" then 
     response.write("selected") 
     end if %>></option> 
     <%scon.MoveNext() 
          Wend %> 
     </select> 
     </p> 
    <p>Categories for Creative Design:<br/> 
     <select id="cat" name="cat"> 
     <option class="group" label="All categories" value="all" <%if request.querystring("cat") = "all" then response.write("selected") %>></option> 
     <option class="group" label="Strategic brand, marketing and communications advice" value="a" <%if request.querystring("cat") = "a" then response.write("selected") %>></option> 
     <option class="group" label="Graphic design and layout" value="b" <%if request.querystring("cat") = "b" then response.write("selected") %>></option> 
     <option class="group" label="Forms design" value="c" <%if request.querystring("cat") = "c" then response.write("selected") %>></option> 
     <option class="group" label="Web design and development" value="d" <%if request.querystring("cat") = "d" then response.write("selected") %>></option> 
     <option class="group" label="Authoring services" value="e" <%if request.querystring("cat") = "e" then response.write("selected") %>></option> 
     <option class="group" label="Editorial services" value="f" <%if request.querystring("cat") = "f" then response.write("selected") %>></option> 
     <option class="group" label="Translation services" value="g" <%if request.querystring("cat") = "g" then response.write("selected") %>></option> 
     <option class="group" label="Photography and film services" value="h" <%if request.querystring("cat") = "h" then response.write("selected") %>></option> 
     <option class="group" label="Scanning and digitisation services" value="i" <%if request.querystring("cat") = "i" then response.write("selected") %>></option> 
     <option class="group" label="Multimedia editing services" value="j" <%if request.querystring("cat") = "j" then response.write("selected") %>></option> 
     </select> 
    </p> 
    <input type="submit" value="Search" /> 
    </form> 
    <br /><hr /> 

    <table style="font-size:.9em;" class="contentTable"> 
      <tr> 
       <th>ABN:</th> 
       <th>Company Name:</th> 
      </tr> 
    <% con.Movefirst() %> 
    <% while (NOT con.EOF) %> 
      <tr> 
       <td width="120px"><%=con("abn")%></td> 
       <td><a href="dbcomp.htm?abn=<%=con("abn")%>&cat=all"><%=con("legal")%></a></td> 
      </tr> 
    <% 
    con.MoveNext() 
    Wend 
    %> 
</table> 

</div> 
<% else %> 
    <% scon.Movefirst() %> 
    <form action="dbinstant.htm" method="get"> 

     <p>Company name:2<br/> 
     <select id="abn" name="abn"> 
     <option label="All companies" value="all" <%if request.querystring("abn") = "all" then response.write("selected") %>></option> 
     <%if request.querystring("abn") = "all" then 
     response.write("") 
     else 
     response.write("<option label='")%><%=lcon("legal")%><%response.write("' value='")%><%=(src_abn)%><%response.write("' selected></option>") 
     end if %> 

     <% while (NOT scon.EOF) %> 
     <option label="<%=scon("legal")%>" value="<%=scon("abn")%>" <%if request.querystring("abn") = "response.write(src_abn)" then 
     response.write("selected") 
     end if %>></option> 
     <%scon.MoveNext() 
          Wend %> 
     </select> 
     </p> 
    <p>Categories for Creative Design:<br/> 
     <select id="cat" name="cat"> 
     <option class="group" label="All categories" value="all" <%if request.querystring("cat") = "all" then response.write("selected") %>></option> 
     <option class="group" label="Strategic brand, marketing and communications advice" value="a" <%if request.querystring("cat") = "a" then response.write("selected") %>></option> 
     <option class="group" label="Graphic design and layout" value="b" <%if request.querystring("cat") = "b" then response.write("selected") %>></option> 
     <option class="group" label="Forms design" value="c" <%if request.querystring("cat") = "c" then response.write("selected") %>></option> 
     <option class="group" label="Web design and development" value="d" <%if request.querystring("cat") = "d" then response.write("selected") %>></option> 
     <option class="group" label="Authoring services" value="e" <%if request.querystring("cat") = "e" then response.write("selected") %>></option> 
     <option class="group" label="Editorial services" value="f" <%if request.querystring("cat") = "f" then response.write("selected") %>></option> 
     <option class="group" label="Translation services" value="g" <%if request.querystring("cat") = "g" then response.write("selected") %>></option> 
     <option class="group" label="Photography and film services" value="h" <%if request.querystring("cat") = "h" then response.write("selected") %>></option> 
     <option class="group" label="Scanning and digitisation services" value="i" <%if request.querystring("cat") = "i" then response.write("selected") %>></option> 
     <option class="group" label="Multimedia editing services" value="j" <%if request.querystring("cat") = "j" then response.write("selected") %>></option> 
     </select> 
    </p> 
    <input type="submit" value="Search" /> 
    </form> 
    <br /><hr /> 
<p>No records match your query.</p> 
<p><a href="dbtest.htm">Return to search page</a></p> 
<% 
    end if 
    con.close 
%> 


<!-- End of main content --> 
</div> <!-- end contentPad div --> 
</div> <!-- end twocolumncontent div --> 
<div class="twoColumnLinks"> 

<!--<div class="relatedLinks"> 
<h3>Related Links</h3> 
<ul> 
<li><a href="/index.htm">Related link 1</a></li> 
</ul> 
</div>--> <!-- end relatedlinks div --> 
<!--#INCLUDE VIRTUAL="/_lib/include/quicklinks.htm"--> 
<!--#INCLUDE VIRTUAL="/_lib/include/mylinks.htm"--> 
</div> <!-- end twocolumnlinks div --> 
</div> <!-- end twocolumnrow div --> 
<!--#INCLUDE VIRTUAL="/_lib/include/footer.htm"--> 

Answer

3

Try changing con.BOF to con.EOF.

Apart from that, your code has serious SQL injection vulnerabilities. I hope you're aware of that :-)

For example, you would want to change something like this:

conDB = "SELECT * FROM cont.csv WHERE ucase(abn) LIKE ucase('%"+src_abn+"%')" 

to:

conDB = "SELECT * FROM cont.csv WHERE ucase(abn) LIKE ucase('%"+ Replace(src_abn, "'", "''") + "%')" 

Start with these:

  1. Classic ASP SQL Injection Protection
  2. Preventing SQL Injections in ASP
  3. Filtering SQL injection from Classic ASP
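As an added example (not the answer's or the original poster's code), here is the abn filter from the page rewritten so that the user-supplied value travels as an ADODB.Command parameter instead of being spliced into the SQL text, and so that the field is only read after an EOF check, which is what the "Either BOF or EOF is True" error is complaining about. It assumes the Microsoft Text ODBC driver named on the page accepts "?" parameter markers; the CategoryColumn function is part of the example, and the column names a to j are taken from the option values on the page.

```vbscript
<%
' Added example, not the original poster's page: parameterised abn filter plus
' an EOF guard before reading a field from the recordset.
' Assumption: the ODBC Text driver accepts "?" parameter markers.
Dim connectString, connect, cmd, rs, src_abn, src_cat, catColumn, legalName
connectString = "Driver={Microsoft Text Driver (*.txt; *.csv)}; DBQ=" & Server.MapPath("data")
src_abn = Request.QueryString("abn")
src_cat = Request.QueryString("cat")

' src_cat is used as a column name in the query, which no quoting or Replace()
' can protect; map the submitted letter onto a fixed list of column names.
Function CategoryColumn(cat)
    Select Case cat
        Case "a", "b", "c", "d", "e", "f", "g", "h", "i", "j"
            CategoryColumn = cat
        Case Else
            CategoryColumn = ""   ' anything else is treated as "all"
    End Select
End Function

Set connect = Server.CreateObject("ADODB.Connection")
connect.Open connectString

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = connect
cmd.CommandType = 1   ' adCmdText

catColumn = CategoryColumn(src_cat)
If src_abn = "all" Then
    If catColumn = "" Then
        cmd.CommandText = "SELECT * FROM cont.csv"
    Else
        cmd.CommandText = "SELECT * FROM cont.csv WHERE " & catColumn & " = 'Yes'"
    End If
Else
    ' The abn value is bound as a parameter, never concatenated into the SQL.
    If catColumn = "" Then
        cmd.CommandText = "SELECT * FROM cont.csv WHERE ucase(abn) LIKE ?"
    Else
        cmd.CommandText = "SELECT * FROM cont.csv WHERE " & catColumn & " = 'Yes' AND ucase(abn) LIKE ?"
    End If
    ' 200 = adVarChar, 1 = adParamInput
    cmd.Parameters.Append cmd.CreateParameter("abn", 200, 1, 255, "%" & UCase(src_abn) & "%")
End If

Set rs = cmd.Execute

' On an empty recordset BOF and EOF are both True and rs("legal") raises
' error 80020009, so read the field only when a current record exists.
If rs.EOF Then
    legalName = ""
Else
    legalName = rs("legal")
End If
Response.Write "<option label=""" & Server.HTMLEncode(legalName) & _
               """ value=""" & Server.HTMLEncode(src_abn) & """ selected></option>"

rs.Close
connect.Close
%>
```

The same EOF guard belongs in front of every `lcon("legal")` read on the page, since lcon runs the same query as con and is equally empty when the search matches nothing; Server.HTMLEncode on the values written into the option tag is there so a query string cannot break out of the attribute either.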
+0

Ofer Zelig is right. At the very least you need to sanitize the query string that is passed in. – mikeY

+0

Where would SQL injection be used there? (Always keen to learn how to protect against it; would you recommend any books?) – sephiith

+0

I have edited my answer. –