<%
postit = request.querystring("thispost")
response.write(postit)
%>
postit是變量。 response.write的作品,這都在以下SQL語句之上。如何在SQL語句中使用ASP變量
這是SQL然而,當我加入postit變量我收到此錯誤信息:
delCmd.CommandText="DELETE * FROM post WHERE (pos_ID = postit)"
Microsoft Access Database Engine error '80040e10'
No value given for one or more required parameters.
/student/s0190204/wip/deleterecord.asp, line 32
添加參數到SQL:
delCmd.CommandText="DELETE * FROM post WHERE (pos_ID = ?)"
delCmd.Parameters.Append delCmd.CreateParameter("posid", adInteger, adParamInput) ' input parameter
delCmd.Parameters("posid").Value = postit
更容易刪除,這種方式在不需要檢查記錄集時很有用:
cn.open "yourconnectionstring"
cn.execute "DELETE * FROM post WHERE pos_ID = " & request.querystring("thispost")
cn.close
這種方法的問題是我們不知道'thispost'(你的情況)來自哪裏,並打開應用程序到[SQL注入攻擊](http://en.wikipedia.org/wiki/SQL_injection )。 – Paul
未提及參數的驗證。我嘗試使用相同的請求來解釋價值的來源。 –
您沒有將postit的值傳遞給Access;相反,您要告訴Access找到&使用一個名爲postit的變量。當然,所述變量在Access中不存在 - 它只存在於您的代碼中。該修復只是一對引號和一對&符號。
delCmd.CommandText="DELETE * FROM post WHERE (pos_ID = " & postit & ")"
(。當然,你應該驗證postit你去將其發送給您的數據庫之前,一個簡單的CDbl()可以做的伎倆,假設它是一個數值)
個人並不喜歡在SQL查詢中使用串聯,參數化查詢更安全且易於閱讀。 – Lankymart
試試這個代碼:
<% Dim postit, stringSQL, objectCon
postit = request.querystring("thispost")
Set objectCon = Server.CreateObject("ADODB.Connection")
objectCon.ConnectionString "Driver={SQL SERVER};Server=server_name;UID=user_name;PWD=password;Database=database_name" 'SET CONNECTION STRING OF YOUR DATABASE
stringSQL = "DELETE FROM post WHERE pos_id='" & postit & "'"
objectCon.Open
objectCon.Execute(stringSQL)
objectCon.Close() %>
夫婦的事情,這將有助於你在未來
Option Explicit以避免隱藏將在稍後回來咬你的問題有可以使用在代碼中ADODB.Command對象,這將在下面的例子來說明時加快速度的幾個技巧(假設您已經存儲在全局配置呼叫gs_connstr一個連接字符串);
<%
Option Explicit
Dim postit
postit = Request.QueryString("thispost")
'Always do some basic validation of your Request variables
If Len(postit) > 0 And IsNumeric(postit) Then CLng(postit) Else postit = 0
Dim o_cmd, o_rs, a_rs, i_row, i_rows, l_affected
Dim SQL
'SQL statement to be executed. For CommandType adCmdText this can be any dynamic
'statement, but adCmdText also gives you an added bonus - Parameterised Queries
'instead of concatenating values into your SQL you can specify placeholders (?)
'that you will define values for that will get passed to the provider in the order
'they are defined in the SQL statement.
SQL = "DELETE * FROM post WHERE (pos_ID = ?)"
Set o_cmd = Server.CreateObject("ADODB.Command")
With o_cmd
'ActiveConnection will accept a Connection String so there is no need
'to instantiate a separate ADODB.Connection object the ADODB.Command object
'will handle this and also open the connection ready.
.ActiveConnection = gs_connstr
.CommandType = adCmdText
.CommandText = SQL
'When using Parameters the most important thing to remember is the order you
'appended your parameters to the Parameters collection as this will determine
'the order in which they are applied to your SQL query at execution. Because
'of this the name you give to your parameters is not important in terms of
'execution but I find specifying a meaningful name is best (especially when
'revisiting some code a few years down the line).
Call .Parameters.Append(.CreateParameter("@pos_ID", adInteger, adParamInput, 4))
'Parameter values can be passed in via the Execute() method using an Array
'without having to define the parameter values explicitly. You can also specify
'the records affected value to return number of rows affected by a DELETE,
'INSERT or UPDATE statement.
.Execute(l_affected, Array(postit))
End With
'Always tidy up after yourself, by releasing your object from memory, this will
'also tidy up your connection as it was created by the ADODB.Command object.
Set o_cmd = Nothing
%>
這給了我所需要的錯誤 對象: '' 任何想法? – Jayyf9
我的代碼中的錯字 - 再試一次。 –
參數?_1沒有默認值。 – Jayyf9