Updated: 2023-01-17 10:38:40
The best option is to use parameterized queries. For how that is done, you should check out:
In PHP, too, PDO (and prepared statements) allows developers to use parameterized queries to avoid SQL injection.
Yes, you can specify parameters in the WHERE clause, and for that you can use the ADODB.Command object, as in the example below:
' other connection code (assumes objConn is an already open ADODB.Connection)
Set objCommand = Server.CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConn
' note the space before AND: without it the two literals join as "?AND"
strSql = "SELECT name, info FROM [companies] WHERE name = ? " _
    & "AND info = ?;"
objCommand.CommandText = strSql
objCommand.CommandType = 1 ' adCmdText
' one parameter per ? placeholder, in order (200 = adVarChar, 1 = adParamInput)
objCommand.Parameters.Append objCommand.CreateParameter("name", 200, 1, 255)
objCommand.Parameters.Append objCommand.CreateParameter("info", 200, 1, 255)
objCommand.Parameters(0).Value = strName
objCommand.Parameters(1).Value = strInfo
Set objRS = objCommand.Execute
For more information, see the article link that I posted above, or you may want to research the topic a little more.
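The same two-placeholder lookup written with PHP PDO, as an added example that is not part of the original answer: it puts the string-concatenation pattern the answer warns against next to the prepared-statement form, using an in-memory SQLite database and constructed rows (the company names are made up) so it runs offline.

```php
<?php
// Added example, not code from the original answer. Same WHERE name = ? AND info = ?
// lookup as the ASP snippet, written with PHP PDO. Uses an in-memory SQLite database
// and constructed rows so it runs offline; the table and company names are made up.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE companies (name TEXT, info TEXT)');
$ins = $pdo->prepare('INSERT INTO companies (name, info) VALUES (?, ?)');
$ins->execute(["O'Hare Freight", 'logistics']);
$ins->execute(['Acme', 'widgets']);

// Pattern to avoid: user input spliced into the SQL text. Any quote character in the
// input ends the string literal early, so the input changes the query's structure.
function lookupConcatenated(PDO $pdo, string $name, string $info): array
{
    $sql = "SELECT name, info FROM companies WHERE name = '$name' AND info = '$info'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Parameterized: the SQL text is fixed at prepare() time and the values travel
// separately as data, so a quote in the input is just a quote in the compared value.
function lookupParameterized(PDO $pdo, string $name, string $info): array
{
    $stmt = $pdo->prepare('SELECT name, info FROM companies WHERE name = ? AND info = ?');
    $stmt->execute([$name, $info]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Legitimate input containing an apostrophe: the concatenated query fails with a
// syntax error because the quote broke the SQL, while the parameterized one
// simply returns the matching row.
$name = "O'Hare Freight";
try {
    print_r(lookupConcatenated($pdo, $name, 'logistics'));
} catch (PDOException $e) {
    echo "concatenated query broke: " . $e->getMessage() . "\n";
}
print_r(lookupParameterized($pdo, $name, 'logistics'));
```

The apostrophe case is the cheapest check that a query is really parameterized: if ordinary data containing a quote can break the statement, hostile data can reshape it.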