
SQL injection protection

Updated: 2023-02-05 21:41:20

Hey all,

I'm far from new to programming, neither to ASP nor to SQL. However, my SQL
know-how is apparently wanting...

I have always validated user input to pieces prior to integrating it into a
SQL statement, in order to avoid SQL injection attacks. A colleague of mine
told me that binding my vars would make them SQL scalar, but I have been
left in the dark as to HOW... The web left me none the wiser, as well, so
here goes: Anyone got a brief example of binding vars in ASP to get me
started? I'll name my firstborn after the provider of such assistance... ;-)

Leif Beaton

Mr Beaton wrote:
> Hey all,
>
> I'm far from new to programming, neither to ASP nor to SQL. However, my SQL
> know-how is apparently wanting...
>
> I have always validated user input to pieces prior to integrating it
> into a SQL statement, in order to avoid SQL injection attacks. A
> colleague of mine told me that binding my vars would make them SQL
> scalar, but I have been left in the dark as to HOW... The web left me
> none the wiser, as well, so here goes: Anyone got a brief example of
> binding vars in ASP to get me started?

I suspect your colleague was talking about using parameters. See either
this,

if you are using stored procedures (recommended):
http://tinyurl.com/jyy0

or this:
http://groups-beta.google.com/group/...e36562fee7804e

> I'll name my firstborn after
> the provider of such assistance... ;-)

No need.

Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
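As an added example (not code from the thread, nor from the posts the reply links to): the string concatenation the question describes, beside the parameterized ADO Command that replaces it, written as a classic ASP/VBScript page. The table dbo.Users, the stored procedure dbo.usp_GetUser, the Application("ConnString") connection string and the "username" form field are assumptions; the ADO constant values are the ones adovbs.inc defines.

```asp
<%@ Language=VBScript %>
<%
Option Explicit

' ADO constants, defined inline so the page runs without adovbs.inc
Const adCmdText = 1
Const adCmdStoredProc = 4

' VULNERABLE (what the question describes): the input becomes SQL text.
' A value such as   x' OR '1'='1   rewrites the WHERE clause, and
' stripping characters out of the input is a losing race against the
' SQL parser. Shown for contrast only; never executed on this page.
Function UnsafeUserSql(name)
    UnsafeUserSql = "SELECT UserName, Email FROM dbo.Users WHERE UserName = '" & name & "'"
End Function

' SAFE: the SQL text is a constant; the value travels as a parameter, so
' the server only ever sees it as data. The variant-array form of Execute
' lets ADO build the Parameter objects itself.
Function LookupUser(conn, name)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT UserName, Email FROM dbo.Users WHERE UserName = ?"
    Set LookupUser = cmd.Execute(, Array(name), adCmdText)
End Function

' Same lookup through a stored procedure (the recommended route).
' Assumed procedure: dbo.usp_GetUser @UserName nvarchar(64)
Function LookupUserProc(conn, name)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "dbo.usp_GetUser"
    Set LookupUserProc = cmd.Execute(, Array(name), adCmdStoredProc)
End Function

Dim conn, rs, userName
userName = Request.Form("username")          ' attacker-controlled input

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")          ' assumed OLE DB connection string

Set rs = LookupUser(conn, userName)
Do Until rs.EOF
    ' Encode on the way out: parameters stop SQL injection, not XSS.
    Response.Write Server.HTMLEncode(rs("UserName").Value & "") & " - " & _
                   Server.HTMLEncode(rs("Email").Value & "") & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
Set rs = Nothing
Set conn = Nothing
%>
```

The check that proves the point: with the SQL Server OLE DB provider, a parameterized text command reaches the server as sp_executesql with the value bound to @P1, so SQL Profiler shows the input as an argument and never as part of the statement text. Whatever the user typed, the statement the parser compiles is always the one fixed string in CommandText.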


Thanks, Rob, for excellent help on my question. However; after going in the
direction of replacing my concatenations with ?, and creating parameters to
insert them, an undesired effect occurs...

My accented characters get screwed up... All Scandinavian characters get
replaced.

The form data is posted using XMLHTTP, but I've verified that the accented
characters pass through that all right. Any/all ideas will be welcome...

Lastly, I appreciate your declining to have me name my firstborn after you, as
it is likely to be a girl... ;)

//Leif Beaton

"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:eD**************@TK2MSFTNGP14.phx.gbl...
> Mr Beaton wrote:
>> Hey all,
>>
>> I'm far from new to programming, neither to ASP nor to SQL. However, my SQL
>> know-how is apparently wanting...
>>
>> I have always validated user input to pieces prior to integrating it
>> into a SQL statement, in order to avoid SQL injection attacks. A
>> colleague of mine told me that binding my vars would make them SQL
>> scalar, but I have been left in the dark as to HOW... The web left me
>> none the wiser, as well, so here goes: Anyone got a brief example of
>> binding vars in ASP to get me started?
>
> I suspect your colleague was talking about using parameters. See either
> this,
>
> if you are using stored procedures (recommended):
> http://tinyurl.com/jyy0
>
> or this:
> http://groups-beta.google.com/group/...e36562fee7804e
>
>> I'll name my firstborn after
>> the provider of such assistance... ;-)
>
> No need.
>
> Bob Barrows
> --
> Microsoft MVP - ASP/ASP.NET
> Please reply to the newsgroup. This email account is my spam trap so I
> don't check it very often. If you must reply off-line, then remove the
> "NO SPAM"



Mr Beaton wrote:
> Thanks, Rob, for excellent help on my question. However; after going
> in the direction of replacing my concatenations with ?,

You can't use a stored procedure ... ?

> and creating parameters to insert them,

Do you mean that literally? IE, are you using CreateParameter to create
parameter objects which you append to the command object's Parameters
collection? Or are you following the advice from my post to use a variant
array to pass the arguments?

> an undesired effect occurs...
>
> My accented characters get screwed up... All Scandinavian characters
> get replaced.
>
> The form data is posted using XMLHTTP, but I've verified that the
> accented characters pass through that all right.

How have you verified this?

Have you used SQL Profiler to check the data that is being passed to your
SQL Server?

I have little experience with international character sets, but my initial
reaction is to advise you to explicitly add parameters to the command
object's Parameters collection rather than using the variant array technique
I advised in the post I cited. This will allow you to control the datatypes
of the parameter objects.

If you show me a simplified version of your SQL statement (just enough to
reproduce the problem), I will be able to get a little more specific.

Bob Barrows
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
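An added example, not code from the thread: explicit Parameter objects built with CreateParameter and appended to the Command's Parameters collection, which is what the reply recommends so that the datatype of each parameter is under the page's control rather than inferred from a variant array. Assumptions: the table dbo.People, the Application("ConnString") connection string, the form field names, a UTF-8 XMLHTTP post (hence the 65001 code page), and that the target columns are nvarchar, which is why the string parameters are declared adVarWChar (Unicode) rather than adVarChar (8-bit, converted through the server code page). The ADO constant values match adovbs.inc; the fallback values with Scandinavian characters are constructed so the page runs without a form post.

```asp
<%@ Language=VBScript CodePage=65001 %>
<%
Option Explicit
' Assumption: the XMLHTTP POST is UTF-8, so Request.Form is decoded as
' UTF-8 (CodePage 65001 above) and the response is sent the same way.
Response.CodePage = 65001
Response.Charset = "utf-8"

' ADO constants (values as defined in adovbs.inc)
Const adCmdText = 1
Const adExecuteNoRecords = 128
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200     ' 8-bit string: converted through the server code page
Const adVarWChar = 202    ' Unicode string: maps to nvarchar, no conversion

' Explicit parameters: datatype and size of every Parameter object are
' chosen here instead of being inferred from the value.
' Assumed table: dbo.People(FullName nvarchar(100), City nvarchar(50), Age int)
Function InsertPerson(conn, fullName, city, age)
    Dim cmd, affected
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO dbo.People (FullName, City, Age) VALUES (?, ?, ?)"
    cmd.Parameters.Append cmd.CreateParameter("@FullName", adVarWChar, adParamInput, 100, fullName)
    cmd.Parameters.Append cmd.CreateParameter("@City",     adVarWChar, adParamInput, 50, city)
    cmd.Parameters.Append cmd.CreateParameter("@Age",      adInteger,  adParamInput, , CLng(age))
    ' No recordset is wanted from an INSERT; ask for the row count only.
    cmd.Execute affected, , adCmdText + adExecuteNoRecords
    InsertPerson = affected
End Function

Dim conn, fullName, city, age
' Values normally come from the XMLHTTP form post; the fallbacks are
' constructed sample input with Scandinavian characters.
fullName = Request.Form("fullname")
If fullName = "" Then fullName = "Søren Ødegård"
city = Request.Form("city")
If city = "" Then city = "Tromsø"
age = Request.Form("age")
If age = "" Then age = "42"
If Not IsNumeric(age) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")          ' assumed OLE DB connection string
Response.Write InsertPerson(conn, fullName, city, age) & " row(s) inserted"
conn.Close
Set conn = Nothing
%>
```

The SQL Profiler check from the reply is the way to localize the fault: with the SQL Server OLE DB provider the statement arrives as sp_executesql with @P1 declared as nvarchar(100), and the value shown in the trace is exactly what the server received. If the characters are already wrong in the trace, they were damaged before ADO saw them (form decoding, code page); if they are right in the trace but wrong in the table, the column type or collation is where to look.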