ASP also uses ORM to put a full stop on all SQL injections on the ASP _ Application Tips

Source: Internet
Author: User
Tags constant
General Write ASP PHP code friends are estimated to use the direct operation of the SQL Bar ~
Look at the following code
Dim conn,rs
Set Conn=createobject ("Adodb.connection")
Conn.Open .....
Set Rs=conn.execute ("SELECT * from News");
Traverse rs ....
This implementation speed is certainly, but in the structure logic above 1 half of the sentence of course do not feel how! If you have more sentences, you will have a problem!
Parameter not filtered Ah, SQL presence injection AH wait ~ok Now let's change the design model!
Using 3-layer structure + ORM
Orm:object relation MAPPING
So what is ORM technology? Familiar with Java. NET development friend must be very clear ... is the Object relational mapping
Mapping a table to a class field is mapped to a property and the record is mapped to an object ... Now Java ORM Persistence layer Framework N More
For example Hibernate Ibatis Entitybean (one of the EJBS)
What about the ASP? And we can do the same.
3-tier Architecture: Web presentation layer middle tier persistence layer
Here's a news table, a simple one.
ID int,
Title varchar (200),
Contect varchar (50000)
We mapped him into a class
Class News
Private Id,title,contect
Sub SetID (SID)
Id=cint (SID)
End Sub
Function GetID
End Function
Sub Settitle (Stitle)
Title=mid (stitle,1,200) ' limits the length
End Sub
End Class
And then we'll design code to manipulate the database into objects.
Class Newsdataaccessobject
Dim conn,rs,cmd
' Query a news article
Function Getnewsbyid (ID)
Set Conn=applcation ("Connection") ' connection pool inside get a connection
Set Cmd=getcmd () ' Getcmd function to implement return CreateObject ("Adodb.command")
Selectstring= "SELECT * from NEWS where id = @id"
Cmd. ActiveConnection = conn
Cmd.commandtype = adCmdText ' Const adcmdtext=1
Cmd.commandtext = selectstring
' For just the @id append parameter, constant adinteger = 3 adparaminput=1
Cmd. Parameters.Append cmd. CreateParameter ("@id", adinteger, adParamInput,, id)
' Run SQL statement to return the result collection
Set Rs=cmd.execute ()
Dim anews
Set Anew=new News
If Rs.eof Then
Anew.setid (RS ("id") & "")
Anew.settitle (RS ("title") & "")
Anew.setcontect (RS ("Contect") & "")
End If
Set rs=nothing
Set cmd=nothing
Set conn=nothing
Set Getnewsbyid=anew
End Function
' Insert a piece of news
Function addnews (anew)
Dim conn,cmd
If IsEmpty (anew) then Addnews=false
Set Conn=applcation ("Connection") ' connection pool inside get a connection
Set Cmd=getcmd () ' Getcmd function to implement return CreateObject ("Adodb.command")
insertstring= "INSERT into NEWS (id,title,contect) VALUES (@id, @title, @contect)"
Cmd. ActiveConnection = conn
Cmd.commandtype = adCmdText ' Const adcmdtext=1
Cmd.commandtext = insertstring
' For just the @id @title @contect append parameters, constant adinteger = 3 Adparaminput=1 adVarWChar = 202
Cmd. Parameters.Append cmd. CreateParameter ("@id", Adinteger, adParamInput, Anew.getid ())
Cmd. Parameters.Append cmd. CreateParameter ("@title", adVarWChar, adParamInput, Anew.gettitle ())
Cmd. Parameters.Append cmd. CreateParameter ("@contect", adVarWChar, adParamInput, 50000, Anew.getconect ())
' Run SQL statement
Cmd.execute ()
Set cmd=nothing
Set conn=nothing
End Function
Function Findbytitle (Stitle)
End Function
Function Getpagenews (page,size)
End Function
End Class
The above is to manipulate the database and then encapsulate the results into the object or write the object to the database
This implementation may be slightly slower but the overall logic structure is very obvious, do not need to care whether the variable has been filtered or filtered
And the designers of the Web page layer focus more on the interface
The following adds the news code for the submission
Dim Id,title,contect,anew,dao
Id=request ("id")
Title=request.form ("title")
Contect=request.form ("Contect")
Set Anew=new NEWS
Anew.setid (ID)
Anew.settitle (title)
Anew.setcontect (Contect)
Set Dao=new Newsdataaccessobject
If Dao.addnews (anew) then
' Response.Write
echo "Success"
echo "Error"
End If
Find out the news to show
Dim id,dao,anew
Id=request ("id")
Set Dao=new Newsdataaccessobject
Set Anew=dao.getnewsbyid (ID)
If Anew.getid () <> "" Then
Title: <%=anew.gettitle ()%>
Content: <%=anew.getcontect ()%>
The above fragment code if there are mistakes thank you for advice ~ ~ ~
Using such a design method does not need to be like Xxxblog Xxxbbs XXX article system
Forget replace (SQL, "'", "") and produce injection!
For the cleanliness of the page will not appear in SQL statements, connection and other artists responsible for their work and then put the object's attributes to the appropriate position on the OK
And there may be a friend will feel the user authentication aspect! That's easier. Put user objects in the user table into session OK
If IsEmpty (Session ("user")) or session ("user") = "" Then
' Jump
Set Auser=session ("User")
echo "Welcome you:" & Auser.getname ()
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.