Recently, because the project needs to use access to do database development Web project look at the forum many people asked about access being injected security issues many people are still replacing special characters with replace, But it does not work too much. Today I will use Access parameterized query some of the methods and experience to share with you, I hope that we have some inspiration, there are written wrong places hope that the masters of many exhibitions
asp.net use OleDbCommand new OleDbParameter to create parameter goods query
ASP uses Command's CreateParameter method to create parameterized query
(SQL stored procedure queries are also established by this method)
asp.net C # syntax:
OleDbParameter parm = new OleDbParameter (Name, Type, Direction, Size, Value);
(In fact, it has seven overloads, and you can see it in vs.net.)
parameter
name is optional, a string that represents the Parameter object name.
Type optional, long integer value specifying the Parameter object data type.
Direction Optional, long integer value, specifying Parameter object Type ...
Size Optional, Long value specifying the maximum length of the parameter value in characters or bytes.
Value Optional, Variant type, specifying the value of the Parameter object.
The following is an instance of querying all Tsing published in the news
-------------------------------------------------------
sql= "SELECT * FROM NEWSS where username=? ORDER BY ID
//Note that the condition of the query is indicated by a number of conn =
OleDbConnection = new OleDbConnection (connstring);
OleDbCommand cmd = new OleDbCommand (sql,conn);
OleDbParameter parm = new OleDbParameter ("temp", OleDbType.VarChar, 50); The
//temp is a parameter object that can be arbitrarily defined, OleDbType.VarChar specified as a string, and a length of
Parm. Direction = ParameterDirection.Input;
//Specify its type input parameters
cmd. Parameters.Add (Parm);
Cmd. parameters["Temp"]. Value = "Tsing";
//Query tsing can also be written as CMD. PARAMETERS[0]
Conn. Open ();
Cmd. ExecuteReader ();
ASP VBScript Syntax
Set parameter = command. CreateParameter (Name, Type, Direction, Size, Value)
Parameter ditto
Here's an example of all the News Tsing published
------------------------------------------------------
ET conn = Server.CreateObject ("Adodb.connection")
Conn. ConnectionString = connstring
Conn.Open ()
Set mycmd = Server.CreateObject ("Adodb.command")
myCMD. Activeconnection=conn
Mycmd.commandtext=sql
myCMD. Prepared = True
Set Mypar = myCMD. CreateParameter ("temp", 129,1,50, "Tsing")
myCMD. Parameters.Append Mypar
Set myrs = myCMD. Execute
The same as the above basically different local method is ASP in the expression of the parameters of the different
129 for adchar,1 is to indicate the input parameter (is actually the default value)
Please refer to Microsoft's Adovb.inc:
'----ParameterDirectionEnum Values----
Const Adparamunknown = 0
Const adParamInput = 1
Const adParamOutput = 2
Const adParamInputOutput = 3
Const adParamReturnValue = 4
'----DataTypeEnum Values----
Const adempty = 0
Const Adtinyint = 16
Const adSmallInt = 2
Const Adinteger = 3
Const adBigInt = 20
Const Adunsignedtinyint = 17
Const Adunsignedsmallint = 18
Const Adunsignedint = 19
Const Adunsignedbigint = 21
Const Adsingle = 4
Const addouble = 5
Const adcurrency = 6
Const Addecimal = 14
Const adnumeric = 131
Const Adboolean = 11
Const Aderror = 10
Const aduserdefined = 132
Const advariant = 12
Const adIDispatch = 9
Const adIUnknown = 13
Const Adguid = 72
Const addate = 7
Const adDBDate = 133
Const adDBTime = 134
Const adDBTimeStamp = 135
Const ADBSTR = 8
Const Adchar = 129
Const adVarChar = 200
Const adLongVarChar = 201
Const Adwchar = 130
Const adVarWChar = 202
Const adLongVarWChar = 203
Const adbinary = 128
Const advarbinary = 204
Const Adlongvarbinary = 205