Recently, because of the project's need to use ACCESS for database development WEB projects, many people on the Forum asked ACCESS injection security issues. Many people solve the problem by replacing special characters with Replace, however, this is not very useful. Today, I will share some methods and experiences of using ACCESS parameterized queries with you.
I hope I will be inspired by everyone. I hope the experts will give me more advice if I have written something wrong.
ASP. NET uses OleDbCommand's new OleDbParameter to create a parameter goods Query
ASP uses the CreateParameter method of Command to create a parameterized Query
(This method is also used to query SQL stored procedures)
ASP. net c # syntax
OleDbParameter parm = new OleDbParameter (Name, Type, Direction, Size, Value );
(In fact, it has seven reloads. You can see them in VS.net)
Parameters
Name (optional) is a string that represents the Name of a Parameter object.
Type (optional) long integer value, which specifies the Data Type of the Parameter object.
(Optional) Direction, which is a long integer value and specifies the Parameter object type ..
Size (optional) long integer value. It specifies the maximum length (in characters or bytes) of the parameter value ).
Value (optional) indicates the Value of the Parameter object.
The following is an example to query the news published by all tsing in the news table.
The Code is as follows:
SQL = "select * from newss where username =? Order by id"
// Are query conditions used? Number
OleDbConnection conn = new OleDbConnection (connString );
OleDbCommand cmd = new OleDbCommand (SQL, conn );
OleDbParameter parm = new OleDbParameter ("temp", OleDbType. VarChar, 50 );
// You can define temp as a Parameter object. OleDbType. VarChar is a string with a length of 50.
Parm. Direction = ParameterDirection. Input;
// Specify its type input parameters
Cmd. Parameters. Add (parm );
Cmd. Parameters ["temp"]. Value = "tsing ";
// Query tsing. You can also write it as cmd. Parameters [0].
Conn. Open ();
Cmd. ExecuteReader ();
Asp vbscript syntax
Set parameter = command. CreateParameter (Name, Type, Direction, Size, Value)
Same as above
The following is an example to query the news published by all tsing in the news table.
------------------------------------------------------
The Code is as follows:
Set conn = Server. CreateObject ("Adodb. Connection ")
Conn. ConnectionString = connString
Conn. open ()
Set mycmd = Server. CreateObject ("ADODB. Command ")
Mycmd. ActiveConnection = conn
Mycmd. CommandText = SQL
Mycmd. Prepared = true
Set mypar = mycmd. CreateParameter ("temp", 129,1, 50, "tsing ")
Mycmd. Parameters. Append mypar
Set myrs = mycmd. Execute
The method is basically the same as above. asp is different in parameter expression.
129 is adChar, and 1 is the input parameter (in fact, it is the default value)
For details, refer to MICROSOFT's ADOVB. Inc:
The Code is as follows:
'---- ParameterDirectionEnum Values ----
Const adParamUnknown = 0
Const adParamInput = 1
Const adParamOutput = 2
Const adParamInputOutput = 3
Const adParamReturnValue = 4
'---- DataTypeEnum Values ----
Const adEmpty = 0
Const adTinyInt = 16
Const adSmallInt = 2
Const adInteger = 3
Const adBigInt = 20
Const adUnsignedTinyInt = 17
Const adUnsignedSmallInt = 18
Const adUnsignedInt = 19
Const adUnsignedBigInt = 21
Const adSingle = 4
Const adDouble = 5
Const adCurrency = 6
Const adDecimal = 14
Const adnumeric= 131
Const adBoolean = 11
Const adError = 10
Const adUserDefined = 132
Const adVariant = 12
Const adIDispatch = 9
Const adIUnknown = 13
Const adGUID = 72
Const adDate = 7
Const adDBDate = 133
Const adDBTime = 134
Const adDBTimeStamp = 135
Const adBSTR = 8
Const adChar = 129
Const adVarChar = 200
Const adLongVarChar = 201
Const adwchar= 130
Const advarwchar= 202
Const adlongvarwchar= 203
Const ad binary = 128
Const adVarBinary = 204
Const adLongVarBinary = 205
Attach the C # class I wrote and the VBSCRIPT function. I hope it will be helpful to you.
The Code is as follows:
Using System;
Using System. Data;
Using System. Configuration;
Using System. Web;
Using System. Data. OleDb;
Namespace acc_select
{
///
/// Accselect abstract description
///
Public class accselect
{
// "Provider = Microsoft. Jet. OLEDB.4.0; Data Source = d: \ dq \ db1.mdb"
Private string conn = ConfigurationManager. ConnectionStrings ["tsingConnectionString"]. ToString ();
Public string SQL = string. Empty;
Public int t = 4;
Public object v = null;
Public accselect ()
{
}
///
/// Constructor to pass the ACC parameter query statement
///
/// Strsql limit type
Public accselect (string strsql)
{
SQL = strsql;
}
///
/// Constructor to pass the ACC parameter query statement
///
/// Parameter query statement
/// Bytes
Public accselect (string strsql, int total)
{
SQL = strsql;
T = total;
}
///
/// Constructor
///
/// Parameter query statement
/// Bytes
/// OBJECT Value
Public accselect (string strsql, int total, object value)
{
SQL = strsql;
T = total;
V = value;
}
///
/// The getOdd method returns OleDbDataReader
///
/// Define OleDbType
///
Public OleDbDataReader getOdd (OleDbType odt)
{
OleDbConnection conns = new OleDbConnection (this. conn );
OleDbCommand cmd = new OleDbCommand (this. SQL, conns );
OleDbParameter parm = new OleDbParameter ("temp", odt, this. t );
Parm. Direction = ParameterDirection. Input;
Cmd. Parameters. Add (parm );
Cmd. Parameters [0]. Value = this. v;
Conns. Open ();
OleDbDataReader oda = cmd. ExecuteReader ();
Cmd. Dispose ();
Return oda;
}
String SQL
{
Get
{
Return SQL;
}
Set
{
SQL = value;
}
}
Int T
{
Get
{
Return t;
}
Set
{
T = value;
}
}
Object V
{
Get
{
Return v;
}
Set
{
V = value;
}
}
}
}
// Call Method
// Accselect acc = new accselect ();
// Acc. SQL = "select * from dtt where d_id =? ";
// Acc. t = 10;
// Acc. v = 1;
// OleDbDataReader oda = acc. getOdd (OleDbType. VarChar );
// Repeater1.DataSource = oda;
// Repeater1.DataBind ();
The Code is as follows:
Function acc_ SQL (SQL, adotype, adodct, strlong, values)
Dim connstring, mycmd, myrs, conn
ConnString = "Provider = Microsoft. Jet. OLEDB.4.0; Data Source =" & Server. MapPath ("db1.mdb ")
Set conn = Server. CreateObject ("Adodb. Connection ")
Conn. ConnectionString = connString
Conn. open ()
Set mycmd = Server. CreateObject ("ADODB. Command ")
Mycmd. ActiveConnection = conn
Mycmd. CommandText = SQL
Mycmd. Prepared = true
Set mypar = mycmd. CreateParameter ("temp", adotype, adodct, strlong, values)
Mycmd. Parameters. Append mypar
Set myrs = mycmd. Execute
Set acc_ SQL = myrs
End function
'Call Method
'Dim rs
'SQL = "select * from users where id =? Order by id"
'Set rs = acc_ SQL (SQL, 3, 1, 4, 1)
'If not rs. eof then
'Response. Write (rs (1 ))
'End if