ACCESS的参数化查询
摘要:ACCESS的参数化查询
ACCESS的参数化查询
最近因名目需求用ACCESS做数据库开发WEB名目看论坛上还许多人问及ACCESS被注入的平安成绩许多人处理的方法仍然是用Replace交流特殊字符,但是这样做也并没有起到太大做用.今天我就把我用ACCESS参数化查询的一些方法和阅历和大家分享,宿愿对大家有所启示,有写的不对的中央宿愿高手们多多指教
ASP.NET 用OleDbCommand的new OleDbParameter创建参数货查询
ASP用Command的CreateParameter 方法创建参数化查询
(SQL贮存过程查询也是用这个方法建设的)
ASP.NETC#语法:
OleDbParameter parm = new OleDbParameter(Name, Type, Direction, Size, Value);
(实践上它有七重载大家详细大家可能在VS.net里面就可能看到)
参数
Name可选,字符串,代表 Parameter 对象称号。
Type可选,长整型值,指定 Parameter 对象数据类型。
Direction 可选,长整型值,指定 Parameter 对象类型。。
Size可选,长整型值,指定参数值最大长度(以字符或字节数为单位)。
Value 可选,变体型,指定 Parameter 对象的值。
以下是实例,查询news表中一切tsing发表的旧事
-------------------------------------------------------
sql="select * from newss where username=? order by id"
//留意查询的条件均用?号示意
OleDbConnection conn = new OleDbConnection(connString);
OleDbCommand cmd = new OleDbCommand(sql,conn);
OleDbParameter parm = new OleDbParameter("temp",OleDbType.VarChar, 50);
//temp为Parameter对象可随意定义,OleDbType.VarChar指定为字符串,长度50
parm.Direction = ParameterDirection.Input;
//指定其类型输入参数
cmd.Parameters.Add(parm);
cmd.Parameters["temp"].Value = "tsing";
//查询tsing,也可能写成cmd.Parameters[0]
conn.Open();
cmd.ExecuteReader();
ASP VBSCRIPT语法
Set parameter = command.CreateParameter (Name, Type, Direction, Size, Value)
参数同上
以下是实例,查询news表中一切tsing发表的旧事
------------------------------------------------------
et conn = Server.CreateObject("Adodb.Connection")
conn.ConnectionString = connString
conn.open()
set mycmd = Server.CreateObject("ADODB.Command")
mycmd.ActiveConnection=conn
mycmd.CommandText=sql
mycmd.Prepared = true
set mypar = mycmd.CreateParameter("temp",129,1,50,"tsing")
mycmd.Parameters.Append mypar
set myrs = mycmd.Execute
与上面根本相反不同的中央法是asp在对参数的表达上面不同
129为adChar,1就是批示输入参数(是其实是默许值)
大家请参阅MICROSOFT的ADOVB.Inc:
’---- ParameterDirectionEnum Values ----
Const adParamUnknown = 0
Const adParamInput = 1
Const adParamOutput = 2
Const adParamInputOutput = 3
Const adParamReturnValue = 4
’---- DataTypeEnum Values ----
Const adEmpty = 0
Const adTinyInt = 16
Const adSmallInt = 2
Const adInteger = 3
Const adBigInt = 20
Const adUnsignedTinyInt = 17
Const adUnsignedSmallInt = 18
Const adUnsignedInt = 19
Const adUnsignedBigInt = 21
Const adSingle = 4
Const adDouble = 5
Const adCurrency = 6
Const adDecimal = 14
Const adNumeric = 131
Const adBoolean = 11
Const adError = 10
Const adUserDefined = 132
Const adVariant = 12
Const adIDispatch = 9
Const adIUnknown = 13
Const adGUID = 72
Const adDate = 7
Const adDBDate = 133
Const adDBTime = 134
Const adDBTimeStamp = 135
Const adBSTR = 8
Const adChar = 129
Const adVarChar = 200
Const adLongVarChar = 201
Const adWChar = 130
Const adVarWChar = 202
Const adLongVarWChar = 203
Const adBinary = 128
Const adVarBinary = 204
Const adLongVarBinary = 205
ASP.NET 用OleDbCommand的new OleDbParameter创建参数货查询
ASP用Command的CreateParameter 方法创建参数化查询
(SQL贮存过程查询也是用这个方法建设的)
ASP.NETC#语法:
OleDbParameter parm = new OleDbParameter(Name, Type, Direction, Size, Value);
(实践上它有七重载大家详细大家可能在VS.net里面就可能看到)
参数
Name可选,字符串,代表 Parameter 对象称号。
Type可选,长整型值,指定 Parameter 对象数据类型。
Direction 可选,长整型值,指定 Parameter 对象类型。。
Size可选,长整型值,指定参数值最大长度(以字符或字节数为单位)。
Value 可选,变体型,指定 Parameter 对象的值。
以下是实例,查询news表中一切tsing发表的旧事
-------------------------------------------------------
sql="select * from newss where username=? order by id"
//留意查询的条件均用?号示意
OleDbConnection conn = new OleDbConnection(connString);
OleDbCommand cmd = new OleDbCommand(sql,conn);
OleDbParameter parm = new OleDbParameter("temp",OleDbType.VarChar, 50);
//temp为Parameter对象可随意定义,OleDbType.VarChar指定为字符串,长度50
parm.Direction = ParameterDirection.Input;
//指定其类型输入参数
cmd.Parameters.Add(parm);
cmd.Parameters["temp"].Value = "tsing";
//查询tsing,也可能写成cmd.Parameters[0]
conn.Open();
cmd.ExecuteReader();
ASP VBSCRIPT语法
Set parameter = command.CreateParameter (Name, Type, Direction, Size, Value)
参数同上
以下是实例,查询news表中一切tsing发表的旧事
------------------------------------------------------
et conn = Server.CreateObject("Adodb.Connection")
conn.ConnectionString = connString
conn.open()
set mycmd = Server.CreateObject("ADODB.Command")
mycmd.ActiveConnection=conn
mycmd.CommandText=sql
mycmd.Prepared = true
set mypar = mycmd.CreateParameter("temp",129,1,50,"tsing")
mycmd.Parameters.Append mypar
set myrs = mycmd.Execute
与上面根本相反不同的中央法是asp在对参数的表达上面不同
129为adChar,1就是批示输入参数(是其实是默许值)
大家请参阅MICROSOFT的ADOVB.Inc:
’---- ParameterDirectionEnum Values ----
Const adParamUnknown = 0
Const adParamInput = 1
Const adParamOutput = 2
Const adParamInputOutput = 3
Const adParamReturnValue = 4
’---- DataTypeEnum Values ----
Const adEmpty = 0
Const adTinyInt = 16
Const adSmallInt = 2
Const adInteger = 3
Const adBigInt = 20
Const adUnsignedTinyInt = 17
Const adUnsignedSmallInt = 18
Const adUnsignedInt = 19
Const adUnsignedBigInt = 21
Const adSingle = 4
Const adDouble = 5
Const adCurrency = 6
Const adDecimal = 14
Const adNumeric = 131
Const adBoolean = 11
Const adError = 10
Const adUserDefined = 132
Const adVariant = 12
Const adIDispatch = 9
Const adIUnknown = 13
Const adGUID = 72
Const adDate = 7
Const adDBDate = 133
Const adDBTime = 134
Const adDBTimeStamp = 135
Const adBSTR = 8
Const adChar = 129
Const adVarChar = 200
Const adLongVarChar = 201
Const adWChar = 130
Const adVarWChar = 202
Const adLongVarWChar = 203
Const adBinary = 128
Const adVarBinary = 204
Const adLongVarBinary = 205
![[最佳方案]删除SQLServer数据库中所有](/images/defaultpic.gif)
