最近因项目需要用ACCESS做数据库开发WEB项目
看论坛上还许多人问及ACCESS被注入的安全问题,许多人解决的方法仍然是用Replace替换特殊字符,然而这样做也并没有起到太大作用。
今天我就把我用ACCESS参数化查询的一些方法和经验和大家分享,希望对大家有所启发,
有写的不对的地方希望高手们多多指教
ASP.NET 用OleDbCommand的new OleDbParameter创建参数货查询 ASP用Command的CreateParameter 方法创建参数化查询
(SQL储存过程查询也是用这个方法建立的)
ASP.NET C#语法
OleDbParameter parm = new OleDbParameter(Name, Type, Direction, Size, Value);
(实际上它有七重载大家具体大家可以在VS.net里面就可以看到)
参数
Name 可选,字符串,代表 Parameter 对象名称。
Type 可选,长整型值,指定 Parameter 对象数据类型。
Direction 可选,长整型值,指定 Parameter 对象类型。
Size 可选,长整型值,指定参数值最大长度(以字符或字节数为单位)。
Value 可选,变体型,指定 Parameter 对象的值。
以下是实例,查询news表中所有tsing发表的新闻
-------------------------------------------------------
sql=”select * from newss where username=? order by id“ //注意查询的条件均用?号表示
OleDbConnection conn = new
OleDbConnection(connString);
OleDbCommand cmd = new OleDbCommand(sql,conn);
OleDbParameter parm = new
OleDbParameter(”temp”,OleDbType.VarChar, 50); //temp为Parameter对象可随便定义,OleDbType.VarChar指定为字符串,长度50 parm.Direction = ParameterDirection.Input; //指定其类型输入参数 cmd.Parameters.Add(parm); c
md.Parameters[”temp”].Value = ”tsing”; //查询tsing,也可以写成cmd.Parameters[0] conn.Open();
cmd.ExecuteReader();
ASP VBSCRIPT语法 Set parameter = command.CreateParameter (Name, Type, Direction, Size, Value)
参数同上 以下是实例,查询news表中所有tsing发表的新闻
------------------------------------------------------
et conn = Server.CreateObject(”Adodb.Connection“)
conn.ConnectionString = connString conn.open()
set mycmd = Server.CreateObject(”ADODB.Command“)
mycmd.ActiveConnection=conn
mycmd.CommandText=sql
mycmd.Prepared = true
set mypar = mycmd.CreateParameter(“temp“,129,1,50,“tsing“)
mycmd.Parameters.Append mypar
set myrs = mycmd.Execute
与上面基本相同不同的地方法是asp在对参数的表达上面不同 129为adChar,1就是指示输入参数(是其实是默认值)
大家请参阅MICROSOFT的ADOVB.Inc:
“ParameterDirectionEnum Values ----
Const adParamUnknown = 0
Const adParamInput = 1
Const adParamOutput = 2
Const adParamInputOutput = 3
Const adParamReturnValue = 4 “
---- DataTypeEnum Values
---- Const adEmpty = 0
Const adTinyInt = 16
Const adSmallInt = 2
Const adInteger = 3
Const adBigInt = 20
Const adUnsignedTinyInt = 17
Const adUnsignedSmallInt = 18
Const adUnsignedInt = 19
Const adUnsignedBigInt = 21
Const adSingle = 4
Const adDouble = 5
Const adCurrency = 6
Const adDecimal = 14
Const adNumeric = 131
Const adBoolean = 11
Const adError = 10
Const adUserDefined = 132
Const adVariant = 12
Const adIDispatch = 9
Const adIUnknown = 13
Const adGUID = 72
Const adDate = 7
Const adDBDate = 133
Const adDBTime = 134
Const adDBTimeStamp = 135
Const adBSTR = 8
Const adChar = 129
Const adVarChar = 200
Const adLongVarChar = 201
Const adWChar = 130
Const adVarWChar = 202
Const adLongVarWChar = 203
Const adBinary = 128
Const adVarBinary = 204
Const adLongVarBinary = 205
附我写的C#类,和VBSCRIPT函数,
希望对大家有帮助
using System; using System.Data;
using System.Configuration;
using System.Web;
using System.Data.OleDb;
namespace acc_select { ///
/// accselect 的摘要说明 ///
public class accselect
{//“Provider=Microsoft.Jet.OLEDB.4.0; Data Source=d:\dq\db1.mdb“ private string
conn = ConfigurationManager.ConnectionStrings[“tsingConnectionString“].ToString();
public string sql = string.Empty; public int t = 4; public object v = null; public accselect() { } ///
/// 构造函数,传递ACC参数查询语句 ///
///
strsql字符型 public accselect(string strsql) { sql = strsql; } ///
/// 构造函数,传递ACC参数查询语句 ///
///
参数查询语句 ///
字节数 public accselect(string strsql, int total) { sql = strsql; t = total; } ///
/// 构造函数 ///
///
参数查询语句 ///
字节数 ///
OBJECT值
public accselect(string strsql, int total, object value) { sql = strsql; t = total; v = value; } ///
/// getOdd方法返回OleDbDataReader ///
///
定义OleDbType类型 ///
public OleDbDataReader
getOdd(OleDbType odt)
{
OleDbConnection conns = new OleDbConnection(this.conn);
OleDbCommand cmd = new OleDbCommand(this.sql, conns);
OleDbParameter parm = new OleDbParameter(”temp”, odt, this.t);
parm.Direction = ParameterDirection.Input;
cmd.Parameters.Add(parm);
cmd.Parameters[0].Value = this.v;
conns.Open();
OleDbDataReader oda = cmd.ExecuteReader();
cmd.Dispose();
return oda;
}
string Sql { get { return sql; } set { sql = value; } }
int T { get { return t; } set { t = value; } }
object V { get { return v; } set { v = value; } }
}
}
//调用方法
//accselect acc = new accselect();
//acc.sql = “select * from dtt where d_id=?“;
//acc.t = 10;
//acc.v = 1;
//OleDbDataReader oda = acc.getOdd(OleDbType.VarChar);
//Repeater1.DataSource = oda;
//Repeater1.DataBind();
function acc_sql(sql,adotype,adodct,strlong,values)
dim connstring,mycmd,myrs,
conn connString=“Provider=Microsoft.Jet.OLEDB.4.0; Data Source=” & Server.MapPath(“db1.mdb“)
set conn = Server.CreateObject(“Adodb.Connection“) conn.ConnectionString = connString
conn.open() set mycmd = Server.CreateObject(“ADODB.Command“)
mycmd.ActiveConnection=conn mycmd.CommandText=sql
mycmd.Prepared = true
set mypar = mycmd.CreateParameter(“temp“,adotype,adodct,strlong,values)
mycmd.Parameters.Append mypar
set myrs = mycmd.Execute set acc_sql=myrs
end function “调用方法 “
dim rs sql=“select * from users where id=? order by id“
set rs=acc_sql(sql,3,1,4,1)
if not rs.eof
then response.Write(rs(1))
end if
