今天把机器人的代码给迷城浪子看,他说,写代码应该习惯于反SQL注入的方式,具体是指用ADODB.Command,以下是一个例子:(不一定用存储过程)
在说明CreateParameter()函数的使用方法之前,大家先看一个例子:
SQL存储过程代码如下:
-- Stored procedure that deletes the Singer rows matching a given user name.
-- Dropping any existing copy first keeps the batch re-runnable.
use yqcm
if exists (
    select 1
    from sysobjects
    where type = 'p'
      and name = 'del_singer'
)
    drop procedure del_singer
go
-- @UserName arrives as a bound input parameter (see the ADODB.Command example);
-- it is never spliced into SQL text, which is what makes the call injection-safe.
-- NOTE(review): Singer is referenced unqualified; schema-qualify it if callers
-- may run with a default schema other than the table's.
create procedure del_singer
    @UserName varchar(40)
as
    delete from Singer
    where UserName = @UserName
go
-- Re-creatable definition of del_singer: drop the old procedure if present,
-- then create the version that deletes the Singer rows for one user name.
use yqcm
if exists (
    select 1
    from sysobjects
    where type = 'p'
      and name = 'del_singer'
)
    drop procedure del_singer
go
-- @UserName is supplied by the caller as a bound parameter, not as SQL text.
-- NOTE(review): Singer is unqualified; qualify with its schema if the caller's
-- default schema can differ.
create procedure del_singer
    @UserName varchar(40)
as
    delete from Singer
    where UserName = @UserName
go
网页asp代码如下:
<%
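' Delete one singer through the del_singer stored procedure.
' The user name travels as a bound parameter (CreateParameter), never as SQL
' text, so quotes or comment sequences in it cannot alter the statement.
dim MyComm,UserName
UserName="UserName" 'the user name of the singer to delete
set MyComm=Server.CreateObject("ADODB.Command")
' MyConStr must hold the database connection string (assign it before this
' point). The original passed the literal "MyCommStr", which is not a
' connection string and cannot open a connection.
MyComm.ActiveConnection=MyConStr
MyComm.CommandText="del_singer" 'name of the stored procedure
MyComm.CommandType=4 '4 = adCmdStoredProc: CommandText names a stored procedure
MyComm.Prepared=True
' ("@UserName",200,1,40,UserName): parameter name, 200 = adVarChar,
' 1 = adParamInput, declared length 40 (matches varchar(40) in the procedure),
' value. Order, type and length must match the procedure's declaration.
MyComm.Parameters.append MyComm.CreateParameter("@UserName",200,1,40,UserName)
MyComm.Execute
Set MyComm = Nothing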
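' Delete one singer through the del_singer stored procedure.
' The user name travels as a bound parameter (CreateParameter), never as SQL
' text, so quotes or comment sequences in it cannot alter the statement.
dim MyComm,UserName
UserName="UserName" 'the user name of the singer to delete
set MyComm=Server.CreateObject("ADODB.Command")
' MyConStr must hold the database connection string (assign it before this
' point). The original passed the literal "MyCommStr", which is not a
' connection string and cannot open a connection.
MyComm.ActiveConnection=MyConStr
MyComm.CommandText="del_singer" 'name of the stored procedure
MyComm.CommandType=4 '4 = adCmdStoredProc: CommandText names a stored procedure
MyComm.Prepared=True
' ("@UserName",200,1,40,UserName): parameter name, 200 = adVarChar,
' 1 = adParamInput, declared length 40 (matches varchar(40) in the procedure),
' value. Order, type and length must match the procedure's declaration.
MyComm.Parameters.append MyComm.CreateParameter("@UserName",200,1,40,UserName)
MyComm.Execute
Set MyComm = Nothing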
%>
备注:MyComm.CreateParameter("@UserName",200,1,40,UserName)
第一个参数("@UserName")为参数名。参数名可以任意设定,但一般应与存储过程中声明的参数名相同。
第一个参数("@UserName")为参数名。参数名可以任意设定,但一般应与存储过程中声明的参数名相同。
第二个参数(200),表明该参数的数据类型,具体的类型代码请参阅ADO参考,以下给出常用的类型代码:
adBigInt: 20 ;
adBinary : 128 ;
adBoolean: 11 ;
adChar: 129 ;
adDBTimeStamp: 135 ;
adEmpty: 0 ;
adInteger: 3 ;
adSmallInt: 2 ;
adTinyInt: 16 ;
adVarChar: 200 ;
!对于返回值,只能取整型,且-1到-99为保留值;
adBinary : 128 ;
adBoolean: 11 ;
adChar: 129 ;
adDBTimeStamp: 135 ;
adEmpty: 0 ;
adInteger: 3 ;
adSmallInt: 2 ;
adTinyInt: 16 ;
adVarChar: 200 ;
!对于返回值,只能取整型,且-1到-99为保留值;
第三个参数(1),表明参数的性质。此参数取值的说明如下:
0:类型无法确定;
1: 输入参数;
2: 输出参数;
3:输入或输出参数;
4: 返回值
第四个参数(40),为数据的长度
第五个参数(UserName),为参数值
需要特别注意的是:在声明参数时,顺序一定要与存储过程中定义的顺序相同,而且各参数的数据类型、长度也要与存储过程中定义的相同。
以下也是一个例子:
' Record the current visitor in [Dv_Online]: insert a row the first time the
' visitor is seen, otherwise refresh Lastimebk/Boardid/Stats, then bump the
' cached online counters and the stored peak. Guests (UserID = 0) are keyed by
' the statuserid kept in UserSession, members by UserID.
'
' Every request-derived value reaches SQL through CreateParameter and "?"
' placeholders; the only text spliced into statements is SqlNowString and
' CLng() results.
'
' Reads page/module-level names that are not defined in this Sub: Conn,
' ConnectionDatabase, UserID, UserTrueIP, Stats, UserSession, IP_MAX, Onlineip,
' CacheName, Dvbbs, Forum_Setting, address, Cls_IsSearch, SqlNowString, boardid,
' platform, Browser, version, Userhidden, actforip, Membername, Memberclass,
' UserGroupID, MyBoardOnline, Maxonline, CacheData, Name, value and Execute.
Public Sub UserActiveOnline()
Dim Actcome,SQl,Rs
Dim uip,StatsStr
Dim Cmd,Param
Set Cmd = Server.CreateObject("ADODB.Command")
' Lazily open the shared connection if nothing has opened it yet.
If Not IsObject(Conn) Then ConnectionDatabase
' &H0001 = adCmdText: CommandText is a SQL string with "?" placeholders.
Cmd.CommandType=&H0001
Set Cmd.ActiveConnection=conn
uip = UserTrueIP
' Stats is bound as a parameter everywhere below, so this scrubbing is
' defence-in-depth rather than the injection control; Left(...,250) keeps the
' value inside the 255 declared for the @Stats parameter.
StatsStr = Stats
StatsStr = Replace(StatsStr, "'", "")
StatsStr = Replace(StatsStr, Chr(0), "")
StatsStr = Replace(StatsStr, "--", "——")
StatsStr = Left(StatsStr, 250)
If UserID = 0 Then
' Guest path: the row is keyed by the statuserid stored in the session XML.
Dim StatUserID
StatUserID = UserSession.documentElement.selectSingleNode("userinfo/@statuserid").text
SQL = "Select ID,Boardid From [Dv_Online] Where ID = ?"
' Bound as type 4 (adSingle), size 8, value cast with CCur. NOTE(review): the
' Update branch below binds the same id as type 3 (adInteger) size 4 — confirm
' which one matches the ID column.
Set Param=Cmd.CreateParameter("@Id" , 4, 1, 8, Ccur(StatUserID))
Cmd.Parameters.Append Param
Cmd.CommandText=sql
Set Rs=Cmd.Execute
If Rs.EOF Then
' No row yet for this guest: enforce the per-IP cap before inserting.
If IP_MAX>0 Then
If Onlineip(UserTrueIP) > IP_MAX Then
Session(CacheName & "UserID")=empty
Set Dvbbs=Nothing
Response.Status = "302 Object Moved"
Response.End
End If
End if
' Forum_Setting(36) toggles the IP-to-location lookup stored in Actcome.
If CInt(Forum_Setting(36)) = 0 Then
Actcome = ""
Else
Actcome = address(uip)
End If
' Search-engine guests are not recorded. Rs opened above is still open on this
' exit; VBScript releases the local when the Sub ends, but an explicit Rs.Close
' here would match the other exits.
If Cls_IsSearch Then Exit Sub 'do not record search-engine guests 2004-8-30 Dv.Yz
' Guest insert: Username/Userclass are the literal '客人' and Usergroupid the
' literal 7; only SqlNowString is concatenated, every other value is a placeholder.
SQL = "Insert Into [Dv_Online](ID,Username,Userclass,Ip,Startime,Lastimebk,Boardid,Browser,Stats,Usergroupid,Actcome,Userhidden,actforip) Values (?,'客人','客人',?," & SqlNowString & "," & SqlNowString & ",?,?,?,7,?,?,?)"
' A fresh Command so the @Id parameter appended for the Select is not carried over.
Set Cmd=Nothing
Set Cmd = Server.CreateObject("ADODB.Command")
Cmd.CommandType=&H0001
Cmd.CommandText=sql
Set Cmd.ActiveConnection=conn
' Parameters are positional: the Append order must match the "?" order in SQL.
Set Param=Cmd.CreateParameter("@Id" , 4, 1, 8, Ccur(StatUserID))
Cmd.Parameters.Append Param
' 202 = adVarWChar; the declared size is the longest value the provider accepts.
Set Param=Cmd.CreateParameter("@ip" , 202, 1, 40, UserTrueIP)
Cmd.Parameters.Append Param
' 3 = adInteger, size 4.
Set Param=Cmd.CreateParameter("@boardid" , 3, 1, 4, boardid)
Cmd.Parameters.Append Param
' NOTE(review): platform/Browser/version presumably come from request headers;
' a combined value longer than the declared 255 can fail at Execute — confirm.
Set Param=Cmd.CreateParameter("@Browser" , 202, 1, 255, platform & "|" & Browser & version)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Stats" , 202, 1, 255, StatsStr)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Actcome" , 202, 1, 255, Actcome)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Userhidden" , 3, 1, 4, Userhidden)
Cmd.Parameters.Append Param
' actforip & "" coerces the value to a string before it is bound.
Set Param=Cmd.CreateParameter("@actforip" , 202, 1, 40, actforip&"")
Cmd.Parameters.Append Param
'Update the cached total online count.
MyBoardOnline.Forum_Online=MyBoardOnline.Forum_Online+1
' NOTE(review): Name/value are not declared in this Sub; the member branch
' writes Dvbbs.value, so these look like cache-setter properties of the
' enclosing object — confirm.
Name="Forum_Online"
value=MyBoardOnline.Forum_Online
Else
' Existing guest row: refresh the timestamp, board and status.
SQL = "Update [Dv_Online] Set Lastimebk = " & SqlNowString & ",Boardid = ?,Stats =? Where ID = ?"
Set Cmd=Nothing
Set Cmd = Server.CreateObject("ADODB.Command")
Cmd.CommandType=&H0001
Cmd.CommandText=sql
Set Cmd.ActiveConnection=conn
Set Param=Cmd.CreateParameter("@boardid" , 3, 1, 4, boardid)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Stats" , 202, 1, 255, StatsStr)
Cmd.Parameters.Append Param
' Same id as the Select above, but bound here as adInteger/4 (see note there).
Set Param=Cmd.CreateParameter("@Id" , 3, 1, 4, Ccur(StatUserID))
Cmd.Parameters.Append Param
End If
' Release the lookup recordset, then run whichever write was prepared above.
Rs.Close
Set Rs = Nothing
Cmd.Execute
Else
' Member path: the row is keyed by UserID.
SQL = "Select ID,Boardid From [DV_Online] Where UserID = ?"
Set Cmd=Nothing
Set Cmd = Server.CreateObject("ADODB.Command")
Cmd.CommandType=&H0001
Cmd.CommandText=sql
Set Param=Cmd.CreateParameter("@UserID" , 3, 1, 4,UserID)
Cmd.Parameters.Append Param
Set Cmd.ActiveConnection=conn
Set Rs=Cmd.Execute
' EOF and BOF together mean the recordset is empty: no row for this member yet.
If Rs.Eof And Rs.Bof Then
If CInt(forum_setting(36)) = 0 Then
Actcome = ""
Else
Actcome = address(uip)
End If
' The commented line below is the earlier string-concatenated form, kept for
' reference only; the bound version that follows replaces it.
'SQL = "Insert Into [Dv_Online](ID,Username,Userclass,Ip,Startime,Lastimebk,Boardid,Browser,Stats,Usergroupid,Actcome,Userhidden,UserID,actforip) Values (" & Session.SessionID & ",'" & Membername & "','" & Memberclass & "','" & UserTrueIP & "'," & SqlNowString & "," & SqlNowString & "," & Boardid & ",'" & platform&"|"&Browser&version & "','" & StatsStr & "'," & UserGroupID & ",'" & Actcome & "'," & Userhidden & "," & UserID & ",'"& checkstr(actforip)&"')"
SQL = "Insert Into [Dv_Online](ID,Username,Userclass,Ip,Startime,Lastimebk,Boardid,Browser,Stats,Usergroupid,Actcome,Userhidden,UserID,actforip) Values (?,?,?,?," & SqlNowString & "," & SqlNowString & ",?,?,?,?,?,?,?,?)"
Set Cmd=Nothing
Set Cmd = Server.CreateObject("ADODB.Command")
Cmd.CommandType=&H0001
Cmd.CommandText=sql
Set Cmd.ActiveConnection=conn
' Twelve parameters, appended in the same order as the twelve "?" above.
Set Param=Cmd.CreateParameter("@Id" , 4, 1, 8, Session.SessionID)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Username" , 202, 1, 50, Membername)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Userclass" , 202, 1, 20, Memberclass)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@ip" , 202, 1, 40, UserTrueIP)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@boardid" , 3, 1, 4, boardid)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Browser" , 202, 1, 255, platform & "|" & Browser & version)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Stats" , 202, 1, 255, StatsStr)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Usergroupid" , 3, 1, 4, UserGroupID)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Actcome" , 202, 1, 255, Actcome)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Userhidden" , 3, 1, 4, Userhidden)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@UserId" , 3, 1, 4, UserID)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@actforip" , 202, 1, 40, actforip&"")
Cmd.Parameters.Append Param
'Update the cached total online count.
MyBoardOnline.Forum_Online=MyBoardOnline.Forum_Online+1
Name="Forum_Online"
Dvbbs.value=MyBoardOnline.Forum_Online
'Update the cached member online count.
MyBoardOnline.Forum_UserOnline=MyBoardOnline.Forum_UserOnline+1
Name="Forum_UserOnline"
value=MyBoardOnline.Forum_UserOnline
Else
' Existing member row: refresh the timestamp, board and status.
SQL = "Update [Dv_Online] Set Lastimebk = " & SqlNowString & ",Boardid = ?,Stats = ? Where UserID = ?"
Set Cmd=Nothing
Set Cmd = Server.CreateObject("ADODB.Command")
Cmd.CommandType=&H0001
Cmd.CommandText=sql
Set Cmd.ActiveConnection=conn
Set Param=Cmd.CreateParameter("@boardid" , 3, 1, 4, boardid)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Stats" , 202, 1, 255, StatsStr)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@UserId" , 3, 1, 4, UserID)
Cmd.Parameters.Append Param
End If
Rs.Close
Set Rs = Nothing
Cmd.Execute
End If
'Update the online peak.
If CLng(MyBoardOnline.Forum_Online) > CLng(Maxonline) Then
' String-built, but the only spliced values are CLng() results and SqlNowString
' (defined elsewhere), so no request-controlled text enters the statement.
' Execute here is presumably the enclosing object's query helper, not Cmd.Execute.
Execute("update [Dv_setup] set Forum_Maxonline="&CLng(MyBoardOnline.Forum_Online)&",Forum_MaxonlineDate="& SqlNowString)
CacheData(5,0)=MyBoardOnline.Forum_Online
CacheData(6,0)=Now()
Name="setup"
value=CacheData
End If
Rem Remove timed-out users.
MyBoardOnline.OnlineQuery
End Sub
以下也是一个例子:
' Record the current visitor in [Dv_Online]: insert a row the first time the
' visitor is seen, otherwise refresh Lastimebk/Boardid/Stats, then bump the
' cached online counters and the stored peak. Guests (UserID = 0) are keyed by
' the statuserid kept in UserSession, members by UserID.
'
' Every request-derived value reaches SQL through CreateParameter and "?"
' placeholders; the only text spliced into statements is SqlNowString and
' CLng() results.
'
' Reads page/module-level names that are not defined in this Sub: Conn,
' ConnectionDatabase, UserID, UserTrueIP, Stats, UserSession, IP_MAX, Onlineip,
' CacheName, Dvbbs, Forum_Setting, address, Cls_IsSearch, SqlNowString, boardid,
' platform, Browser, version, Userhidden, actforip, Membername, Memberclass,
' UserGroupID, MyBoardOnline, Maxonline, CacheData, Name, value and Execute.
Public Sub UserActiveOnline()
Dim Actcome,SQl,Rs
Dim uip,StatsStr
Dim Cmd,Param
Set Cmd = Server.CreateObject("ADODB.Command")
' Lazily open the shared connection if nothing has opened it yet.
If Not IsObject(Conn) Then ConnectionDatabase
' &H0001 = adCmdText: CommandText is a SQL string with "?" placeholders.
Cmd.CommandType=&H0001
Set Cmd.ActiveConnection=conn
uip = UserTrueIP
' Stats is bound as a parameter everywhere below, so this scrubbing is
' defence-in-depth rather than the injection control; Left(...,250) keeps the
' value inside the 255 declared for the @Stats parameter.
StatsStr = Stats
StatsStr = Replace(StatsStr, "'", "")
StatsStr = Replace(StatsStr, Chr(0), "")
StatsStr = Replace(StatsStr, "--", "——")
StatsStr = Left(StatsStr, 250)
If UserID = 0 Then
' Guest path: the row is keyed by the statuserid stored in the session XML.
Dim StatUserID
StatUserID = UserSession.documentElement.selectSingleNode("userinfo/@statuserid").text
SQL = "Select ID,Boardid From [Dv_Online] Where ID = ?"
' Bound as type 4 (adSingle), size 8, value cast with CCur. NOTE(review): the
' Update branch below binds the same id as type 3 (adInteger) size 4 — confirm
' which one matches the ID column.
Set Param=Cmd.CreateParameter("@Id" , 4, 1, 8, Ccur(StatUserID))
Cmd.Parameters.Append Param
Cmd.CommandText=sql
Set Rs=Cmd.Execute
If Rs.EOF Then
' No row yet for this guest: enforce the per-IP cap before inserting.
If IP_MAX>0 Then
If Onlineip(UserTrueIP) > IP_MAX Then
Session(CacheName & "UserID")=empty
Set Dvbbs=Nothing
Response.Status = "302 Object Moved"
Response.End
End If
End if
' Forum_Setting(36) toggles the IP-to-location lookup stored in Actcome.
If CInt(Forum_Setting(36)) = 0 Then
Actcome = ""
Else
Actcome = address(uip)
End If
' Search-engine guests are not recorded. Rs opened above is still open on this
' exit; VBScript releases the local when the Sub ends, but an explicit Rs.Close
' here would match the other exits.
If Cls_IsSearch Then Exit Sub 'do not record search-engine guests 2004-8-30 Dv.Yz
' Guest insert: Username/Userclass are the literal '客人' and Usergroupid the
' literal 7; only SqlNowString is concatenated, every other value is a placeholder.
SQL = "Insert Into [Dv_Online](ID,Username,Userclass,Ip,Startime,Lastimebk,Boardid,Browser,Stats,Usergroupid,Actcome,Userhidden,actforip) Values (?,'客人','客人',?," & SqlNowString & "," & SqlNowString & ",?,?,?,7,?,?,?)"
' A fresh Command so the @Id parameter appended for the Select is not carried over.
Set Cmd=Nothing
Set Cmd = Server.CreateObject("ADODB.Command")
Cmd.CommandType=&H0001
Cmd.CommandText=sql
Set Cmd.ActiveConnection=conn
' Parameters are positional: the Append order must match the "?" order in SQL.
Set Param=Cmd.CreateParameter("@Id" , 4, 1, 8, Ccur(StatUserID))
Cmd.Parameters.Append Param
' 202 = adVarWChar; the declared size is the longest value the provider accepts.
Set Param=Cmd.CreateParameter("@ip" , 202, 1, 40, UserTrueIP)
Cmd.Parameters.Append Param
' 3 = adInteger, size 4.
Set Param=Cmd.CreateParameter("@boardid" , 3, 1, 4, boardid)
Cmd.Parameters.Append Param
' NOTE(review): platform/Browser/version presumably come from request headers;
' a combined value longer than the declared 255 can fail at Execute — confirm.
Set Param=Cmd.CreateParameter("@Browser" , 202, 1, 255, platform & "|" & Browser & version)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Stats" , 202, 1, 255, StatsStr)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Actcome" , 202, 1, 255, Actcome)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Userhidden" , 3, 1, 4, Userhidden)
Cmd.Parameters.Append Param
' actforip & "" coerces the value to a string before it is bound.
Set Param=Cmd.CreateParameter("@actforip" , 202, 1, 40, actforip&"")
Cmd.Parameters.Append Param
'Update the cached total online count.
MyBoardOnline.Forum_Online=MyBoardOnline.Forum_Online+1
' NOTE(review): Name/value are not declared in this Sub; the member branch
' writes Dvbbs.value, so these look like cache-setter properties of the
' enclosing object — confirm.
Name="Forum_Online"
value=MyBoardOnline.Forum_Online
Else
' Existing guest row: refresh the timestamp, board and status.
SQL = "Update [Dv_Online] Set Lastimebk = " & SqlNowString & ",Boardid = ?,Stats =? Where ID = ?"
Set Cmd=Nothing
Set Cmd = Server.CreateObject("ADODB.Command")
Cmd.CommandType=&H0001
Cmd.CommandText=sql
Set Cmd.ActiveConnection=conn
Set Param=Cmd.CreateParameter("@boardid" , 3, 1, 4, boardid)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Stats" , 202, 1, 255, StatsStr)
Cmd.Parameters.Append Param
' Same id as the Select above, but bound here as adInteger/4 (see note there).
Set Param=Cmd.CreateParameter("@Id" , 3, 1, 4, Ccur(StatUserID))
Cmd.Parameters.Append Param
End If
' Release the lookup recordset, then run whichever write was prepared above.
Rs.Close
Set Rs = Nothing
Cmd.Execute
Else
' Member path: the row is keyed by UserID.
SQL = "Select ID,Boardid From [DV_Online] Where UserID = ?"
Set Cmd=Nothing
Set Cmd = Server.CreateObject("ADODB.Command")
Cmd.CommandType=&H0001
Cmd.CommandText=sql
Set Param=Cmd.CreateParameter("@UserID" , 3, 1, 4,UserID)
Cmd.Parameters.Append Param
Set Cmd.ActiveConnection=conn
Set Rs=Cmd.Execute
' EOF and BOF together mean the recordset is empty: no row for this member yet.
If Rs.Eof And Rs.Bof Then
If CInt(forum_setting(36)) = 0 Then
Actcome = ""
Else
Actcome = address(uip)
End If
' The commented line below is the earlier string-concatenated form, kept for
' reference only; the bound version that follows replaces it.
'SQL = "Insert Into [Dv_Online](ID,Username,Userclass,Ip,Startime,Lastimebk,Boardid,Browser,Stats,Usergroupid,Actcome,Userhidden,UserID,actforip) Values (" & Session.SessionID & ",'" & Membername & "','" & Memberclass & "','" & UserTrueIP & "'," & SqlNowString & "," & SqlNowString & "," & Boardid & ",'" & platform&"|"&Browser&version & "','" & StatsStr & "'," & UserGroupID & ",'" & Actcome & "'," & Userhidden & "," & UserID & ",'"& checkstr(actforip)&"')"
SQL = "Insert Into [Dv_Online](ID,Username,Userclass,Ip,Startime,Lastimebk,Boardid,Browser,Stats,Usergroupid,Actcome,Userhidden,UserID,actforip) Values (?,?,?,?," & SqlNowString & "," & SqlNowString & ",?,?,?,?,?,?,?,?)"
Set Cmd=Nothing
Set Cmd = Server.CreateObject("ADODB.Command")
Cmd.CommandType=&H0001
Cmd.CommandText=sql
Set Cmd.ActiveConnection=conn
' Twelve parameters, appended in the same order as the twelve "?" above.
Set Param=Cmd.CreateParameter("@Id" , 4, 1, 8, Session.SessionID)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Username" , 202, 1, 50, Membername)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Userclass" , 202, 1, 20, Memberclass)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@ip" , 202, 1, 40, UserTrueIP)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@boardid" , 3, 1, 4, boardid)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Browser" , 202, 1, 255, platform & "|" & Browser & version)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Stats" , 202, 1, 255, StatsStr)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Usergroupid" , 3, 1, 4, UserGroupID)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Actcome" , 202, 1, 255, Actcome)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Userhidden" , 3, 1, 4, Userhidden)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@UserId" , 3, 1, 4, UserID)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@actforip" , 202, 1, 40, actforip&"")
Cmd.Parameters.Append Param
'Update the cached total online count.
MyBoardOnline.Forum_Online=MyBoardOnline.Forum_Online+1
Name="Forum_Online"
Dvbbs.value=MyBoardOnline.Forum_Online
'Update the cached member online count.
MyBoardOnline.Forum_UserOnline=MyBoardOnline.Forum_UserOnline+1
Name="Forum_UserOnline"
value=MyBoardOnline.Forum_UserOnline
Else
' Existing member row: refresh the timestamp, board and status.
SQL = "Update [Dv_Online] Set Lastimebk = " & SqlNowString & ",Boardid = ?,Stats = ? Where UserID = ?"
Set Cmd=Nothing
Set Cmd = Server.CreateObject("ADODB.Command")
Cmd.CommandType=&H0001
Cmd.CommandText=sql
Set Cmd.ActiveConnection=conn
Set Param=Cmd.CreateParameter("@boardid" , 3, 1, 4, boardid)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@Stats" , 202, 1, 255, StatsStr)
Cmd.Parameters.Append Param
Set Param=Cmd.CreateParameter("@UserId" , 3, 1, 4, UserID)
Cmd.Parameters.Append Param
End If
Rs.Close
Set Rs = Nothing
Cmd.Execute
End If
'Update the online peak.
If CLng(MyBoardOnline.Forum_Online) > CLng(Maxonline) Then
' String-built, but the only spliced values are CLng() results and SqlNowString
' (defined elsewhere), so no request-controlled text enters the statement.
' Execute here is presumably the enclosing object's query helper, not Cmd.Execute.
Execute("update [Dv_setup] set Forum_Maxonline="&CLng(MyBoardOnline.Forum_Online)&",Forum_MaxonlineDate="& SqlNowString)
CacheData(5,0)=MyBoardOnline.Forum_Online
CacheData(6,0)=Now()
Name="setup"
value=CacheData
End If
Rem Remove timed-out users.
MyBoardOnline.OnlineQuery
End Sub