将以下更改为带条件的参数化查询
change the below to parameterized query With conditions
如何将以下更改为具有 if 条件的参数化查询...?我想使其成为参数化查询 qith 命令对象...
strQry="SELECT distinct EnrolID" &_
" FROM " & strview & " WHERE ProgramID=" &vP&_
" AND EnrolStatus = 'ZZY' AND CampusID=" &vC
if vW <> "" THEN
strQry=strQry + " AND WID like '%" &WID& "%'"
end if
if vBID<>0 THEN
strQry=strQry + " AND BID=" &vBID
end if
if vProgramID= "2" then
if vT<>0 THEN
strQry=strQry + " AND eid=" &vT
end if
if vYr<>0 THEN
strQry=strQry + " AND Year(A_Dt)=" &vY
end if
end if
strQry = strQry + " ORDER BY EN"
set objRS=createObject("ADODB.recordset")
obj.Open strQry, Conn
首先,您的基本查询未参数化。我在下面修复了这个问题,但是 如果你的 strview 变量是未经过滤的用户输入(而不是,例如,你声明的常量)那么你仍然很容易受到攻击SQL注入。也就是说:
Dim SQLCmd As New MySqlCommand
strQry="SELECT distinct EnrolID" &_
" FROM " & strview & " WHERE ProgramID = @ProgramID" &_
" AND EnrolStatus = 'ZZY' AND CampusID = @CampusID"
SQLCmd.Parameters.AddWithValue("@ProgramID", vP)
SQLCmd.Parameters.AddWithValue("@CampusID", vC)
If vW <> "" Then
strQry = strQry + " AND WID like @WID"
SQLCmd.Parameters.AddWithValue("@WID", "%" & WID & "%")
End If
If vBID <> 0 Then
strQry = strQry + " AND BID = @BID"
SQLCmd.Parameters.AddWithValue("@BID", vBID)
End If
If vProgramID = "2" Then
If vT <> 0 Then
strQry = strQry & " AND eid = @eID"
SQLCmd.Parameters.AddWithValue("@eID", vT)
End If
If vYr <> 0 Then
strQry = strQry& " AND Year(A_Dt) = @Year"
SQLCmd.Parameters.AddWithValue("@Year", vY)
End If
End If
strQry = strQry & " ORDER BY EN"
SQLCmd.CommandText = strQry
如何将以下更改为具有 if 条件的参数化查询...?我想使其成为参数化查询 qith 命令对象...
strQry="SELECT distinct EnrolID" &_
" FROM " & strview & " WHERE ProgramID=" &vP&_
" AND EnrolStatus = 'ZZY' AND CampusID=" &vC
if vW <> "" THEN
strQry=strQry + " AND WID like '%" &WID& "%'"
end if
if vBID<>0 THEN
strQry=strQry + " AND BID=" &vBID
end if
if vProgramID= "2" then
if vT<>0 THEN
strQry=strQry + " AND eid=" &vT
end if
if vYr<>0 THEN
strQry=strQry + " AND Year(A_Dt)=" &vY
end if
end if
strQry = strQry + " ORDER BY EN"
set objRS=createObject("ADODB.recordset")
obj.Open strQry, Conn
首先,您的基本查询未参数化。我在下面修复了这个问题,但是 如果你的 strview 变量是未经过滤的用户输入(而不是,例如,你声明的常量)那么你仍然很容易受到攻击SQL注入。也就是说:
Dim SQLCmd As New MySqlCommand
strQry="SELECT distinct EnrolID" &_
" FROM " & strview & " WHERE ProgramID = @ProgramID" &_
" AND EnrolStatus = 'ZZY' AND CampusID = @CampusID"
SQLCmd.Parameters.AddWithValue("@ProgramID", vP)
SQLCmd.Parameters.AddWithValue("@CampusID", vC)
If vW <> "" Then
strQry = strQry + " AND WID like @WID"
SQLCmd.Parameters.AddWithValue("@WID", "%" & WID & "%")
End If
If vBID <> 0 Then
strQry = strQry + " AND BID = @BID"
SQLCmd.Parameters.AddWithValue("@BID", vBID)
End If
If vProgramID = "2" Then
If vT <> 0 Then
strQry = strQry & " AND eid = @eID"
SQLCmd.Parameters.AddWithValue("@eID", vT)
End If
If vYr <> 0 Then
strQry = strQry& " AND Year(A_Dt) = @Year"
SQLCmd.Parameters.AddWithValue("@Year", vY)
End If
End If
strQry = strQry & " ORDER BY EN"
SQLCmd.CommandText = strQry