如何将以下内容更改为具有 if 条件的参数化查询...?我想将其更改为参数化查询 qith 命令对象...
strQry="SELECT distinct EnrolID" &_
" FROM " & strview & " WHERE ProgramID=" &vP&_
" AND EnrolStatus = 'ZZY' AND CampusID=" &vC
if vW <> "" THEN
strQry=strQry + " AND WID like '%" &WID& "%'"
end if
if vBID<>0 THEN
strQry=strQry + " AND BID=" &vBID
end if
if vProgramID= "2" then
if vT<>0 THEN
strQry=strQry + " AND eid=" &vT
end if
if vYr<>0 THEN
strQry=strQry + " AND Year(A_Dt)=" &vY
end if
end if
strQry = strQry + " ORDER BY EN"
set objRS=createObject("ADODB.recordset")
obj.Open strQry, Conn
最佳答案
首先,您的基本查询没有参数化。我已经在下面修复了这个问题,但是如果您的 strview 变量是未经净化的用户输入(而不是您声明的常量)那么您仍然很容易受到 SQL 注入(inject)的攻击。</strong>强>也就是说:
Dim SQLCmd As New MySqlCommand
strQry="SELECT distinct EnrolID" &_
" FROM " & strview & " WHERE ProgramID = @ProgramID" &_
" AND EnrolStatus = 'ZZY' AND CampusID = @CampusID"
SQLCmd.Parameters.AddWithValue("@ProgramID", vP)
SQLCmd.Parameters.AddWithValue("@CampusID", vC)
If vW <> "" Then
strQry = strQry + " AND WID like @WID"
SQLCmd.Parameters.AddWithValue("@WID", "%" & WID & "%")
End If
If vBID <> 0 Then
strQry = strQry + " AND BID = @BID"
SQLCmd.Parameters.AddWithValue("@BID", vBID)
End If
If vProgramID = "2" Then
If vT <> 0 Then
strQry = strQry & " AND eid = @eID"
SQLCmd.Parameters.AddWithValue("@eID", vT)
End If
If vYr <> 0 Then
strQry = strQry& " AND Year(A_Dt) = @Year"
SQLCmd.Parameters.AddWithValue("@Year", vY)
End If
End If
strQry = strQry & " ORDER BY EN"
SQLCmd.CommandText = strQry
关于mysql - 将以下内容更改为带条件的参数化查询,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/30480766/