Question

ASP中的SQL语句如何使用参数向数据库中写入数据?

下边这个是我ASP程序中SQL语句，用参数的方法该写成什么样子？
Conn_Obj.Execute("Insert Into [BBS] ([Show], [Arid], [Author], [Title], [Content], [DateTime]) Values(True, '主题', '" & Author & "', '" & Title & "', '" & Content & "', '" & Now() & "')")

我主要是想防SQL注入，不想用防注入类之类的东西，我觉得还是用参数的方法比较好，请高手指点。
注意！我要求用参数的方法来解决问题，无满意答案问题将直接关闭。
我记得SQL语句中应该用到“@”，而不是用“Replace”函数。还有楼下两位都搞个循环，当有文本长度很大的时候不怕服务器死机是不？

Answer 1

我理解你的需求，很可惜，ASP 不支持 @ 添加参数的方法。
不过，你可以使用 Recordset 对象的 AddNew 方法，能完美的满足你的需求。
不过你为什么不用 .net 平台呢？.net 还可以实现类型化的数据添加，更安全方便。
如果一定要用 asp，还可以参考一下微软的 DNA 架构一书（最好有自己的主机）。

说正题，针对你的 Insert（SQL）语句，以下是微软官方的 Recordset 对象的 AddNew 方法的示例代码：

AddNew 方法范例 (VBScript)

本范例使用 AddNew 方法来创建具有指定名称的新记录。

在 Active Server Page (ASP) 中使用下列范例。要查看此完整功能范例，C:\mssdk\samples\dataaccess\rds 处必须存在数据源 AdvWorks.mdb（与 SDK 一起安装）。这是 Microsoft Access 数据库文件。

使用 Find 定位文件 Adovbs.inc，并将其放到计划使用的目录中。请将下列代码剪切并粘贴到记事本或其他文本编辑器中，并将其另存为 AddNew.asp。可以在任何客户端浏览器中查看结果。

要执行本范例，请在 HTML 表中添加虚构的新记录。单击“Add New”。要删除不需要的记录，请参阅 Delete 方法范例。

<%@Language = VBScript %>
<!-- #Include file="ADOVBS.INC" -->
<HTML>
<HEAD>
<TITLE>ADO Open Method</TITLE>
<STYLE>
<!--
TH {
background-color: #008080;
font-family: 'Arial Narrow','Arial',sans-serif;
font-size: xx-small;
color: white;
}
TD {
text-align: center;
background-color: #f7efde;
font-family: 'Arial Narrow','Arial',sans-serif;
font-size: xx-small;
}
-->
</STYLE>
</HEAD>
<BODY>
<FONT FACE="MS SANS SERIF" SIZE=2>
<Center><H3>ADO AddNew Method</H3>
<!-- ADO Connection Object used to create recordset-->
<%
src = "C:\mssdk\samples\dataaccess\rds\advworks.mdb"
sConnStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & src
'Create and Open Connection Object
Set OBJdbConn = Server.CreateObject("ADODB.Connection")
OBJdbConn.Open sConnStr
'Create and Open Recordset Object
Set RsCustomerList = Server.CreateObject("ADODB.Recordset")
RsCustomerList.ActiveConnection = OBJdbConn
RsCustomerList.CursorType = adOpenKeyset
RsCustomerList.LockType = adLockOptimistic
RsCustomerList.Source = "Customers"
RsCustomerList.Open
%>
<!—
If this is first time page is open, Form collection will be empty when data is entered.
run AddNew method
-->
<% If Not IsEmpty(Request.Form) Then
If Not Request.Form("CompanyName") = "" Then
RsCustomerList.AddNew
RsCustomerList("CompanyName") = Request.Form("CompanyName")
RsCustomerList("ContactLastName") = Request.Form("LastName")
RsCustomerList("ContactFirstName") = Request.Form("FirstName")
RsCustomerList("PhoneNumber") = Request.Form("PhoneNumber")
RsCustomerList("City") = Request.Form("City")
RsCustomerList("StateOrProvince") = Request.Form("State")
RsCustomerList.Update
RsCustomerList.MoveFirst
End If
End If
%>

<TABLE COLSPAN=8 CELLPADDING=5 BORDER=0>

<!-- BEGIN column header row for Customer Table-->

<TR>
<TD>Company Name</TD>
<TD>Contact Name</TD>
<TD>Phone Number</TD>
<TD>City</TD>
<TD>State/Province</TD>
</TR>
<!--Display ADO Data from Customer Table
one row on each pass through recordset-->
<% Do While Not RsCustomerList.EOF %>
<TR>
<TD> <%= RSCustomerList("CompanyName")%> </TD>
<TD> <%= RScustomerList("ContactLastName") & ", " %>
<%= RScustomerList("ContactFirstName") %> </TD>
<TD> <%= RScustomerList("PhoneNumber")%> </TD>
<TD> <%= RScustomerList("City")%> </TD>
<TD> <%= RScustomerList("StateOrProvince")%> </TD>
</TR>
<!-- Next Row = Record Loop and add to row html table-->
<%
RScustomerList.MoveNext
Loop
%>
</TABLE>
<HR>
<!-- Form to enter new record posts variables back to this page -->
<Form Method=Post Action="AddNew.asp" Name=Form>
<TABLE>
<TR>
<TD>Company Name:</TD>
<TD><Input Type="Text" Size="50" Name="CompanyName" Value = ""></TD>
<TR>
<TD>Contact First Name:</TD>
<TD><Input Type="Text" Size="50" Name="FirstName" Value = ""></TD>
<TR>
<TD>Contact Last Name:</TD>
<TD><Input Type="Text" Size="50" Name="LastName" Value = ""></TD>
<TR>
<TD>Contact Phone:</TD>
<TD><Input Type="Text" Size="50" Name="PhoneNumber" Value = ""></TD>
<TR>
<TD>City:</TD>
<TD><Input Type="Text" Size="50" Name="City" Value = ""></TD>
<TR>
<TD>State / Province:</TD>
<TD><Input Type="Text" Size="5" Name="State" Value = ""></TD>
<TR>
<TD><Input Type="Submit" Value="Add New">
<Input Type="Reset" Value="Reset Form">
</TABLE>
</Form>
<%'Show location of data source
Response.Write(OBJdbConn)
%>
<Script Language = "VBScript">
Sub Form_OnSubmit
MsgBox "Sending New Record to Server",,"ADO-ASP _Example"
End Sub
</Script>
</BODY>
</HTML>

Answer 2

存储过程能实现你的要求。
不过最简单的如 ：
Author =replace(trim(request("Author "))),"'","''")
还可以用函数：
Const C_SqlStr="',count,user,User,Count,1=1,and,2=2" '需要过滤的字符串序列，每个字符串之间用“,”分隔

Dim Reader

Function R_Reader(R_Str,F_Str)
Dim i

If R_Str="" Or F_Str="" Then
Exit Function
End If

Reader=Split(R_Str,F_Str)

For i=0 To Ubound(Reader,1)
Reader(i)=Cstr(Trim(Reader(i)))
Next
R_Reader=Ubound(Reader,1)
End Function

Function S_Request(S_Str)
Dim Temp,i
If S_Str="" Then
Exit Function
End If

Temp=Request(S_Str)
For i=0 To R_Reader(C_SqlStr,",")
Temp=Replace(Temp,CStr(Reader(i)),"")
Next
Temp=Replace(Temp,Chr(34),"")
S_Request=Cstr(Trim(Temp))
Erase Reader
End Function

用法：

原来的例如这样的语句：

Author =request("Author ")

现在写成：

Author =S_Request("Author ")

即可实现非法字符串过滤。

Answer 3

Author =replace(trim(request("Author "))),"'","''")
还可以用函数：
Const C_SqlStr="',count,user,User,Count,1=1,and,2=2" '需要过滤的字符串序列，每个字符串之间用“,”分隔

Dim Reader

Function R_Reader(R_Str,F_Str)
Dim i

If R_Str="" Or F_Str="" Then
Exit Function
End If

Reader=Split(R_Str,F_Str)

For i=0 To Ubound(Reader,1)
Reader(i)=Cstr(Trim(Reader(i)))
Next
R_Reader=Ubound(Reader,1)
End Function

Function S_Request(S_Str)
Dim Temp,i
If S_Str="" Then
Exit Function
End If

Temp=Request(S_Str)
For i=0 To R_Reader(C_SqlStr,",")
Temp=Replace(Temp,CStr(Reader(i)),"")
Next
Temp=Replace(Temp,Chr(34),"")
S_Request=Cstr(Trim(Temp))
Erase Reader
End Function

用法：

原来的例如这样的语句：

Author =request("Author ")