Ale*_*nor 9 sql vbscript sql-injection adodb asp-classic
有什么办法来设置CursorType为ADODB.RecordSet我从获得ADODB.Command.Execute?
我知道如果我这样做有可能:
rs = Server.CreateObject("ADODB.RecordSet")
rs.Open(cmd)
不过,我目前使用Command.Execute与Parameters参数,自动处理的变型阵列?安全插补参数.因此使用RecordSet.Open似乎不是一种选择.
具体来说,我的代码目前看起来像:
function ExecuteSQL(conn, sql, args)
set ExecuteSQL_CmdObj = Server.CreateObject("ADODB.Command")
ExecuteSQL_CmdObj.CommandType = adCmdText
ExecuteSQL_CmdObj.CommandText = sql
ExecuteSQL_CmdObj.ActiveConnection = conn
if Ubound(args) = -1 then
set ExecuteSQL = ExecuteSQL_CmdObj.Execute
else
set ExecuteSQL = ExecuteSQL_CmdObj.Execute(,args)
end if
end function
如果我想维护这个相同的API,还要控制CursorType,如何实现呢?
据我所知,答案是,使用 是不可能的,但使用ADODB.Command.Execute是可能的:ADODB.RecordSet.OpenADODB.Command.Parameters
function CreateSQLParameter(arg)
set param = Server.CreateObject("ADODB.Parameter")
select TypeName(arg)
case "String"
param.Type = adVarChar
param.Size = Len(CStr(arg))
param.Value = CStr(arg)
case "Integer"
param.Type = adInteger
param.Value = CLng(arg)
case "Double"
param.Type = adDouble
param.Value = CDbl(arg)
case else
' 13 is the "Type Mismatch" error code
Err.Raise(13,,, "Type '" & TypeName(arg) "' is not handled. Please add support for it to CreateSQLParameter")
end select
set CreateSQLParameter = param
end function
function CreateSQLCommand(sql, args)
set cmd = Server.CreateObject("ADODB.Command")
'From http://www.w3schools.com/asp/prop_comm_commandtype.asp.
'adCmdText is for some reason undefined in our scope.
cmd.CommandType = 1
cmd.CommandText = sql
for i = Lbound(args) to Ubound(args)
set param = CreateSQLParameter(args(i))
cmd.Parameters.Append(param)
next
set CreateSQLCommand = cmd
end function
function ExecuteSQL(conn, sql, args)
set cmd = CreateSQLCommand(sql, args)
set rs = Server.CreateObject("ADODB.RecordSet")
rs.Open(cmd, conn)
set ExecuteSQL = rs
end function