现在我有一个问题与"LIKE"字符串SQL在VB6。我想防止SQL注入。下面是我的代码:
sqlText= "Select *"
sqlText = sqlText & " From MyStudent"
sqlText = sqlText & " Where Name LIKE ?"
Set dbRec = new ADODB.RecordSet
Set dbCmd = new ADODB.Command
With dbCmd
.ActiveConnection = dbCon
.CommandType = adCmdText
.CommandText = SqlText
End with
dbCmd.Parameters.Append dbCmd.CreateParameter("PNMKM", adVarChar, adParamInput, 20)
dbCmd.Parameters("PNMKM").Value = "'%" & Trim$(inpNMKM.Text) & "%'"
它不可能不运行。帮助我,非常感谢
试着运行下面的代码:
sqlText= "Select *"
sqlText = sqlText & " From MyStudent"
sqlText = sqlText & " Where Name LIKE CONCAT('%', ? ,'%')"
Set dbRec = new ADODB.RecordSet
Set dbCmd = new ADODB.Command
With dbCmd
.ActiveConnection = dbCon
.CommandType = adCmdText
.CommandText = SqlText
End with
dbCmd.Parameters.Append dbCmd.CreateParameter("PNMKM", adVarChar, adParamInput, 20)
dbCmd.Parameters("PNMKM").Value = Trim$(inpNMKM.Text)
在SQL中使用CONCAT函数而不是在addParameter上添加%符号