sql="select * from product where 1=1 "
if isdate(stime) and isdate(etime) then
stime=cdate(stime)
etime=cdate(etime)
sql=sql&"and jiaohuoqi > = '"&stime&"' and jiaohuoqi <= '"&etime&"' "
end if
if dingdanhao <> ""then
sql=sql&" and dingdanhao LIKE'%"&dingdanhao&"%'"
end if
if jianhao <> ""then
sql=sql&" and jianhao LIKE'%"&jianhao&"%'"
end if
if jianming <> ""then
sql=sql&" and jianming LIKE'%"&jianming&"%'"
end if if Request.querystring("select") ="已签收" then
sql=sql&"and qianshou = 1 " else
sql=sql&"and qianshou = 0 " end if
if Request.querystring("select2") ="全部" then
yes =2
end if
if Request.querystring("select2") ="未交货" then
sql=sql&"and yes = 0" end if
if Request.querystring("select2") ="已交货" then
sql=sql&"and yes = 1" end if
sql = sql&" order by jianhao asc,jiaohuoqi asc,dingdanhao asc "
Conn.Execute("exec pro_product '"&sql&"'")
这样传递参数时出错了,如果只是把sql="select * from product where 1=1 and yes=0 and qianshou=1 order by jianhao asc,jiaohuoqi asc,dingdanhao asc "就没有问题,不知道其他几个参数该如何写代码?
if isdate(stime) and isdate(etime) then
stime=cdate(stime)
etime=cdate(etime)
sql=sql&"and jiaohuoqi > = '"&stime&"' and jiaohuoqi <= '"&etime&"' "
end if
if dingdanhao <> ""then
sql=sql&" and dingdanhao LIKE'%"&dingdanhao&"%'"
end if
if jianhao <> ""then
sql=sql&" and jianhao LIKE'%"&jianhao&"%'"
end if
if jianming <> ""then
sql=sql&" and jianming LIKE'%"&jianming&"%'"
end if if Request.querystring("select") ="已签收" then
sql=sql&"and qianshou = 1 " else
sql=sql&"and qianshou = 0 " end if
if Request.querystring("select2") ="全部" then
yes =2
end if
if Request.querystring("select2") ="未交货" then
sql=sql&"and yes = 0" end if
if Request.querystring("select2") ="已交货" then
sql=sql&"and yes = 1" end if
sql = sql&" order by jianhao asc,jiaohuoqi asc,dingdanhao asc "
Conn.Execute("exec pro_product '"&sql&"'")
这样传递参数时出错了,如果只是把sql="select * from product where 1=1 and yes=0 and qianshou=1 order by jianhao asc,jiaohuoqi asc,dingdanhao asc "就没有问题,不知道其他几个参数该如何写代码?
Conn.Execute("exec pro_product '"&sql&"'")
改成
Conn.Execute("exec pro_product '" & replace(sql,"'","''") & "'")