1. 首頁
  2. 問答
  3. 如何在Vb 2010中使用SQL中的參數(Web開發人員)

如何在Vb 2010中使用SQL中的參數(Web開發人員)

2012-11-17 33 views
0

我正在努力解決SQL中的代碼VB但我遇到問題我有一個簡單的數據庫與表管理員UserNamePassword列。如何在Vb 2010中使用SQL中的參數(Web開發人員)

我希望能夠從文本框中讀取數據,然後將其輸入到一個SQL字符串中… SQL字符串的工作原理(我測試了它),我可以用簡單的SELECT語句得到它,但我似乎無法讓SQL讀取我的參數。

幫助?

Protected Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click 
    Call Password_Check(txtTestInput.Text) 
End Sub 

Public Sub Password_Check(ByVal Answer As String) 

    Dim con As New SqlConnection 
    Dim cmd As New SqlCommand 
    Dim parameter As New SqlParameter("@Username", Answer) 
    Try 

     con.ConnectionString = System.Configuration.ConfigurationManager.ConnectionStrings("Database1ConnectionString1").ConnectionString 
     con.Open() 
     cmd.Connection = con 
     cmd.CommandText = " SELECT Password FROM Admin WHERE (UserName = @Username)" 
     cmd.Parameters.Add(parameter) 
     Dim lrd As SqlDataReader = cmd.ExecuteReader() 

     While lrd.Read() 
      Dim sothing As String 

      sothing = lrd("Password").ToString 
      If lrd("Password").ToString = txtPassword.Text Then 
       lblTestData.Text = "passwordSuccess" 
      ElseIf lrd("Password").ToString <> txtPassword.Text Then 
       lblTestData.Text = "passwordFail...:(" 
      End If 
     End While 

    Catch ex As Exception 
     lblTestData.Text = "Error while retrieving records on table..." & ex.Message 
    Finally 
     con.Close() 
    End Try 

End Sub

來源

2012-11-17 Will Peckham

+0

它是否進入While lrd.Read()Loop,如果是這樣的話lrd(「Password」)的值是什麼?ToString – PatFromCanada

+0

你似乎無法讓SQL讀取你的參數,那麼它看起來如何其實呢?拋出的異常? – deerchao

回答

0
在你的代碼上面

: - >Dim parameter As New SqlParameter("@Username", Answer)

我可以建議兩個選項:

Dim parameter As New SqlParameter("@Username", sqldbtype.nvarchar) 

parameter.value = Answer 


cmd.CommandText = string.format("SELECT Password FROM Admin WHERE (UserName = {0})", Answer)

全碼:

Public Sub Password_Check(ByVal Answer As String) 

    Dim con As New SqlConnection 
    Dim cmd As New SqlCommand 
    Dim parameter As New SqlParameter("@Username", SqlDbType.NVarChar) 
    parameter.Value = Answer 
    Try 

     con.ConnectionString = System.Configuration.ConfigurationManager.ConnectionStrings("Database1ConnectionString1").ConnectionString 
     con.Open() 
     cmd.Connection = con 
     cmd.CommandText = "SELECT Password FROM Admin WHERE (UserName = @Username)" 
     cmd.Parameters.Add(parameter) 
     Dim lrd As SqlDataReader = cmd.ExecuteReader() 

     While lrd.Read() 
      Dim sothing As String 

      sothing = lrd("Password").ToString 
      If lrd("Password").ToString = txtPassword.Text Then 
       lblTestData.Text = "passwordSuccess" 
      ElseIf lrd("Password").ToString <> txtPassword.Text Then 
       lblTestData.Text = "passwordFail...:(" 
      End If 
     End While 

    Catch ex As Exception 
     lblTestData.Text = "Error while retrieving records on table..." & ex.Message 
    Finally 
     con.Close() 
    End Try 

End Sub

來源

2012-11-18 14:08:11

+0

使用String.Format是一個等待發生的SQL注入漏洞。 SQL參數是正確的方法。 – Laurence

+0

好點勞倫斯。在string.format的情況下,建議您屏蔽傳遞給cmd.commandtext的字符串。我更新了代碼以使用參數。 –

0

關於您的數據庫系統有可能它不支持參數名稱。你有沒有嘗試過 ?您使用的Wat數據庫系統?

cmd.CommandText = " SELECT Password FROM Admin WHERE (UserName = ?)"

來源

2012-11-17 19:18:57

+0

OP已經發布了Dim con As New SqlConnection這個代碼,強烈建議他們使用MS SQL Server,它支持命名參數。 –

相關問題

 相關問題