將數據插入到SQL Visual Studio中

Question

我一直在嘗試在Visual Studio中創建註冊表單，但它似乎不起作用。這個想法是，當您按下Button1時，Textbox1和Textbox2中的值將存儲在數據庫中。

Public Class SignUp 
Dim mysqlConn As Data.SqlClient.SqlConnection 
Dim command As Data.SqlClient.SqlCommand 
Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click 
    mysqlConn = New Data.SqlClient.SqlConnection 
    mysqlConn.ConnectionString = ("Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=|DataDirectory|\NewFolder1\Members.mdf;Integrated Security=True") 
    Dim reader As Data.SqlClient.SqlDataReader 
    Try 
     mysqlConn.Open() 
     Dim query As String 
     query = "Insert into [User] ('username', 'password') VALUES (" & TextBox1.Text & " AND " & TextBox2.Text & ")" 'virker ikke 
     command = New SqlClient.SqlCommand(query, mysqlConn) 
     reader = command.ExecuteReader 
     mysqlConn.Close() 

     MessageBox.Show("Data Saved") 
    Catch ex As Exception 
     MessageBox.Show(ex.Message) 
    Finally 
     mysqlConn.Dispose() 

    End Try 

它給了我一個錯誤，說列錯了。

Answer 1

這應該讓你的代碼工作。這不是良好的編程習慣可言，但它是你所要求的：

Public Class Form1 
    Dim mysqlConn As Data.SqlClient.SqlConnection 
    Dim command As Data.SqlClient.SqlCommand 


    Private Sub Button1_Click(ByVal sender As Object, ByVal e As EventArgs) Handles Button1.Click 
     mysqlConn = New Data.SqlClient.SqlConnection 
     mysqlConn.ConnectionString = ("Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=|DataDirectory|\NewFolder1\Members.mdf;Integrated Security=True") 
     Dim RowsAffected As Integer 
     Try 
      mysqlConn.Open() 
      Dim query As String = "INSERT INTO [User] (username, password) VALUES (@Username, @Password)" 
      command = New SqlClient.SqlCommand(query, mysqlConn) 
         Dim paramUsername As New SqlClient.SqlParameter() With {.ParameterName = "@Username", .Value = TextBox1.Text, .Size = 50, .SqlDbType = SqlDbType.VarChar} 
         Dim paramPassword As New SqlClient.SqlParameter() With {.ParameterName = "@Password", .Value = TextBox2.Text, .Size = 50, .SqlDbType = SqlDbType.VarChar} 

      command.Parameters.Add(paramUsername) 
      command.Parameters.Add(paramPassword) 
      RowsAffected = command.ExecuteNonQuery 
      mysqlConn.Close() 
      If RowsAffected > 0 Then MessageBox.Show("Data Saved") 
     Catch ex As Exception 
      MessageBox.Show(ex.Message) 
     Finally 
      mysqlConn.Dispose() 
     End Try 
    End Sub 
End Class 

這個版本使用SQL參數，這應該防止SQL注入和類似O'Brian值。

正如其他人所說（我們昨天也告訴過你），以純文本存儲密碼確實是一個壞主意。我知道，你並沒有要求這樣的建議，但是如果你使用這個代碼來進行面向公衆的任務，你需要對你的密碼進行哈希處理並存儲散列字符串。

-E

Answer 2

您的代碼應該是這個樣子：

Option Infer On 
Option Strict On 

Imports System.Data.SqlClient 

Public Class Signup 

    Private Sub bnSignup_Click(sender As Object, e As EventArgs) Handles bnSignup.Click 
     Dim connStr = "Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=|DataDirectory|\NewFolder1\Members.mdf;Integrated Security=True" 
     Dim query = "INSERT INTO [User] ([username], [password]) VALUES (@username, @password)" 

     'TODO: Hash the password to save it in the database. 

     Try 
      Using sqlConn As New SqlConnection(connStr) 
       Using command As New Sqlcommand(query, sqlConn) 
        command.Parameters.Add(New SqlParameter With {.ParameterName = "@username", .SqlDbType = SqlDbType.NVarChar, .Value = tbUsername.Text}) 
        command.Parameters.Add(New SqlParameter With {.ParameterName = "@password", .SqlDbType = SqlDbType.NVarChar, .Value = tbPassword.Text}) 

        sqlConn.Open() 
        command.ExecuteNonQuery() 
        sqlConn.Close() 

       End Using 
      End Using 

      MessageBox.Show("Data Saved") 

     Catch ex As Exception 
      MessageBox.Show(ex.Message) 
     End Try 

    End Sub 

    ' Other code... 

End Class 

的Using結構需要你非託管資源的處置照顧，即使發生異常。

使用SqlParameters有助於防止SQL注入攻擊，並允許像撇號這樣的字符傳遞給SQL Server而不會有任何問題。

這是一個好主意，讓你的控件有意義的名字。

有關如何安全地存儲密碼的信息，我建議讀一讀Salted Password Hashing - Doing it Right。