2014-04-21 56 views
0

Getting a variable from a listbox into a SQL string

I am trying to get the contents of a list box into an SQL string via a variable (moon). Below are the 3 SELECT strings from the main body of the code. The last two strings work fine, but the first one does not. That is the one where I try to put the variable into the code. I have tried a few variations of the code but nothing seems to work. Does anyone have any suggestions? The SQL strings:

  da = New OleDbDataAdapter("SELECT * FROM books WHERE [author] = '" & moon & "' ", myConnection) 'fails 
  da = New OleDbDataAdapter("SELECT * FROM books", myConnection) 'works 
  da = New OleDbDataAdapter("SELECT * FROM books WHERE author = 'molly brown' ", myConnection) 'works 

MAIN CODE BODY

Imports System.Data 
Imports System.Data.OleDb 
Imports System.Data.Odbc 
Imports System.Data.DataTable 

Public Class Form1 


    Dim provider As String 
    Dim dataFile As String 
    Dim connString As String 
    Dim myConnection As OleDbConnection = New OleDbConnection 
    Dim ds As DataSet = New DataSet 
    Dim da As OleDbDataAdapter 
    Dim tables As DataTableCollection = ds.Tables 
    Dim source1 As New BindingSource() 



    Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load 
     Dim moon As String 
     moon = ListBox1.Text 

     provider = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source =" 
     dataFile = "C:\Documents and Settings\james\Desktop\Authors.accdb" ' change to access database location on your computer 
     connString = provider & dataFile 
     myConnection.ConnectionString = connString 
     da = New OleDbDataAdapter("SELECT * FROM books WHERE [author] = '" & moon & "' ", myConnection) 'fails 
     'da = New OleDbDataAdapter("SELECT * FROM books", myConnection) 'works 
     'da = New OleDbDataAdapter("SELECT * FROM books WHERE author = 'molly brown' ", myConnection) 'works 

     da.Fill(ds, "books") 

     ' replace "items" with the name of the table 
     ' replace [Item Code], [Description], [Price] with the columns headers 

     Dim view1 As New DataView(tables(0)) 
     source1.DataSource = view1 
     DataGridView1.DataSource = view1 
     DataGridView1.Refresh() 

    End Sub 


End Class 
+1

Please tell us what is not working. Do you get an error message? Just saying _it doesn't work_ does not help. – Steve

+0

Instead of concatenating your string inside the `OleDbAdapter`, create a sql variable and concatenate it there. Then you can look at what sql you are actually creating, and it may be very obvious. – paqogomez

+2

You also have a sql injection vulnerability. – paqogomez

Answer

1

Best practice is to use a new connection object for each call to the database, to define objects with the smallest possible scope, and to use parameterized queries instead of substituting values into your sql string.

Under no circumstances should you use string manipulation to put a user-selected value into your sql statement! Code like this is very bad:

da = New OleDbDataAdapter("SELECT * FROM books WHERE [author] = '" & moon & "' ", myConnection) 

Imagine what happens in this example if you have an author like "Patrick O'Neil". There are many ways this problem can be abused further to do real damage to the database, the application and its users. Just don't use string concatenation for this.

Do it like this instead:

Public Class Form1 

    Private Const provider As String = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source =" 
    Private Const dataFile As String = "C:\Documents and Settings\james\Desktop\Authors.accdb" ' change to access database location on your computer 
    Private connString As String = provider & dataFile  

    Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load 
     Dim ds As New DataSet() 
     'Set a special placeholder for your value as part of a *constant* sql statement 
     Dim sql As String = "SELECT * FROM books WHERE [author] = ? " 

     Using cn As New OleDbConnection(connString), _ 
       cmd As New OleDbCommand(sql, cn), _ 
       da As New OleDbDataAdapter(cmd) 

      'Set the value for that placeholder via a query parameter 
      'Parameters work best when you set the actual type and length 
      ' to match your database. I had to guess at the length here. 
      cmd.Parameters.Add("?", OleDbType.NVarChar, 50).Value = ListBox1.Text 
      da.Fill(ds, "books") 
     End Using 

     DataGridView1.DataSource = ds.Tables("books") 
     DataGridView1.Refresh() 
    End Sub 

End Class 
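As an added illustration, not code from the answer or from the asker's project, the two query shapes above run against an in-memory SQLite stand-in for the Access table. It assumes a constructed `books` table with two rows; SQLite accepts the same `[author]` bracket quoting and the same positional `?` placeholder that the OleDb version uses.

```python
import sqlite3

# Constructed sample rows standing in for the asker's Access "books" table.
SAMPLE_BOOKS = [
    ("molly brown", "Book A"),
    ("Patrick O'Neil", "Book B"),
]


def open_db():
    """Create an in-memory database seeded with the constructed rows."""
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE books (author TEXT, title TEXT)")
    cn.executemany("INSERT INTO books VALUES (?, ?)", SAMPLE_BOOKS)
    return cn


def concat_sql(moon):
    """Build the statement exactly the way the failing line in the question does."""
    return "SELECT * FROM books WHERE [author] = '" + moon + "' "


def titles_by_concat(moon):
    """Run the concatenated statement; an apostrophe in moon breaks the SQL."""
    cn = open_db()
    try:
        return [row[1] for row in cn.execute(concat_sql(moon))]
    finally:
        cn.close()


def concat_fails(moon):
    """True when the concatenated statement is rejected by the database."""
    try:
        titles_by_concat(moon)
        return False
    except sqlite3.Error:
        return True


def titles_by_param(moon):
    """Run the parameterized statement; moon is passed as a value, never as SQL text."""
    cn = open_db()
    try:
        sql = "SELECT * FROM books WHERE [author] = ? "
        return [row[1] for row in cn.execute(sql, (moon,))]
    finally:
        cn.close()
```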
+0

Hi Joel, thanks for the reply. Parameterized queries. Hmm. Never heard of them. I am trying to work through the logic in your code but I am confused (newbie). Could you point me to any good tutorials/books on the subject? Thanks, John James – user3480507

+0

No, I would have to Google it. Now that you know what to search for, you can do that just as well as I can. –