我接手一個VB項目,並用我有限的VB技能我不能讓下面的參數化查詢返回的結果:爲什麼這個參數化的sql查詢不返回結果?
Dim strSQLUser As String = "Select Name, CompanyID from Users where UserName = @UserName"
dbCommand = New SqlCommand(strSQLUser, dbConn)
dbCommand.Parameters.AddWithValue("@UserName", User)
dr = dbCommand.ExecuteReader
然而,這是不工作的原代碼:
Dim strSQLUser As String = "Select Name, CompanyID from Users where UserName ='" & User & "'"
dbCommand = New SqlCommand(strSQLUser, dbConn)
dr = dbCommand.ExecuteReader
正如您所看到的,原始代碼容易受到sql注入攻擊,需要修復。
額外 - 這裏是不讀行:
While dr.Read
DbUser = dr.GetValue(0).ToString
DbCompany = dr.GetValue(1).ToString
End While
我想這個變量User是一個字符串吧? – Steve