2017-08-08 79 views
0

Please help me. I have been stuck on this for several weeks and I don't know how to fix it. Global module, ADODB connection and SQL Server.

Here is my connection code:

Imports System.Text.RegularExpressions 

Module globalmodule 
Public conn As New ADODB.Connection 
Public rs As New ADODB.Recordset 
Public rss As New ADODB.Recordset 
Public trs As New ADODB.Recordset 
Public sql As String 

Public Function opendb() 
    If conn.State = 1 Then conn.Close() 
    conn.Open("Provider=SQLOLEDB.1;Data Source=ACER;Initial Catalog=dbEmployee;Integrated Security=True;") 
    Return 0 
End Function 

Function EmailAddressCheck(ByVal emailAddress As String) As Boolean 

    Dim pattern As String = "^[a-zA-Z][\w\.-]*[a-zA-Z0-9]@[a-zA-Z0-9][\w\.-]*[a-zA-Z0-9]\.[a-zA-Z][a-zA-Z\.]*[a-zA-Z]$" 
    Dim emailAddressMatch As Match = Regex.Match(emailAddress, pattern) 

    If emailAddressMatch.Success Then 
     EmailAddressCheck = True 
    Else 
     EmailAddressCheck = False 
    End If 

    If EmailAddressCheck = False Then 
     MsgBox("Enter valid E-mail ID") 
    End If 

End Function 


Public empid As String 

End Module 

Form1 is the form that uses the global module.

Its code is below:

Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load 
    opendb() 

End Sub 

Private Sub btnlogin_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnlogin.Click 

    If cmbutype.Text = "Employee" Then 
     sql = "select * from employee where empcode='" & txtuname.Text & "' and password='" & txtupass.Text & "'" 

     If rs.State = 1 Then rs.Close() 

     rs.Open(sql, conn) 

     If rs.EOF = False Then 
      MDIMain.MasterToolStripMenuItem.Visible = False 
      MDIMain.EmployeeToolStripMenuItem.Visible = False 
      MDIMain.SearchToolStripMenuItem.Visible = False 
      MDIMain.LeaveToolStripMenuItem.Visible = False 
      MDIMain.EarnToolStripMenuItem.Visible = False 
      MDIMain.DeductionToolStripMenuItem.Visible = False 
      MDIMain.events.Visible = False 

      empid = txtuname.Text 


      ' MsgBox("login sucess") 
      MDIMain.Show() 

      Me.Hide() 
     End If 
    Else 
     sql = "select * from login where utypt='" & cmbutype.Text & "' and uname='" & txtuname.Text & "'" 

     If rs.State = 1 Then rs.Close() 

     rs.Open(sql, conn) 

     If rs.EOF = False Then 
      sql = "select * from login where utypt='" & cmbutype.Text & "' and uname='" & txtuname.Text & "' and upass='" & txtupass.Text & "'" 

      If rs.State = 1 Then rs.Close() 

      rs.Open(sql, conn) 

      If rs.EOF = False Then 
       ' MsgBox("login sucess") 
       MDIMain.Show() 
       Me.Hide() 
      Else 
       MsgBox("Incorrect password ") 
      End If 
     Else 
      MsgBox("login failed") 

     End If 

    End If 
End Sub 

I get errors about adodb.connection: "'ADODB' is ambiguous in the namespace", and about adodb.recordset: "'ADODB' is ambiguous in the namespace".

+0

Gah. SQL injection vulnerability, it burns us! –

+0

Also, please turn on Option Infer or Option Strict –

+0

How do I turn it on? – Newbee

Answer

1

I would start with this function:

Public Function opendb() 
    If conn.State = 1 Then conn.Close() 
    conn.Open("Provider=SQLOLEDB.1;Data Source=ACER;Initial Catalog=dbEmployee;Integrated Security=True;") 
    Return 0 
End Function 

VB.Net is not VBScript/VB6. All functions in VB.Net should have a return type. Also, best practice for Sql Server is not to reuse the same connection object over and over; that breaks the driver's ability to do effective connection pooling. So you want the function to look more like this:

Imports System.Data.SqlClient 

'Using ADO.Net objects here because I'm more familiar, and the old ADO objects are really only for backwards compatibility with old code anyway 
Public Function opendb() As SqlConnection 
    'ADO.Net connection string may be slightly different: SqlConnection does not accept the OLE DB "Provider=" keyword, so it is dropped here 
    Dim result As New SqlConnection("Data Source=ACER;Initial Catalog=dbEmployee;Integrated Security=True;") 
    result.Open() 
    Return result 
End Function 

Now let's look at the login code. For now I'm going to leave aside the huge security problem of storing passwords in plain text (don't do that!) and instead focus on the sql injection problem and basic connections.

Private Sub btnlogin_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnlogin.Click 
    Dim sql As String = "" 
    If cmbutype.Text = "Employee" Then 
     sql = "select * from employee where empcode = @username AND password = @password" 
    Else 
     sql = "select * from login where utypt = @utype and uname = @username" 
    End If 

    'opendb() returns an already-open connection, so it is not opened again here 
    Using cn As SqlConnection = opendb(), _ 
      cmd As New SqlCommand(sql, cn) 

     'Guessing at column types/lengths for all of these parameters 
     'User input is bound as data, never pasted into the SQL text 
     cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = txtuname.Text 
     cmd.Parameters.Add("@password", SqlDbType.NVarChar, 64).Value = txtupass.Text 
     cmd.Parameters.Add("@utype", SqlDbType.VarChar, 15).Value = cmbutype.Text 

     Using rdr As SqlDataReader = cmd.ExecuteReader() 
      If Not rdr.Read() Then 
       MsgBox("Login Failed") 
       Exit Sub 
      End If 

      If cmbutype.Text <> "Employee" AndAlso rdr("upass").ToString() <> txtupass.Text Then 
       MsgBox("Password Incorrect") 
       Exit Sub 
      End If 
     End Using 
    End Using 

    ' MsgBox("login sucess") 

    If cmbutype.Text = "Employee" Then 
     MDIMain.MasterToolStripMenuItem.Visible = False 
     MDIMain.EmployeeToolStripMenuItem.Visible = False 
     MDIMain.SearchToolStripMenuItem.Visible = False 
     MDIMain.LeaveToolStripMenuItem.Visible = False 
     MDIMain.EarnToolStripMenuItem.Visible = False 
     MDIMain.DeductionToolStripMenuItem.Visible = False 
     MDIMain.events.Visible = False 

     empid = txtuname.Text 
    End If 

    MDIMain.Show() 
    Me.Hide() 
End Sub 

Note that I was able to simplify the code a lot (less nesting, and combining some of the logic) because ADO.Net lets you supply more query parameters than the SQL command text actually uses. The old ADODB can't do that, because it only uses positional parameters.
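As an added example that is not part of the question or the answer, the same contrast in Python with an in-memory sqlite3 database standing in for ADODB and SQL Server: the concatenated query from the question breaks as soon as the input contains a single quote, while the parameterized form from the answer binds the input as data, and the unused utype parameter shows the "more parameters than the text uses" point. The employee rows are constructed sample data.

```python
import sqlite3

# Constructed sample rows standing in for the dbEmployee 'employee' table on the page.
SAMPLE_EMPLOYEES = [("E001", "secret1"), ("O'Neil", "pw2")]


def make_db():
    """Build an in-memory database with the page's employee(empcode, password) shape."""
    con = sqlite3.connect(":memory:")
    con.execute("create table employee (empcode text, password text)")
    con.executemany("insert into employee values (?, ?)", SAMPLE_EMPLOYEES)
    return con


def login_concatenated(con, username, password):
    """Mirrors the question's btnlogin_Click: user input is pasted into the SQL text.

    Returns True/False for a normal lookup, or None when the input changed the
    statement's syntax (the same property an attacker relies on for injection).
    """
    sql = ("select * from employee where empcode='" + username
           + "' and password='" + password + "'")
    try:
        return con.execute(sql).fetchone() is not None
    except sqlite3.OperationalError:
        return None  # e.g. a single quote in the input broke the statement


def login_parameterized(con, username, password, utype="Employee"):
    """Mirrors the answer: placeholders in the text, values bound separately.

    The :utype key is never referenced by this statement; as with ADO.Net,
    supplying an unused parameter is harmless.
    """
    sql = "select * from employee where empcode = :username and password = :password"
    row = con.execute(sql, {"username": username,
                            "password": password,
                            "utype": utype}).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(login_concatenated(db, "O'Neil", "pw2"))   # None: statement broke
    print(login_parameterized(db, "O'Neil", "pw2"))  # True: quote handled as data
```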