2012-01-10 137 views
-1
Command = New OleDbCommand("SELECT dbo.tbl_staff.staff_id, dbo.tbl_staff.username, dbo.tbl_staff.password, dbo.tbl_useraccount.position_id " & _ 
           "FROM dbo.tbl_position INNER JOIN " & _ 
           "dbo.tbl_useraccount ON dbo.tbl_position.position_id = dbo.tbl_useraccount.position_id INNER JOIN " & _ 
           "dbo.tbl_staff ON dbo.tbl_useraccount.useraccount_id = dbo.tbl_staff.staff_id " & _ 
           "WHERE (dbo.tbl_staff.username = '" & TextBox1.Text & "') AND (dbo.tbl_staff.password = '" & TextBox2.Text & "')", Connection) 

It says: incorrect syntax. (Incorrect syntax with SQL query in Vb.Net)

+6

The way you are coding this is open to SQL injection – Pavan 2012-01-10 05:35:48

+4

"It says incorrect syntax" - oddly enough, the compiler is rarely wrong.... Suggest you show us more of the actual code, along with the line that causes the error. – 2012-01-10 05:36:19

+0

Please show the exact error message, and include the surrounding lines of code in the snippet – 2012-01-10 06:23:03

Answer

3

How to do it in VB.NET

  1. Create a SQL command to run a SQL Server query - you are not setting the Connection property of the SqlCommand. You can do that without adding a single line of code. This is the cause of your error.

    myCommand = New SqlCommand("Insert Into MyTable values (@value1, @value2)", MyConnection) 
    
    • Note: @value1, @value2 - these come into play later. They are placeholders for SQL parameters. These will save your butt.

  2. Insert the parameter values - you need to use SQL parameters, despite the fact that you are not using a stored procedure. This is not the cause of your error.

    ' Typed parameters: the value is sent as data, never spliced into the SQL text
    CMD.Parameters.Add("@value1", SqlDbType.Int).Value = CInt(TXT_BookdID.Text) 
    CMD.Parameters.Add("@value2", SqlDbType.VarChar, 500).Value = TXT_BookName.Text 
    
  3. Create a function to execute the SQL command

    Imports System.Configuration 
    Imports System.Data 
    Imports System.Data.SqlClient 

    ''' <summary>Executes a SqlCommand on the Main DB Connection. Usage: Dim ds As DataSet = ExecuteCMD(CMD)</summary> 
    ''' <param name="CMD">The command type will be determined based upon whether or not the commandText has a space in it. If it has a space, it is a Text command ("select ... from .."), 
    ''' otherwise if there's just one token, it's a stored procedure command</param> 
    Function ExecuteCMD(ByRef CMD As SqlCommand) As DataSet 
        Dim connectionString As String = ConfigurationManager.ConnectionStrings("main").ConnectionString 
        Dim ds As New DataSet() 
    
        Try 
            ' Using disposes (and therefore closes) the connection even if Fill throws 
            Using connection As New SqlConnection(connectionString) 
                CMD.Connection = connection 
    
                'Assume that it's a stored procedure command type if there is no space in the command text. Example: "sp_Select_Customer" vs. "select * from Customers" 
                If CMD.CommandText.Contains(" ") Then 
                    CMD.CommandType = CommandType.Text 
                Else 
                    CMD.CommandType = CommandType.StoredProcedure 
                End If 
    
                Using adapter As New SqlDataAdapter(CMD) 
                    adapter.SelectCommand.CommandTimeout = 300 
    
                    'fill the dataset (Fill opens the connection itself if it is closed) 
                    adapter.Fill(ds) 
                End Using 
            End Using 
    
        Catch ex As Exception 
            ' The database call failed. Re-throw with context, keeping the original exception as InnerException. 
            Throw New Exception("Database Error: " & ex.Message, ex) 
        End Try 
    
        Return ds 
    End Function
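For completeness, here is the login query from the question rewritten with parameters on the OleDb provider the question actually uses. This is an added example, not code from the question or the answer above; it assumes an already created OleDbConnection, the table and column names from the question, and 50-character username/password columns (the column widths are an assumption).

```vbnet
' Added example: the question's OleDbCommand login query, parameterized.
' OleDb binds parameters by position, not by name, so the "?" placeholders
' must be added in the same order they appear in the SQL text.
Imports System.Data
Imports System.Data.OleDb

Public Class StaffLogin
    ''' <summary>Returns the matching staff row, or Nothing if the login does not match exactly one row.</summary>
    Public Shared Function FindStaff(connection As OleDbConnection, username As String, password As String) As DataRow
        ' Same joins as the question; only the WHERE clause changes: no user text is concatenated into it.
        Const sql As String = _
            "SELECT s.staff_id, s.username, s.password, u.position_id " & _
            "FROM dbo.tbl_position p " & _
            "INNER JOIN dbo.tbl_useraccount u ON p.position_id = u.position_id " & _
            "INNER JOIN dbo.tbl_staff s ON u.useraccount_id = s.staff_id " & _
            "WHERE s.username = ? AND s.password = ?"

        Dim table As New DataTable()
        Using cmd As New OleDbCommand(sql, connection)
            cmd.CommandType = CommandType.Text
            ' First "?" = username, second "?" = password. The parameter names are
            ' only labels for the developer; a quote in the input cannot change the
            ' structure of the query because it is sent as data, not as SQL text.
            cmd.Parameters.Add("@username", OleDbType.VarWChar, 50).Value = username
            cmd.Parameters.Add("@password", OleDbType.VarWChar, 50).Value = password

            Using adapter As New OleDbDataAdapter(cmd)
                adapter.Fill(table)   ' opens the connection if needed
            End Using
        End Using

        If table.Rows.Count = 1 Then Return table.Rows(0)
        Return Nothing
    End Function
End Class
```

Call it as `StaffLogin.FindStaff(Connection, TextBox1.Text, TextBox2.Text)` from the form; a `Nothing` result means the login failed.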