
Show SQL Column Item in VB.NET TextBox

I want a specific value of an SQL database column to appear in a textbox, but there is an error with my code which appears to be at this line:

Dim lrd As MySqlDataReader = cmd.ExecuteReader()

Imports MySql.Data.MySqlClient

Public Class Main

    Dim conn As MySqlConnection

    Private Sub Main_Load(sender As Object, e As EventArgs) Handles Me.Load
        conn = New MySqlConnection()
        conn.ConnectionString = "server='127.0.0.1';user id='root';Password='test';database='snipper'"
        Try
            conn.Open()
        Catch myerror As MySqlException
            MsgBox("Error Connecting to Database. Please Try again !")
        End Try
        Dim strSQL As String = "SELECT * FROM snippets"
        Dim da As New MySqlDataAdapter(strSQL, conn)
        Dim ds As New DataSet
        da.Fill(ds, "snippets")
        With ComboBox1
            .DataSource = ds.Tables("snippets")
            .DisplayMember = "title"
            .SelectedIndex = 0
        End With
        Dim cmd = New MySqlCommand("SELECT snippet FROM snippets where title=" & cbSnippets.Text)
        cmd.Connection = conn
        ' The line the error points at:
        Dim lrd As MySqlDataReader = cmd.ExecuteReader()
        While lrd.Read()
            txtCode.Text = lrd("snippet").ToString()
        End While
    End Sub

End Class

What may be wrong?

PLEASE USE PARAMETERISED QUERIES

Your actual problem originates from this line:

Dim cmd = New MySqlCommand("SELECT snippet FROM snippets where title=" & cbSnippets.Text)

Supposing I enter "This is a test" into the text box, the SQL becomes

SELECT snippet 
FROM snippets 
WHERE title=This is a test

with no quotes around the text. It should be:

SELECT snippet 
FROM snippets 
WHERE title='This is a test'

However, if I were to write "''; DROP TABLE Snippets; -- " in your text box, you may find yourself without a snippets table!

You should always use parameterised queries; this is safer and more efficient (it means query plans can be cached and reused, so they don't need to be compiled each time):

Dim cmd = New MySqlCommand("SELECT snippet FROM snippets where title = @Title")
cmd.Parameters.AddWithValue("@Title", cbSnippets.Text)
cmd.Connection = conn
Dim lrd As MySqlDataReader = cmd.ExecuteReader()

Try changing this line:

Dim cmd = New MySqlCommand("SELECT snippet FROM snippets where title=" & cbSnippets.Text)

to:

Dim cmd = New MySqlCommand("SELECT snippet FROM snippets where title='" & cbSnippets.Text & "'")

Note the quotes around the string you'll be searching for. You could as well use the LIKE comparison too:

Dim cmd = New MySqlCommand("SELECT snippet FROM snippets where title like '%" & cbSnippets.Text & "%'")

The % symbol acts as a wildcard. In this case, that would look for any string containing the searched text instead of the string being exactly the same as the searched text.
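As an added example, not code from the question or from either answer, here is the form reworked so that the user's text always reaches MySQL as a parameter: the exact-title lookup from the question and the first answer, and the LIKE search from the second answer, with the % wildcards placed in the parameter value instead of spliced into the SQL text. It assumes the question's table (snippets, with title and snippet columns), its connection string, and controls named cbSnippets (a ComboBox) and txtCode (a TextBox); the LIKE escaping assumes MySQL's default escape character, backslash. FindTitlesContaining is offered as the parameterised counterpart of the LIKE query and is not wired to a control, since the question shows no search box.

```vbnet
' Added example (not code from the question or either answer): the form
' reworked so that user text always travels as a parameter. Assumes the
' question's table (snippets: title, snippet), its connection string, and
' controls named cbSnippets (ComboBox) and txtCode (TextBox).
Imports System.Collections.Generic
Imports System.Data
Imports MySql.Data.MySqlClient

Public Class Main

    ' Connection string copied from the question; in a real application it
    ' belongs in configuration, not in source.
    Private Const ConnStr As String =
        "server='127.0.0.1';user id='root';Password='test';database='snipper'"

    Private Sub Main_Load(sender As Object, e As EventArgs) Handles Me.Load
        Try
            Using conn As New MySqlConnection(ConnStr),
                  da As New MySqlDataAdapter("SELECT title FROM snippets ORDER BY title", conn)
                Dim titles As New DataTable("snippets")
                da.Fill(titles)           ' the adapter opens and closes conn itself
                cbSnippets.DisplayMember = "title"
                cbSnippets.DataSource = titles
            End Using
        Catch ex As MySqlException
            MsgBox("Error connecting to database: " & ex.Message)
        End Try
    End Sub

    ' Exact-title lookup (the first answer's query). The driver sends the title
    ' value separately from the SQL text, so quotes, semicolons or "--" in it
    ' are plain characters in a string, never SQL.
    Private Function LoadSnippetByTitle(title As String) As String
        Using conn As New MySqlConnection(ConnStr),
              cmd As New MySqlCommand("SELECT snippet FROM snippets WHERE title = @Title", conn)
            cmd.Parameters.Add("@Title", MySqlDbType.VarChar).Value = title
            conn.Open()
            ' First column of the first row, or Nothing when no row matches.
            Return TryCast(cmd.ExecuteScalar(), String)
        End Using
    End Function

    ' Substring search (the second answer's LIKE comparison) with the %
    ' wildcards added to the parameter value in VB rather than to the SQL text.
    ' Escaping assumes MySQL's default LIKE escape character, backslash, so a
    ' % or _ typed by the user matches itself instead of acting as a wildcard.
    Private Function FindTitlesContaining(fragment As String) As List(Of String)
        Dim results As New List(Of String)
        Dim literal = fragment.Replace("\", "\\").Replace("%", "\%").Replace("_", "\_")
        Using conn As New MySqlConnection(ConnStr),
              cmd As New MySqlCommand("SELECT title FROM snippets WHERE title LIKE @Pattern", conn)
            cmd.Parameters.Add("@Pattern", MySqlDbType.VarChar).Value = "%" & literal & "%"
            conn.Open()
            Using rdr As MySqlDataReader = cmd.ExecuteReader()
                While rdr.Read()
                    results.Add(rdr.GetString(0))
                End While
            End Using
        End Using
        Return results
    End Function

    ' Runs whenever the user picks a title, including the selection made when
    ' the DataSource is bound in Main_Load.
    Private Sub cbSnippets_SelectedIndexChanged(sender As Object, e As EventArgs) _
            Handles cbSnippets.SelectedIndexChanged
        Dim row = TryCast(cbSnippets.SelectedItem, DataRowView)
        If row Is Nothing Then Return
        Try
            txtCode.Text = If(LoadSnippetByTitle(row("title").ToString()), "")
        Catch ex As MySqlException
            MsgBox("Error reading snippet: " & ex.Message)
        End Try
    End Sub

End Class
```

Two design points worth noting: each connection and command lives inside a Using block, so it is closed and disposed even when the query throws, instead of being held open in a form-level field as in the question; and the handler reads the title from the bound DataRowView rather than from cbSnippets.Text, which avoids the mismatch between ComboBox1 and cbSnippets in the original code.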
