[英]VB.Net with mySql issue?
I am Searching and Block registration for duplicate ID from mysql Database using VB.Net 2010. I have got: you have an error in your sql syntax.... 我正在使用VB.Net 2010从mysql数据库搜索和阻止注册以获取重复ID。我得到:您的sql语法有错误。
Please can you to help me in this? 请你能帮我这个忙吗? What will be the mistake i made?
我会犯什么错误? What will be the correct way?
正确的方法是什么?
Imports System.IO
Imports MySql.Data.MySqlClient
Imports System.Data.SqlClient
Public Class Add_Clients
Private Sub CheckClient()
Dim myquery As String = ""
Dim mycmd As MySqlCommand
myquery = "select * from clients where client_id=" & clid.Text
mycmd = New MySqlCommand(myquery, con)
Dim idno As Integer = mycmd.ExecuteNonQuery()
If idno < 0 Then
MsgBox("The Client is already Exist!", MsgBoxStyle.Exclamation, "Car Rental System")
Return
End If
End Sub
Your query should be like this... 您的查询应该是这样的...
myquery = "SELECT * FROM clients WHERE client_id='" & clid.Text.Replace("'","''").Trim() & "'"
The additional .Replace("'","''").Trim()
should protect you from SQL injection. 附加的
.Replace("'","''").Trim()
应该可以防止SQL注入。 This should work for now... But you later have you use parametized queries to avoid SQL hacks :) So for now, practice SQL statements first. 这应该现在就可以使用。。。但是,稍后您可以使用参数化查询来避免SQL hack :)因此,现在,首先练习SQL语句。
You should use a parameterized query. 您应该使用参数化查询。 It simplifies the code while guarding against injection attacks.
它在防止注入攻击的同时简化了代码。
myquery = "select * from clients where client_id=@clid"
**mycmd = New MySqlCommand(myquery, con)**
mycmd.Parameters.AddWithValue("@clid", clid.Text);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.