堆栈内存溢出
  简体   繁体   English

vb.net sql参数化

[英]vb.net sql parameterization

 原文  2014-08-19 14:59:24       sql/ vb.net/ vb.net-2010

问题描述

I really need help this time. 这次我真的需要帮助。 I search everywhere, tried numerous solutions. 我到处搜索,尝试了许多解决方案。 but i can't seem to solve my problem. 但我似乎无法解决我的问题。 Now i'm going to ask, please help. 现在我要问,请帮助。 I have been having this problem for a week now. 我已经有一个星期了这个问题。 

ExecuteSQL("select * from account_database where idnum= @idnum and password= @pass")
'Dim idnum As New SqlParameter("@idnum", SqlDbType.VarChar)
'Dim pass As New SqlParameter("@pass", SqlDbType.VarChar, -1)
'idnum.Value = idnumtxt.Text
'pass.Value = output
'cmd.Parameters.Add(idnum)
'cmd.Parameters.Add(pass)
cmd.Parameters.Add("@idnum", SqlDbType.VarChar).Value = idnumtxt.Text
cmd.Parameters.Add("@pass", SqlDbType.VarChar, -1, "password").Value = output

those commented out lines are the codes which i have tried, also there are codes which i implemented that also failed. 那些注释掉的行是我尝试过的代码,也有我实施的代码也失败了。

The error message concludes as "Must declare scalar variable @idnum" 错误消息的结论为"Must declare scalar variable @idnum"

i really need help please. 我真的需要帮助。 Please shine some light. 请发光一些。

This is the code what the function executeSQL contains : 这是executeSQL函数包含的代码: 

 Public Shared Sub ExecuteSQL(ByVal strSQL As String)
    Try
        If connection.State = 1 Then ' check connection if open
            connection.Close()
        End If
        ' connection
        connection.ConnectionString = "Data Source=.\SQLEXPRESS;AttachDbFilename=C:\Users\Jr\documents\visual studio 2010\Projects\VotingSystem\VotingSystem\Resources\Database.mdf;Integrated Security=True;User Instance=True"
        connection.Open()
        Dim rowAffected As Integer = 0
        'cmd = New SqlCommand(strSQL, connection) 'buiding the sql command with the use of strSQL (sql statement) and connection (database connection)
        cmd = New SqlCommand(strSQL, connection)
        DARec = New SqlDataAdapter(strSQL, connection) 'buiding the adapter
        cb = New SqlCommandBuilder(DARec)
        rowAffected = cmd.ExecuteNonQuery() 'executing of sql statement
        successID = 1
        connection.Close()
    Catch ex As Exception
        successID = 0
        MsgBox(ex.Message)
    End Try
End Sub

Thanks and please help. 谢谢,请帮助。

3 个解决方案

解决方案1
 3 已采纳  2014-08-19 15:11:58

Problem is simply you're doing this in the wrong order. 问题只是您以错误的顺序执行此操作。 You're attempting to execute your SQL statement before defining the parameters. 您正在尝试在定义参数之前执行SQL语句。 You don't need ExecuteSQL() until you've defined your parameters. 在定义参数之前,不需要ExecuteSQL()。 It likely breaks on the following line in ExecuteSQL() 它可能在ExecuteSQL()的以下行上中断 

' See how many rows the query will impact
' Since @idnum and @pass are not defined until the 
' ExecuteSQL() sub is finished, this line breaks.
rowAffected = cmd.ExecuteNonQuery()

You need to build your SqlCommand() to first include the select statement, and then use AddWithValue() on the parameters you've defined in the string. 您需要构建SqlCommand()来首先包含select语句,然后对字符串中定义的参数使用AddWithValue()。 Defining the datatypes is also unnecessary because your database already knows, and form validation should handle input. 定义数据类型也是不必要的,因为您的数据库已经知道了,并且表单验证应该处理输入。 

' Define your connection
connection.ConnectionString = "Data Source=.\SQLEXPRESS;AttachDbFilename=C:\Users\Jr\documents\visual studio 2010\Projects\VotingSystem\VotingSystem\Resources\Database.mdf;Integrated Security=True;User Instance=True"

' Setup your SQL Command.
cmd = New SqlCommand("select * from account_database where idnum = @idnum and password = @pass", connection)

' Define the parameters you've created
cmd.Parameters.AddWithValue("@idnum", idnumtxt.Text)
cmd.Parameters.AddWithValue("@pass", output)

' Now execute your statement
connection.open()
cmd.ExecuteNonQuery()
connection.close()

And here is a better version of the above code, since you understand the order of events now. 这是上述代码的更好版本,因为您现在已经了解了事件的顺序。 This ensures that in the event of exception the connection is closed. 这样可以确保在发生异常情况下关闭连接。 

strConn = "Data Source=.\SQLEXPRESS;AttachDbFilename=C:\Users\Jr\documents\visual studio 2010\Projects\VotingSystem\VotingSystem\Resources\Database.mdf;Integrated Security=True;User Instance=True"
strSQL = "select * from account_database where idnum = @idnum and password = @pass"
Using connection As New SqlConnection(strConn), cmd As SqlCommand(strSQL, connection)
  cmd.Parameters.Add("@idnum", SqlDbType.VarChar).Value = idnumtxt.Text
  cmd.Parameters.Add("@pass", SqlDbType.VarChar, -1, "password").Value = output
  connection.Open()
  cmd.ExecuteNonQuery()
End Using

解决方案2
 0  2014-08-19 15:06:14

Try this: 尝试这个: 

cmd.Parameters.AddWithValue("idnum", idnumtxt.Text)

Reference: 参考:

解决方案3
 0  2014-08-19 15:09:24

It should just be a case of the following to add an input param 添加输入参数只是以下情况 

cmd.Parameters.Add("@idnum", idnumtxt.Text)

Except you'll need cmd.parameters.add() before the executesql as you're currently defining your params after executesql has ran. 除非你需要cmd.parameters.add()在之前executesql因为你目前定义您的PARAMS后executesql已经跑了。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 vb.net中的SQL数据库 - SQL Databases in vb.net VB.net SQL检查 - VB.net SQL Checking % 在 vb.net/sql 中使用吗? - Is % used in vb.net/sql? VB.Net SQL 问题 - VB.Net SQL issues VB.net和SQL问题 - VB.net and SQL Question VB.Net与SQL通讯 - VB.Net and SQL Communication VB.net SQL语法 - VB.net SQL Syntax vb.net和sql查询 - vb.net and sql query 用SQL标记vb.net - flagging vb.net with sql vb.net列表框和sql - vb.net Listboxes and sql
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM