
vb.net sql parameterization

I really need help this time. I have searched everywhere and tried numerous solutions, but I can't seem to solve my problem. Now I'm going to ask: please help. I have been having this problem for a week now.

ExecuteSQL("select * from account_database where idnum= @idnum and password= @pass")
'Dim idnum As New SqlParameter("@idnum", SqlDbType.VarChar)
'Dim pass As New SqlParameter("@pass", SqlDbType.VarChar, -1)
'idnum.Value = idnumtxt.Text
'pass.Value = output
'cmd.Parameters.Add(idnum)
'cmd.Parameters.Add(pass)
cmd.Parameters.Add("@idnum", SqlDbType.VarChar).Value = idnumtxt.Text
cmd.Parameters.Add("@pass", SqlDbType.VarChar, -1, "password").Value = output

Those commented-out lines are the code I have tried; there is also other code I implemented that failed as well.

The error message reads "Must declare scalar variable @idnum".

I really need help, please. Please shine some light.

This is the code the function ExecuteSQL contains:

Public Shared Sub ExecuteSQL(ByVal strSQL As String)
    Try
        If connection.State = ConnectionState.Open Then ' close the connection if it is already open
            connection.Close()
        End If
        ' connection
        connection.ConnectionString = "Data Source=.\SQLEXPRESS;AttachDbFilename=C:\Users\Jr\documents\visual studio 2010\Projects\VotingSystem\VotingSystem\Resources\Database.mdf;Integrated Security=True;User Instance=True"
        connection.Open()
        Dim rowAffected As Integer = 0
        cmd = New SqlCommand(strSQL, connection) ' building the SQL command from strSQL (SQL statement) and connection (database connection)
        DARec = New SqlDataAdapter(strSQL, connection) ' building the adapter
        cb = New SqlCommandBuilder(DARec)
        rowAffected = cmd.ExecuteNonQuery() ' executing the SQL statement
        successID = 1
        connection.Close()
    Catch ex As Exception
        successID = 0
        MsgBox(ex.Message)
    End Try
End Sub

Thanks and please help.

The problem is simply that you're doing this in the wrong order. You're attempting to execute your SQL statement before defining the parameters. You don't need ExecuteSQL() until you've defined your parameters. It likely breaks on the following line in ExecuteSQL():

' See how many rows the query will impact
' Since @idnum and @pass are not defined until the 
' ExecuteSQL() sub is finished, this line breaks.
rowAffected = cmd.ExecuteNonQuery()

You need to build your SqlCommand() to first include the select statement, and then use AddWithValue() on the parameters you've defined in the string. Defining the datatypes is also unnecessary because your database already knows, and form validation should handle input.

' Define your connection
connection.ConnectionString = "Data Source=.\SQLEXPRESS;AttachDbFilename=C:\Users\Jr\documents\visual studio 2010\Projects\VotingSystem\VotingSystem\Resources\Database.mdf;Integrated Security=True;User Instance=True"

' Set up your SQL command.
cmd = New SqlCommand("select * from account_database where idnum = @idnum and password = @pass", connection)

' Define the parameters you've created
cmd.Parameters.AddWithValue("@idnum", idnumtxt.Text)
cmd.Parameters.AddWithValue("@pass", output)

' Now execute your statement
connection.Open()
cmd.ExecuteNonQuery()
connection.Close()

And here is a better version of the above code, now that you understand the order of events. This ensures that in the event of an exception the connection is closed.

Dim strConn As String = "Data Source=.\SQLEXPRESS;AttachDbFilename=C:\Users\Jr\documents\visual studio 2010\Projects\VotingSystem\VotingSystem\Resources\Database.mdf;Integrated Security=True;User Instance=True"
Dim strSQL As String = "select * from account_database where idnum = @idnum and password = @pass"
Using connection As New SqlConnection(strConn), cmd As New SqlCommand(strSQL, connection)
    ' Parameters are attached before the command runs
    cmd.Parameters.Add("@idnum", SqlDbType.VarChar).Value = idnumtxt.Text
    cmd.Parameters.Add("@pass", SqlDbType.VarChar, -1, "password").Value = output
    connection.Open()
    cmd.ExecuteNonQuery()
End Using ' cmd and connection are disposed here, even if an exception was thrown
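As an added example (not code from the question or from any of the answers), here is how the lookup could be written so that the parameters are attached before the command runs, the connection is disposed on every path, and a SELECT is executed with ExecuteScalar rather than ExecuteNonQuery (which returns -1 for a SELECT and therefore cannot report whether a row matched). The table and column names are the ones from the question; the VarChar types, the length 20 for idnum, the function name CredentialsMatch and the hashedPassword parameter (the value the question calls output) are assumptions.

```vb
Imports System.Data
Imports System.Data.SqlClient

Public Module AccountLookup

    ' Returns True when exactly one row in account_database matches the
    ' supplied id number and the (already hashed) password value.
    ' Assumptions (not from the original post): both columns are VarChar,
    ' idnum is at most 20 characters, and the caller passes the hash the
    ' question calls "output" as hashedPassword.
    Public Function CredentialsMatch(ByVal connectionString As String,
                                     ByVal idNum As String,
                                     ByVal hashedPassword As String) As Boolean

        ' Placeholders go into the SQL text; the values travel separately,
        ' so user input is never parsed as part of the statement.
        ' Never build the WHERE clause by concatenation such as
        '   "... WHERE idnum = '" & idNum & "'"
        ' because the input would then become part of the SQL itself.
        Const sql As String =
            "SELECT COUNT(*) FROM account_database " &
            "WHERE idnum = @idnum AND password = @pass"

        ' Using disposes both objects even if an exception is thrown,
        ' so the connection is always closed and returned to the pool.
        Using connection As New SqlConnection(connectionString),
              cmd As New SqlCommand(sql, connection)

            ' Parameters must be attached BEFORE the command executes;
            ' executing first is what produces "Must declare the scalar variable".
            ' Explicit SqlDbType and length avoid the implicit conversion that
            ' AddWithValue's NVarChar inference can cause against a VarChar column.
            cmd.Parameters.Add("@idnum", SqlDbType.VarChar, 20).Value = idNum
            cmd.Parameters.Add("@pass", SqlDbType.VarChar, -1).Value = hashedPassword

            connection.Open()

            ' ExecuteScalar returns the first column of the first row,
            ' here the COUNT(*), which is what a login check actually needs.
            Dim matches As Integer = Convert.ToInt32(cmd.ExecuteScalar())
            Return matches = 1
        End Using
    End Function

End Module
```

Call it with the connection string from the question and idnumtxt.Text and output as the two remaining arguments; the SqlDataAdapter and SqlCommandBuilder objects created in ExecuteSQL are not needed for this query.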

Try this:

cmd.Parameters.AddWithValue("idnum", idnumtxt.Text)


It should just be a case of the following to add an input param:

cmd.Parameters.Add("@idnum", idnumtxt.Text)

Except you'll need cmd.Parameters.Add() before ExecuteSQL, as you're currently defining your params after ExecuteSQL has run.
