在VB.NET中使用SQL语言记录搜索脚本

Question

我在SQL Server脚本上有一个小问题，如果我选择单选按钮名称将查找名字，但是如果我选择公司将根据公司名称进行查找，则此脚本可以工作。 该程序针对酒店以下代码

enter code here
#Region "GuestList"
Sub SearchRecord()
    If TextBox1.Text = "" Then
        MsgBox("Please Insert The Key", MsgBoxStyle.Information, "Searching Record")
        TextBox1.Focus()
        Exit Sub
    End If

    Try
        If rdoname.Checked = True Then
            dtadapter = New SqlDataAdapter("select firstname as [First Name],lastname as [Last Name], address as [Address], country as [Country], company as [Company], datein as [Date In], dateout as [Date Out], note as [Note] from tcekin Where fistname = '" & TextBox1.Text & "'", connection)
        Else
            dtadapter = New SqlDataAdapter("select firstname as [First Name],lastname as [Last Name], address as [Address], country as [Country], company as [Company], datein as [Date In], dateout as [Date Out], note as [Note] from tcekin Where company = '" & TextBox1.Text & "%'", connection)
        End If

        Dim tcekin As New DataTable
        tcekin.Clear()
        dtadapter.Fill(tcekin)
        If tcekin.Rows.Count = Nothing Then
            MsgBox("Data Not Found", MsgBoxStyle.Information, "Attention")
            TextBox1.Clear()
            TextBox1.Focus()
            Exit Sub
        End If

    Catch ex As SqlException
        MsgBox(ex.Message, MsgBoxStyle.Information, "Attention")
    End Try
End Sub 
#end region

在搜索按钮上，我叫SearchRecord，但是它不起作用。

Answer 1

是的，需要研究SQL注入。

tcekin.Rows.Count = Nothing

Count返回一个整数不是吗？ 因此，它不会等于零，如果没有记录返回，它将等于零。 您可能没有任何记录，也没有触发您的消息框等。