如何使用vb.net在sql服務器中搜索記錄

Question

抱歉，我是vb.net的新程序員，所以我需要一些幫助。 我不熟悉sql server，這是我插入員工信息時的代碼。 它工作正常，我的問題是如何僅使用emp_id搜索此記錄

    Dim mycommand As SqlCommand
    myconnection = New SqlConnection("server=;uid=admin;pwd=;database=payroll")
    myconnection.Open()
    mycommand = New SqlCommand("INSERT INTO employee_info([employee_id],
      [first_name],[last_name],[middle_name],[email],[telephone],
      [gender],[status],[date_birth],[hire_date],[street_add],[city],
      [state_province]) values ('" & Employee_idTextBox.Text & "','" &
      First_nameTextBox.Text & "','" & Last_nameTextBox.Text & "','" &
      Middle_nameTextBox.Text & "','" & EmailTextBox.Text & "','" &
      TelephoneTextBox.Text & "','" & GenderTextBox.Text & "','" & 
      StatusTextBox.Text & "','" & Date_birthDateTimePicker.Value.Date & 
      "','" & Hire_dateDateTimePicker.Value.Date & "','" & 
      Street_addTextBox.Text & "','" & CityTextBox.Text & "','" &
      State_provinceTextBox.Text & "')", myconnection)
    mycommand.ExecuteNonQuery()
    myconnection.Close()

Answer 1

就像其他人指出的那樣，您應該參數化INSERT以避免SQL Injection漏洞。

這是通過Employee_ID檢索新插入的Employee記錄的方法

Dim dbConn as SqlConnection
Dim myCommand As SqlCommand
dbConn = New SqlConnection("server=;uid=admin;pwd=;database=payroll")
dbConn.Open()
myCommand = New SqlCommand("SELECT * FROM employee_info WHERE  employee_id = @EmployeeId", dbConn)
myCommand.Parameters.AddWithValue("@ EmployeeId", employeeId) 
' employeeId in above line is the variable that contains the actual id you want to retrieve

myDataReader = myCommand.ExecuteReader()
' do stuff with the data in myDataReader here
' ...
' .....
myDataReader.Close()
dbConn.Close()