How to populate form2 using search button?

Views: 78

Problem description


Well, I'm trying to make a project for my college final year. A little help would be much appreciated.

I'm trying to search for a result from SEARCH_FROM, which consists of a TextBox1.Text and Button1.Click. After hitting the button with a valid id (faculty_table) it will retrieve data from the database and populate it into a second form, form2 (fac_mod), as soon as the data matches the database values; otherwise it will show "Data Not Found".

How can I do that?

It is showing some errors like "Invalid attempt since no data present." and is also showing "Record Found" but no output.

Thanks for everyone's precious time.
And sorry for bad English.

What I have tried:

Imports System.Data.SqlClient

' Click handler of the search button on SEARCH_FROM.
' connection and command are form-level fields (declared elsewhere in the form).
Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
    connection = New SqlConnection("SERVER=IP,PORT;USER ID=ID;PASSWORD=PASSWORD;DATABASE=myDATABASE")
    Dim reader As SqlDataReader
    If TextBox1.Text = "" Then
        MsgBox("Invalid input")
    Else
        Try
            ' The search value is spliced straight into the SQL text
            Dim query As String = "SELECT * from faculty WHERE id='" & TextBox1.Text & "'"
            connection.Open()
            command = New SqlCommand(query, connection)
            reader = command.ExecuteReader
            MsgBox("Record Found")
            ' Columns are read by ordinal without first advancing the reader
            fac_mod.TextBox1.Text = reader.GetString(0)
            fac_mod.ComboBox5.Text = reader.GetString(1)
            fac_mod.ComboBox4.Text = reader.GetString(2)
            fac_mod.ComboBox1.Text = reader.GetString(3)
            fac_mod.TextBox2.Text = reader.GetString(4)
            fac_mod.DateTimePicker1.Text = reader.GetString(5)
            fac_mod.ComboBox2.Text = reader.GetString(6)
            fac_mod.TextBox3.Text = reader.GetString(7)
            fac_mod.TextBox4.Text = reader.GetString(8)
            fac_mod.TextBox14.Text = reader.GetString(9)
            fac_mod.TextBox5.Text = reader.GetString(10)
            fac_mod.PictureBox1.Image = reader.GetImage(11)   ' SqlDataReader has no GetImage method; this line does not compile as written
            fac_mod.Show()
            Me.Close()
            connection.Close()
        Catch ex As Exception
            MsgBox(ex.Message, MsgBoxStyle.OkOnly)
        End Try
    End If
End Sub

Solution

There are problems with that code that you need to fix throughout your whole app before you even start looking for the problem you have spotted:
1) Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL injection attacks, which can destroy your entire database. Use parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:

SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'

The quote the user added terminates the string as far as SQL is concerned, and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--", then SQL receives a very different command:

SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'

Which SQL sees as three separate commands:

SELECT * FROM MyTable WHERE StreetAddress = 'x';

A perfectly valid SELECT

DROP TABLE MyTable;

A perfectly valid "delete the table" command

--'

And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

2) Don't hard-code connection strings: they should be stored in a config file. A const value used throughout your app is barely tolerable, provided you realize your app must change for each new user / installation.

Then you can start looking at your problem, which is pretty simple: a SqlDataReader doesn't automatically return a row: you have to check if there are any rows, and call the Read method to load each row in turn.
But fix the other problems first: or your DB will get damaged or deleted - your best mate will try it just to see the look on your face...


First check if reader.HasRows = True. Something like

If reader.HasRows Then
    reader.Read() ' this reads in the first record
    ' then you can do reader.GetString() etc.
End If



You'll also want to change to using parameters.
Something like

Dim query As String = "SELECT * from faculty WHERE id=@facultyID" ' this way your database cannot be hacked
...
command.Parameters.AddWithValue("@facultyID", TextBox1.Text) ' this is the safe way to add your parameters; the name must match the one in the query




Also, you should change TextBox1.Text to something like txtFaculty so that it means something when you are reading your code.
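Both answers above come down to the same two changes: send the id to SQL Server as a parameter instead of splicing it into the query text, and call Read() before touching any column. The handler below, added here as an illustration and not code from the poster or either answerer, puts those together with the other points raised (connection string in App.config, a control named txtFaculty, a "Data Not Found" path). Everything not in the question is an assumption: the column names id, name, dept and photo, that id is an INT column, a connection string named FacultyDb in App.config, that SEARCH_FROM's designer file declares Button1 and txtFaculty, and that fac_mod exposes the controls named in the question.

```vb
' Added example, not the poster's code. Assumed schema: faculty(id INT, name, dept, photo).
Imports System.Configuration   ' project must reference System.Configuration.dll
Imports System.Data
Imports System.Data.SqlClient
Imports System.Drawing
Imports System.IO

Partial Public Class SEARCH_FROM   ' Button1 and txtFaculty come from the designer file (assumption)

    ' Loads the faculty row for facultyId into the target form.
    ' Returns True when a row was found and the form was populated, False when no row matched.
    Public Shared Function TryLoadFaculty(facultyId As Integer, target As fac_mod) As Boolean
        ' App.config (assumed):
        ' <connectionStrings>
        '   <add name="FacultyDb" connectionString="Server=IP,PORT;Database=myDATABASE;User ID=ID;Password=PASSWORD"
        '        providerName="System.Data.SqlClient" />
        ' </connectionStrings>
        Dim connStr As String = ConfigurationManager.ConnectionStrings("FacultyDb").ConnectionString

        ' Name the columns instead of SELECT *, so the form does not depend on the table's physical column order.
        Const sql As String = "SELECT id, name, dept, photo FROM faculty WHERE id = @facultyID"

        Using connection As New SqlConnection(connStr)
            Using command As New SqlCommand(sql, connection)
                ' Typed parameter: the value travels separately from the SQL text, so an input such as
                ' x';DROP TABLE faculty;-- is only a value that matches no row (and here is rejected earlier as not an Integer).
                command.Parameters.Add("@facultyID", SqlDbType.Int).Value = facultyId

                connection.Open()
                Using reader As SqlDataReader = command.ExecuteReader(CommandBehavior.SingleRow)
                    ' Read() positions the reader on the first row. Without it every Get*() call
                    ' throws "Invalid attempt to read when no data is present".
                    If Not reader.Read() Then
                        Return False
                    End If

                    target.TextBox1.Text = reader.GetInt32(reader.GetOrdinal("id")).ToString()
                    target.TextBox2.Text = reader.GetString(reader.GetOrdinal("name"))

                    ' Nullable columns must be checked before Get*() is called.
                    Dim deptOrdinal As Integer = reader.GetOrdinal("dept")
                    target.ComboBox1.Text = If(reader.IsDBNull(deptOrdinal), "", reader.GetString(deptOrdinal))

                    ' There is no SqlDataReader.GetImage: a varbinary/image column arrives as Byte()
                    ' and is decoded with Image.FromStream. The Bitmap copy lets the stream be disposed.
                    Dim photoOrdinal As Integer = reader.GetOrdinal("photo")
                    If Not reader.IsDBNull(photoOrdinal) Then
                        Dim bytes As Byte() = DirectCast(reader(photoOrdinal), Byte())
                        Using ms As New MemoryStream(bytes)
                            target.PictureBox1.Image = New Bitmap(Image.FromStream(ms))
                        End Using
                    End If
                End Using
            End Using
        End Using
        Return True
    End Function

    Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
        Dim facultyId As Integer
        ' Validate the input before it gets anywhere near the database.
        If Not Integer.TryParse(txtFaculty.Text.Trim(), facultyId) Then
            MsgBox("Invalid input: faculty id must be a number", MsgBoxStyle.Exclamation)
            Return
        End If

        Try
            Dim target As New fac_mod()
            If TryLoadFaculty(facultyId, target) Then
                target.Show()
                Me.Close()
            Else
                MsgBox("Data Not Found", MsgBoxStyle.Information)
            End If
        Catch ex As SqlException
            ' Log ex for yourself; do not echo ex.Message to the user, it names tables and columns.
            MsgBox("Database error while searching", MsgBoxStyle.Critical)
        End Try
    End Sub
End Class
```

Parameters.Add with an explicit SqlDbType is used rather than AddWithValue: AddWithValue infers the SQL type from the .NET value, so a String becomes nvarchar, and if id is actually a varchar column SQL Server then converts every row's id to nvarchar before comparing, which prevents an index seek. If id is a varchar in your table, change the parameter to SqlDbType.VarChar with the column's length and pass the trimmed text instead of an Integer. The Using blocks also close the connection on every path, including the exception path, where the original only closed it after a successful read.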

