Pass a parameter in sql statement with VB 2005...


Problem description

Can someone please show me an example of passing a string value into an sql
statement in vb 2005? Something like this is what I'm after:
Dim sqlButton1 As String = "Select * from tblAssets where Asset_Tag = Me.cboAsset.Text"

Thank you,

Bill

Solution

I believe this is what you are looking for (did some googling) -

Take a look at this link:
http://www.java2s.com/Code/VB/Databa...SQLcommand.htm

and look at the line that says:
cmd.Parameters.Add(New SqlParameter("@fn", SqlDbType.VarChar, 10)).Value = "Joe"

take note of the @fn which is in the line above:
Dim cmd As New SqlCommand("SELECT FirstName, LastName FROM Employee WHERE FirstName = @fn", con)

you DO NOT want to do

"Select * from Employee where FirstName = " + Text1.Text

You might be using a Combo Box. If your combo box is generated by you, then
you are ok. But if the user generates the data within the combo box - then
be careful....

because of SQL injections.
Skim this article:
http://www.sitepoint.com/article/sql...n-attacks-safe (at page 2 you
will see the basic reason)
or by the middle of this article:
http://blog.colinmackay.net/archive/2007/06/24/77.aspx

basically someone can execute sql within your sql and change your data /
bypass your security / delete your data.
Hope this helps.

Miro

"bill" <bi**@bottlegarden.com> wrote in message
news:ua**************@TK2MSFTNGP02.phx.gbl...


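As an added example, not code from Miro's reply or from the java2s page he links: Bill's tblAssets lookup written the parameterised way, next to the concatenated form the reply warns against. The connection string, the VARCHAR(50) width assumed for Asset_Tag, and the assumption that the form passes Me.cboAsset.Text into LookupAsset are mine, not from the thread.

```vbnet
' Added example, not code from the thread: Bill's tblAssets lookup written
' with a parameterised SqlCommand, beside the concatenated form Miro warns
' against. Assumptions: a SQL Server connection string, Asset_Tag is
' VARCHAR(50), and the caller passes Me.cboAsset.Text from the form.
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient

Public Module AssetLookup

    ' Assumed connection string; in a real app read it from app.config.
    Private Const ConnectionString As String = _
        "Server=.;Database=Assets;Integrated Security=True"

    ' UNSAFE, shown for contrast only: the combo box text becomes SQL text.
    ' Typing   x' OR '1'='1   into the box yields
    '   SELECT * FROM tblAssets WHERE Asset_Tag = 'x' OR '1'='1'
    ' which returns every row; a  '; DROP TABLE tblAssets; --  payload
    ' runs a second statement.
    Public Function BuildUnsafeSql(ByVal assetTag As String) As String
        Return "SELECT * FROM tblAssets WHERE Asset_Tag = '" & assetTag & "'"
    End Function

    ' SAFE: @assetTag is a placeholder in the statement. The value is sent
    ' to SQL Server separately, as typed data, so quotes or semicolons in it
    ' are only ever compared against Asset_Tag, never parsed as SQL.
    Public Function CreateAssetCommand(ByVal con As SqlConnection, _
                                       ByVal assetTag As String) As SqlCommand
        Dim cmd As New SqlCommand( _
            "SELECT * FROM tblAssets WHERE Asset_Tag = @assetTag", con)
        ' Give the type and length explicitly: the server caches one plan
        ' for all inputs, and input longer than the column is truncated
        ' instead of arriving with a type and length that vary per call.
        cmd.Parameters.Add("@assetTag", SqlDbType.VarChar, 50).Value = assetTag
        Return cmd
    End Function

    ' Runs the lookup and returns the matching Asset_Tag values.
    ' From the form: Dim tags As List(Of String) = LookupAsset(Me.cboAsset.Text)
    Public Function LookupAsset(ByVal assetTag As String) As List(Of String)
        Dim results As New List(Of String)
        Using con As New SqlConnection(ConnectionString)
            Using cmd As SqlCommand = CreateAssetCommand(con, assetTag)
                con.Open()
                Using rdr As SqlDataReader = cmd.ExecuteReader()
                    Dim tagOrdinal As Integer = rdr.GetOrdinal("Asset_Tag")
                    While rdr.Read()
                        results.Add(rdr.GetString(tagOrdinal))
                    End While
                End Using
            End Using
        End Using
        Return results
    End Function

End Module
```

The Using blocks close the reader, command and connection even when ExecuteReader throws. BuildUnsafeSql is there only so the two forms can be compared side by side; nothing in the module executes the string it returns.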

Thank you for your reply. Can you explain to me what this is since it
doesn't appear to be an assigned variable name? I haven't seen this
before. "@fn"
Thank you!
Bill

"Miro" <mi**@beero.com> wrote in message
news:ei**************@TK2MSFTNGP05.phx.gbl...




It is your own variable / parameter holder (as long as it starts with the
@ symbol).

You can name it @bill
If you have multiple parameters then they all must be unique in the
statement.

example: Select * from @bla where @bill = @miro

therefore it would expect me to add 3 parameters via the cmd.Parameters.Add

one for @bla, one for @bill and one for @miro

Miro

"bill" <bi**@bottlegarden.com> wrote in message
news:us**************@TK2MSFTNGP02.phx.gbl...


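An added example (not Miro's code) for the point above: several named parameters in one statement, each added once, together with the caveat his sketch runs into. A parameter can only stand in for a value; SQL Server will not accept @bla as a table name or @bill as a column name, so table and column identifiers have to come from a fixed list in your own code rather than from the user. The names in the allowed lists and the VARCHAR(50) widths are assumptions.

```vbnet
' Added example, not code from the thread: several named parameters in one
' statement, plus the limit Miro's sketch runs into. Parameters replace
' values only; SQL Server does not accept @bla as a table name or @bill as
' a column name, so identifiers come from a fixed list in the code.
' Assumptions: the table and column names below, VARCHAR(50) values.
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient

Public Module MultiParameterQuery

    ' Identifiers the application is allowed to query (assumed names).
    Private ReadOnly AllowedTables() As String = _
        New String() {"tblAssets", "Employee"}
    Private ReadOnly AllowedColumns() As String = _
        New String() {"Asset_Tag", "FirstName", "LastName"}

    Private Function IsAllowed(ByVal name As String, _
                               ByVal allowed() As String) As Boolean
        Return Array.IndexOf(allowed, name) >= 0
    End Function

    ' Builds  SELECT * FROM [table] WHERE [column] BETWEEN @low AND @high
    ' Table and column are checked against the allowed lists; the two
    ' values are parameters with unique names, as Miro describes.
    Public Function CreateRangeCommand(ByVal con As SqlConnection, _
                                       ByVal table As String, _
                                       ByVal column As String, _
                                       ByVal low As String, _
                                       ByVal high As String) As SqlCommand
        If Not IsAllowed(table, AllowedTables) Then
            Throw New ArgumentException("Table is not in the allowed list", "table")
        End If
        If Not IsAllowed(column, AllowedColumns) Then
            Throw New ArgumentException("Column is not in the allowed list", "column")
        End If

        ' Brackets quote the identifier. Safe here because only whitelist
        ' entries reach this line and none of them contains ']'.
        Dim sql As String = "SELECT * FROM [" & table & "] " & _
                            "WHERE [" & column & "] BETWEEN @low AND @high"
        Dim cmd As New SqlCommand(sql, con)
        ' Add each distinct name exactly once; a name may appear several
        ' times in the SQL text and still map to the one parameter.
        cmd.Parameters.Add("@low", SqlDbType.VarChar, 50).Value = low
        cmd.Parameters.Add("@high", SqlDbType.VarChar, 50).Value = high
        Return cmd
    End Function

    ' Check before executing: every parameter added is referenced in the
    ' text. Catches a renamed placeholder, which otherwise fails only at
    ' run time with "Must declare the scalar variable".
    Public Function ParametersAreReferenced(ByVal cmd As SqlCommand) As Boolean
        For Each p As SqlParameter In cmd.Parameters
            If cmd.CommandText.IndexOf(p.ParameterName, _
                                       StringComparison.OrdinalIgnoreCase) < 0 Then
                Return False
            End If
        Next
        Return True
    End Function

    Sub Main()
        ' No database is needed to build the command; the connection stays closed.
        Using con As New SqlConnection()
            Dim cmd As SqlCommand = CreateRangeCommand( _
                con, "tblAssets", "Asset_Tag", "A-0001", "A-0999")
            Console.WriteLine(cmd.CommandText)
            Console.WriteLine("parameters referenced: " & ParametersAreReferenced(cmd))
            Try
                ' A user-controlled identifier is rejected before any SQL is built.
                CreateRangeCommand(con, "tblAssets; DROP TABLE tblAssets; --", _
                                   "Asset_Tag", "a", "z")
            Catch ex As ArgumentException
                Console.WriteLine("rejected: " & ex.Message)
            End Try
        End Using
    End Sub

End Module
```

The whitelist check is the only defence for the identifier positions, because no parameter mechanism exists for them; the BETWEEN values go through the same SqlParameter path as Bill's single @assetTag, so the same injection strings are inert there.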

