Showing error read time no details show... Please help me.


Problem description


Showing error read time no details show... Please help me.
In these two lines:

cmbpartynm.Text = dr("prtynm")
cmbinvtype.Text = dr("invtyp")


If I delete the 1st line then the error shows on the 2nd line.
Please help me.

001 — imgbb.com
002 — imgbb.com
003 — imgbb.com
004 — imgbb.com
001 — imgbb.com

Please see the link and please help me. Are you talking about this portion for "SQL Injection" or my coding portion? I don't know English well, please forgive me.

If I turn off these two lines then there is no error:
cmbpartynm.Text = dr("prtynm")
cmbinvtype.Text = dr("invtyp")

I run two private subs for these two comboboxes in the form load event. I think the problem comes from here. So, I stopped running these two private subs. Then no error and no problem.
The two private subs are:

1) For party name combobox

Private Sub loadpartyNAME()
    Call connection()
    ' unmcmb.Enabled = False
    Dim ds As New DataSet
    Dim dt As New DataTable
    Dim da As New OleDb.OleDbDataAdapter
    da = New OleDb.OleDbDataAdapter("select * from party_ldg", cn)
    da.Fill(ds, "party_ldg")
    ds.Tables(0).DefaultView.Sort = "prtynm"
    ' cn.Close()
    With cmbpartynm
        .DataSource = ds.Tables("party_ldg")
        .DisplayMember = "prtynm"
        '.ValueMember = "UNTid"
    End With
End Sub



2) For Inv Type (cash/credit combobox)

Private Sub loadinvoicetype()
    Call connection()
    ' unmcmb.Enabled = False
    Dim ds As New DataSet
    ' Dim dt As New DataTable
    Dim da As New OleDb.OleDbDataAdapter

    da = New OleDb.OleDbDataAdapter("select * from inv_type", cn)
    da.Fill(ds, "inv_type")
    ds.Tables(0).DefaultView.Sort = "invtyp"
    ' cn.Close()
    With cmbinvtype
        .DataSource = ds.Tables("inv_type")
        .DisplayMember = "invtyp"
        '.ValueMember = "UNTid"
    End With

End Sub



What I have tried:

        If cn.State = ConnectionState.Open Then
            cn.Close()
        End If
        cn.Open()
        Call connection()
        Dim str As String
        str = "SELECT * FROM party_ldg,inv_type,pur_inv  WHERE pur_inv.partyIDpur=party_ldg.partyID and pur_inv.invtypidpur=inv_type.invtypid and purinvid = '" & TextBox1.Text & "'"
        Dim cm As OleDb.OleDbCommand = New OleDb.OleDbCommand(str, cn)
        dr = cm.ExecuteReader
        While dr.Read()
            '     txtpurinvid.Text = dr("purinvid")
            txtminvdt.Text = dr("purinvdt")
            txtpurinvno.Text = dr("invno")
            txtmpurinvdt.Text = dr("invdt")
            txttotaltaxable.Text = dr("tottaxblamt")
            txttotaltaxamt.Text = dr("taxamt")
            txtinvamt.Text = dr("invamt")
            txtnrr.Text = dr("nrr")
            cmbpartynm.Text = dr("prtynm")
            cmbinvtype.Text = dr("invtyp")
            txtpartyid.Text = dr("partyIDpur")
            txtinvtypeid.Text = dr("invtypidpur")
        End While
        ' Button5_Click(sender, e)
        'Button2_Click(sender, e)
    End Sub

Solution

Don't do it like that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

That probably won't solve your original problem immediately, but it'll save your DB later on...

We can't solve it for you - we don't have access to your data, which you need in order to look at what is actually happening. So, it's going to be up to you.
Put a breakpoint on the first line in the function, and run your code through the debugger. Then look at your code, and at your data and work out what should happen manually. Then single step each line checking that what you expected to happen is exactly what did. When it isn't, that's when you have a problem, and you can back-track (or run it again and look more closely) to find out why.

Sorry, but we can't do that for you - time for you to learn a new (and very, very useful) skill: debugging!


Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens the door to a vulnerability named "SQL injection"; it is dangerous for your database and error prone.
A single quote in a name and your program crashes. If a user input of a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems: a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia
SQL Injection
-----
There is a tool that allows you to see what your code is doing; its name is debugger. It is also a great learning tool because it shows you reality and you can see which expectations match reality.
When you don't understand what your code is doing or why it does what it does, the answer is debugger.
Use the debugger to see what your code is doing. Just set a breakpoint and see your code performing; the debugger allows you to execute lines 1 by 1 and to inspect variables as it executes.

Debugger - Wikipedia, the free encyclopedia

Mastering Debugging in Visual Studio 2010 - A Beginner's Guide
Basic Debugging with Visual Studio 2010 - YouTube
Visual Basic / Visual Studio Video Tutorial - Basic Debugging - YouTube
Visual Basic .NET programming for Beginners - Breakpoints and Debugging Tools
The debugger is here to show you what your code is doing and your task is to compare with what it should do.
There is no magic in the debugger, it doesn't find bugs, it just helps you to. When the code doesn't do what is expected, you are close to a bug.
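
The parameterized form that both answers recommend, applied to the query from the question. This is an added example in VB.NET, not code from the original posts; the module and function names, the connection-string argument and the text parameter type and length are assumptions.

```vbnet
Imports System.Data
Imports System.Data.OleDb

Module PurchaseInvoiceLookup

    ' Same three-table lookup as in the question, but the invoice id is sent
    ' as a parameter. OleDb uses positional "?" placeholders, so the value is
    ' never parsed as SQL text, whatever characters it contains.
    Private Const InvoiceSql As String =
        "SELECT * FROM party_ldg, inv_type, pur_inv " &
        "WHERE pur_inv.partyIDpur = party_ldg.partyID " &
        "AND pur_inv.invtypidpur = inv_type.invtypid " &
        "AND purinvid = ?"

    ' connectionString is an assumption: pass whatever connection() uses.
    Public Function LoadPurchaseInvoice(connectionString As String,
                                        purInvId As String) As DataTable
        Dim result As New DataTable()
        Using cn As New OleDbConnection(connectionString)
            Using cmd As New OleDbCommand(InvoiceSql, cn)
                ' Assumed column type: text (the original query quoted the value).
                ' Use the matching OleDbType if purinvid is numeric.
                cmd.Parameters.Add("@purinvid", OleDbType.VarWChar, 50).Value = purInvId
                cn.Open()
                Using dr As OleDbDataReader = cmd.ExecuteReader()
                    result.Load(dr)
                End Using
            End Using
        End Using
        Return result
    End Function

    ' Explicit conversion: row(...) returns Object, and Convert.ToString
    ' turns DBNull into an empty string instead of failing on assignment.
    Public Function FieldText(row As DataRow, column As String) As String
        Return Convert.ToString(row(column))
    End Function

End Module
```

In the form, the result would be read with calls such as `txtpartyid.Text = FieldText(dt.Rows(0), "partyIDpur")` after checking that `dt.Rows.Count > 0`.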

