Why parameterise query is not working


Problem description


I have got a silly problem when I check username and password in my login form but .... But it's not working...

What I have tried:

Dim ole as new oledb.oledbcommand()
ConnectData() ' database connection procedure
ole.connection = conn
Ole.commandText = "select * from login where user = '@usern' and pass = '@pass'"

Ole.parameters.add("@usern",oledbtype.varchar,30).value = username 'username is string type variable
ole.parameters.add("@pass",oledbtype.varchar,30).value = password 'password is string type variable

Dim dr as oledb.oledbdatareader = ole.executereader

if dr.read() then
   dr.close
   Return true
Else
   Dr.close
   Return false
End if

Solution

When you use parameters, you don't use apostrophes for the values. So instead of

Ole.commandText = "select * from login where user = '@usern' and pass = '@pass'"


try

Ole.commandText = "select * from login where user = @usern and pass = @pass"


Another thing is that you should properly dispose of the objects. The easiest way is to use a using block. For examples, have a look at Properly executing database operations.

And the third thing is that you seem to store the password as plain text. If this really is the case, you should fix it as soon as possible. Have a look at Password Storage: How to do it.
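An added example, not part of the original question or answer: it reproduces the quoted-placeholder mistake and the corrected query, using Python's built-in `sqlite3` as a stand-in for OleDb (SQLite's `:usern` placeholder plays the role of `@usern`), and stores a salted PBKDF2 hash instead of the plain-text password. The table layout, sample user, iteration count and function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 100_000  # assumed value for this example


def hash_password(password, salt):
    """Derive a salted PBKDF2-HMAC-SHA256 hash; this is what gets stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_db():
    """Constructed sample data: one user, stored as salt + hash, no plain text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (user TEXT PRIMARY KEY, salt BLOB, pass_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO login VALUES (?, ?, ?)",
                 ("alice", salt, hash_password("s3cret!", salt)))
    return conn


def find_user_quoted(conn, username):
    """Broken form from the question: the placeholder sits inside quotes."""
    # ':usern' is now an ordinary string literal, so the statement has no
    # parameters at all and the supplied value is silently ignored.
    sql = "SELECT user FROM login WHERE user = ':usern'"
    return conn.execute(sql, {"usern": username}).fetchone()


def check_login(conn, username, password):
    """Corrected form: unquoted placeholder, then a constant-time hash compare."""
    sql = "SELECT salt, pass_hash FROM login WHERE user = :usern"
    row = conn.execute(sql, {"usern": username}).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


if __name__ == "__main__":
    db = make_db()
    print("quoted placeholder finds alice:", find_user_quoted(db, "alice"))
    print("correct password:", check_login(db, "alice", "s3cret!"))
    print("wrong password:", check_login(db, "alice", "guess"))
```

The quoted query never raises an error, which is why the original login simply returned false for every user.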

