我试图从访问数据库中检索数据.....简单的搜索，但得到错误请帮助我 [英] im trying to retrieve data from access database..... simple search but getting error help me please

问题描述

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.Data.OleDb;

namespace data_retrive
{
    public partial class Form1 : Form
    {
        private OleDbConnection connection = new OleDbConnection();
        public Form1()
        {
            InitializeComponent();
            connection.ConnectionString = @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Users\SunilK\Desktop\ISES-V4\DB.accdb;
Persist Security Info=False;";
        }

        private void Form1_Load(object sender, EventArgs e)
        {

        }

        private void button1_Click(object sender, EventArgs e)
        {
            DataTable dt = new DataTable();
            connection.Open();
            OleDbDataReader dr = null;
            OleDbCommand cmd = new OleDbCommand("SELECT [sub1], [sub2], [sub3], [sub4], [sub5] FROM Marks WHERE ([ID] = "+ textBox1.Text +") ", connection);
        
            dr = cmd.ExecuteReader();
            while (dr.Read())
            {
                textBox2.Text = (dr["sub1"].ToString());
                textBox3.Text = (dr["sub2"].ToString());
                textBox4.Text = (dr["sub3"].ToString());
               
            }
            connection.Close();
        }
    }
}

推荐答案

在不知道确切错误信息的情况下，很难说，但首先要做的是停止连接字符串以形成SQL命令。它是危险的，因为它让您对SQL注入攻击持开放态度，这可能会意外或故意破坏或破坏您的数据库。您应该始终使用参数化查询：

Without knowing the exact error message, it's difficult to say, but the first thing to do is to stop concatenating strings to form an SQL command. It's dangerous, because it leaves you wide open to SQL Injection attacks which can accidentally or deliberately damage or destroy your database. You should always use parameterized queries:

OleDbCommand cmd = new OleDbCommand("SELECT [sub1], [sub2], [sub3], [sub4], [sub5] FROM Marks WHERE [ID] = @ID", connection);
cmd.Parameters.AddWithValue("@ID", textBox1.Text);
dr = cmd.ExecuteReader();

这很可能会解决您目前遇到的问题 - 但如果没有，我们需要知道确切的错误信息和哪一行它正在发生。

There is a very good chance that that will cure the problem you are having at the moment as well - but if it doesn't, we need to know the exact error message and which line it is occurring on.

如果您的ID列是一个字符串，您 将 引用 textBox1 .Text ：

If your ID-column is a string you would have to quote textBox1.Text:

"SELECT [sub1], [sub2], [sub3], [sub4], [sub5] FROM Marks WHERE ([ID] = '"+ textBox1.Text +"')"

但是：你不应该通过将值连接为文字来构建查询字符串。



相反，您应该使用SQL-Parameters。请参阅我之前的一个答案，其中我写了一个示例性的良好实践数据库访问。我还解释了SQL参数的优点：



如何循环sql server表来创建datagridview - sql表字段匹配csv字段 [ ^ ]



不幸的是，代码格式有点混乱，因为这个网站存在轻微的错误。代码中有一个< pre> -Tag，不属于那里，最后一行不再是代码块的一部分。



编辑：复制和粘贴综合症已修复（第一句）

But: You shouldn't build your query-strings by concatenating the values as literals anyway.

Instead you should use SQL-Parameters. Please see one of my previous answers where I wrote an exemplary "good practice" database-access. I also explain there the advantages of SQL-Parameters:

how to loop sql server table to create a datagridview - sql table field matches csv field[^]

The code-formatting is a bit messed up there, unfortunately, because of slight bugs with this website. There's a <pre>-Tag in the code that doesn't belong there and the last line isn't part of the code-block any more.

copy&paste syndrome fixed (first sentence)

这篇关于我试图从访问数据库中检索数据.....简单的搜索，但得到错误请帮助我的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！