Data type mismatch is the warning (Visual Basic 2008)

Problem description

Private Sub btnedit_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnedit.Click
    connect.Open()
    Dim cmd As OleDb.OleDbCommand = New OleDb.OleDbCommand("SELECT * FROM tbluser", connect)
    sql = "update tbluser set  Username ='" & TextBox2.Text & "', Password ='" & TextBox3.Text & "', Userlevel ='" & ComboBox1.Text & "'where IDnumber= '" & TextBox1.Text & "'"
    cmd = New OleDb.OleDbCommand(sql, connect)
    cmd.ExecuteNonQuery()
    connect.Close()
    MsgBox("Updated")
End Sub

Private Sub btndelete_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btndelete.Click
    connect.Open()
    Dim cmd As OleDb.OleDbCommand = New OleDb.OleDbCommand("Select * from tbluser where IDnumber ='" & TextBox1.Text & "'", connect)
    Dim sdr As OleDb.OleDbDataReader = cmd.ExecuteReader
    If (MsgBox("Are you sure you want to delete this record?", vbOKCancel) = vbOK) Then
        sql = "Delete * from tblUser where userid='" & TextBox1.Text & "'"
        cmd = New OleDb.OleDbCommand(sql, connect)
        cmd.ExecuteNonQuery()
        connect.Close()
    Else
        MsgBox("Operation Cancelled")
        connect.Close()
        Exit Sub
    End If
End Sub

Recommended answer

You should use Parameterized Query technique instead of inline query. It not only helps you to pass the parameter with appropriate datatype, but also prevents the application from SQL Injection Attacks.

Refer - Using Parameterized queries to prevent SQL Injection Attacks in SQL Server.
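
The answer's advice applied to the update query from the question, as an added example that is not part of the original post or answer. It assumes IDnumber is a numeric column (quoting a number as text is a common cause of a data type mismatch) and that the caller supplies the connection string; UserQueries, UpdateUser and their parameter names are hypothetical.

```vbnet
Imports System.Data.OleDb

Module UserQueries
    ' Updates one row of tbluser and returns the number of rows affected,
    ' or -1 when idText is not a valid integer.
    ' Assumption: IDnumber is a numeric (Long Integer) column.
    Public Function UpdateUser(ByVal connectionString As String, ByVal idText As String, _
                               ByVal userName As String, ByVal password As String, _
                               ByVal userLevel As String) As Integer
        Dim id As Integer
        If Not Integer.TryParse(idText, id) Then
            Return -1 ' reject non-numeric input before it reaches the database
        End If

        ' OleDb placeholders are positional: each "?" is bound in the order the
        ' parameters are added below; the parameter names are only labels.
        ' Password is a reserved word in Access SQL, hence the brackets.
        Dim sql As String = "UPDATE tbluser SET Username = ?, [Password] = ?, " & _
                            "Userlevel = ? WHERE IDnumber = ?"

        Using conn As New OleDbConnection(connectionString)
            Using cmd As New OleDbCommand(sql, conn)
                ' Text values travel as typed parameters, so quotes inside them
                ' are data and cannot change the structure of the statement.
                cmd.Parameters.Add("@Username", OleDbType.VarWChar, 255).Value = userName
                cmd.Parameters.Add("@Password", OleDbType.VarWChar, 255).Value = password
                cmd.Parameters.Add("@Userlevel", OleDbType.VarWChar, 255).Value = userLevel
                ' The ID is sent as an integer, matching the assumed column type.
                cmd.Parameters.Add("@IDnumber", OleDbType.Integer).Value = id
                conn.Open()
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function
End Module
```

A return value of 0 means no row had that IDnumber, which the button handler can report instead of showing "Updated" unconditionally.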

