SQL Command.ExecuteReader vb.net


Problem description


I am trying to use a login form with SQL Express 2012 and vb.net. I have the db connection, now I have the following problem: "Incorrect syntax near '='" for the line `data = command.ExecuteReader`. Any suggestions? Here is the code. Thanks!!!!!!!

Imports System.Data.SqlClient
Imports System.Data.OleDb

Public Class login
    Private Sub login_user_Click(sender As Object, e As EventArgs) Handles login_user.Click
        Dim conn As New SqlConnection
        If conn.State = ConnectionState.Closed Then
            conn.ConnectionString = ("Server=192.168.0.2;Database=Sunshinetix;User=sa;Password=sunshine;")
        End If

        Try
            conn.Open()
            Dim sqlquery As String = "SELECT = FROM Users Where Username = '" & username_user.Text & "';"
            Dim data As SqlDataReader
            Dim adapter As New SqlDataAdapter
            Dim command As New SqlCommand
            command.CommandText = sqlquery
            command.Connection = conn
            adapter.SelectCommand = command
            data = command.ExecuteReader()
            While data.Read
                If data.HasRows = True Then
                    If data(2).ToString = password_user.Text Then
                        MsgBox("Sucsess")
                    Else
                        MsgBox("Login Failed! Please try again or contact support")
                    End If
                Else
                    MsgBox("Login Failed! Please try again or contact support")
                End If
            End While
        Catch ex As Exception

        End Try
    End Sub
End Class

Accepted answer


The problem was that your query is SELECT = FROM, which is obviously a typo; the correct syntax is SELECT * FROM.

See my code to avoid SQL injection.

Try this code:

    Private Sub login_user_Click(sender As Object, e As EventArgs) Handles login_user.Click
        Dim conn As New SqlConnection
        If conn.State = ConnectionState.Closed Then
            conn.ConnectionString = ("Server=192.168.0.2;Database=Sunshinetix;User=sa;Password=sunshine;")
        End If

        Try
            conn.Open()
            ' The username is passed as a parameter, never concatenated into the SQL text.
            Dim sqlquery As String = "SELECT * FROM Users Where Username = @user;"

            Dim data As SqlDataReader
            Dim command As SqlCommand = New SqlCommand(sqlquery, conn)
            With command.Parameters
                ' Bind the username field to @user (the posted version bound password_user.Text by mistake).
                .Add(New SqlParameter("@user", username_user.Text))
            End With
            data = command.ExecuteReader()
            While data.Read
                If data.HasRows = True Then
                    If data(2).ToString = password_user.Text Then
                        MsgBox("Sucsess")
                    Else
                        MsgBox("Login Failed! Please try again or contact support")
                    End If
                Else
                    MsgBox("Login Failed! Please try again or contact support")
                End If
            End While
            data.Close()
        Catch ex As Exception
            ' Exceptions are swallowed here; log or report them in production code.
        Finally
            conn.Close()
        End Try
    End Sub


I would recommend that you use a parameterized query to avoid SQL injection.
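As an added example (not code from the question or the answer above), here is the same login check written as a stand-alone function: the username is bound as a typed SqlClient parameter, the password column is read by name instead of by index, and the connection and reader are disposed with Using blocks. It assumes a Users table with columns Username and Password, and mirrors the thread's plaintext comparison of the stored value.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Public Module LoginCheck

    ' Returns True only when a row matches the given username and its stored
    ' Password column equals the supplied password (plaintext, as in the thread).
    ' Assumption: the table is Users(Username, Password).
    Public Function IsValidLogin(connectionString As String,
                                 username As String,
                                 password As String) As Boolean
        ' @user is a placeholder: user input is sent as a value, never as SQL text,
        ' so a quote in the username cannot change the statement's structure.
        Const sqlquery As String =
            "SELECT Password FROM Users WHERE Username = @user;"

        Using conn As New SqlConnection(connectionString)
            Using command As New SqlCommand(sqlquery, conn)
                ' Explicit type and length keep the server from guessing the parameter type.
                command.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = username
                conn.Open()
                Using data As SqlDataReader = command.ExecuteReader()
                    ' Read() returns False when no row matched: the login fails.
                    If Not data.Read() Then Return False
                    Dim stored As String = data.GetString(data.GetOrdinal("Password"))
                    ' Ordinal comparison: no culture-dependent equality rules.
                    Return String.Equals(stored, password, StringComparison.Ordinal)
                End Using
            End Using
        End Using
    End Function

End Module
```

From the form's click handler, call `IsValidLogin(connectionString, username_user.Text, password_user.Text)` and show the success or failure message based on the returned Boolean.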
