Incorrect syntax near ')'. Dim temp As Integer = Convert.ToInt32(cmd.ExecuteScalar().ToString())

Time: 2017-08-30 11:50:28

Tags: sql vb.net visual-studio-2015

Incorrect syntax near ')'.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Incorrect syntax near ')'.

Source Error:

Dim cmd As SqlCommand = New SqlCommand(checkuser, con)
Dim temp As Integer = Convert.ToInt32(cmd.ExecuteScalar().ToString())
con.Close()

Full code:

Protected Sub Buttonlogin_Click(sender As Object, e As EventArgs) Handles Buttonlogin.Click
    If (Page.IsPostBack) Then

        Dim con As New SqlConnection("Data Source=.;Initial Catalog=DMS;User ID=sa;Password=football2u")

        con.Open()
        Dim checkuser As String = "Select count from DMSRegform where Username ='" + TextBoxuser.Text + "')"
        Dim cmd As SqlCommand = New SqlCommand(checkuser, con)

        Dim temp As Integer = Convert.ToInt32(cmd.ExecuteScalar().ToString())
        con.Close()

        If temp = 1 Then
            con.Open()
            Dim checkpasswordquery As String = "Select password from DMSRegform Where Username ='" + TextBoxpass.Text + "')"
            Dim Passwordcmd As SqlCommand = New SqlCommand(checkpasswordquery, con)
            Dim password As String = Passwordcmd.ExecuteScalar().ToString()

            If password = TextBoxpass.Text Then
                'Session["New"] = Textboxuser.text
                Response.Write("Password correct")
            Else
                Response.Write("Password is incorrect")
            End If
        Else
            Response.Write("Username is incorrect")
        End If
    End If
End Sub

2 Answers:

Answer 0 (score: 2)

Your query has a closing parenthesis ) at the end but no matching opening parenthesis. Just remove it.

Also, your code is vulnerable to SQL Injection. What if someone decided to enter this into TextBoxuser:

'; DROP TABLE DMSRegform; --

You should definitely switch to a parameterized query to avoid the security problem:

Dim checkuser As String = "Select count from DMSRegform where Username = @User"

Dim cmd As SqlCommand = New SqlCommand(checkuser, con)

cmd.Parameters.Add("@User", SqlDbType.VarChar, <maximum column length>).Value = TextBoxuser.Text

Answer 1 (score: 1)

Dim checkuser As String = "Select count from DMSRegform where Username ='" + TextBoxuser.Text + "')"
....
Dim checkpasswordquery As String = "Select password from DMSRegform Where Username ='" + TextBoxpass.Text + "')"

Why are you adding a final ) to the queries? Remove the ) from both of them and it should be fine.

Also, never use string concatenation to compose queries. Use parameterized queries, or you will be exposed to SQL Injection.
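A hardened version of the handler from the question, added here as an example and not taken from either answer. It applies both answers' advice: the stray ) is gone, both queries take @User as a typed parameter instead of splicing TextBoxuser.Text into the SQL, and the connections and commands are wrapped in Using blocks so they are disposed. Assumptions not on the page: the connection string is read from web.config under the name "DMS" rather than hard-coded with the sa account, COUNT(*) is taken to be what "Select count" intended, 50 stands in for the real width of the Username column, and the second query filters on TextBoxuser.Text (the original filtered Username by TextBoxpass.Text).

```vbnet
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient

Protected Sub Buttonlogin_Click(sender As Object, e As EventArgs) Handles Buttonlogin.Click
    ' Assumed: connection string stored in web.config under the name "DMS".
    Dim connStr As String = ConfigurationManager.ConnectionStrings("DMS").ConnectionString

    ' Named parameters: the text box contents are sent as values, never as SQL text.
    Const checkUser As String = "SELECT COUNT(*) FROM DMSRegform WHERE Username = @User"
    Const checkPassword As String = "SELECT password FROM DMSRegform WHERE Username = @User"

    ' Assumed width of DMSRegform.Username; replace with the real column length.
    Const usernameLength As Integer = 50

    Using con As New SqlConnection(connStr)
        con.Open()

        Dim userCount As Integer
        Using cmd As New SqlCommand(checkUser, con)
            cmd.Parameters.Add("@User", SqlDbType.VarChar, usernameLength).Value = TextBoxuser.Text
            userCount = Convert.ToInt32(cmd.ExecuteScalar())
        End Using

        If userCount <> 1 Then
            Response.Write("Username is incorrect")
            Return
        End If

        Using cmd As New SqlCommand(checkPassword, con)
            ' Filter on the username box here; the original second query used TextBoxpass.Text.
            cmd.Parameters.Add("@User", SqlDbType.VarChar, usernameLength).Value = TextBoxuser.Text
            ' ExecuteScalar returns Nothing when no row matches; Convert.ToString maps that to "".
            Dim storedPassword As String = Convert.ToString(cmd.ExecuteScalar())

            If storedPassword = TextBoxpass.Text Then
                Response.Write("Password correct")
            Else
                Response.Write("Password is incorrect")
            End If
        End Using
    End Using
End Sub
```

With parameters in place, an input such as the '; DROP TABLE DMSRegform; -- shown in Answer 0 is compared against the Username column as a literal string and simply matches no row.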