我正在构建一个查询MSSQL数据库的小型VB应用程序,然后在列表框中显示这些结果。有一个TextBox(TextBox1),用户将在其中输入CharName,该CharName将用于选择数据库中的CharName以仅返回该用户的结果。我目前将sql查询编码为Button1。
所以我需要帮助的是从TextBox1获取输入并使用用户提供的输入替换sql查询中的Chars.CharName,以便在单击按钮时执行查询并使用结果填充ListBox1。
顺便说一下,我是一个VB(显然)的总菜鸟。
我到目前为止的代码是:
Public Class Form1
Private Sub Form1_Load(sender As System.Object, e As System.EventArgs) Handles MyBase.Load
End Sub
Private Sub TextBox1_Text(sender As System.Object, e As System.EventArgs) Handles TextBox1.TextChanged
End Sub
Private Sub Button1_Click(sender As System.Object, e As System.EventArgs) Handles Button1.Click
Dim sqlquery As String
sqlquery = ("SELECT Chars.CharName, CharItems.Type, CharItems.TypeID, CharItems.ItemName, CharItems.Bag, CharItems.Slot, CharItems.ItemUID, CharItems.Craftname, CharItems.Gem1, CharItems.Gem2, CharItems.Gem3, CharItems.Gem4, CharItems.Gem5, CharItems.Gem6 FROM Chars INNER JOIN CharItems ON Chars.CharID = CharItems.CharID WHERE ([CharName] = '" + TextBox1.Text + "'")
End Sub
Private Sub ListBox1_SelectedIndexChanged(sender As System.Object, e As System.EventArgs) Handles ListBox1.SelectedIndexChanged
End Sub
End Class
答案 0 :(得分:1)
您需要建立连接并从数据库中获取结果并将其存储在Datatable中,然后您可以将Datatable绑定到ListBox
答案 1 :(得分:0)
设置sqlquery的值时,您不需要在字符串文字周围使用括号,并且那里也存在拼写错误。
应该只是
Dim sqlquery As String
sqlquery = "SELECT Chars.CharName, CharItems.Type, CharItems.TypeID, CharItems.ItemName, CharItems.Bag, CharItems.Slot, CharItems.ItemUID, CharItems.Craftname, CharItems.Gem1, CharItems.Gem2, CharItems.Gem3, CharItems.Gem4, CharItems.Gem5, CharItems.Gem6 FROM Chars INNER JOIN CharItems ON Chars.CharID = CharItems.CharID WHERE [CharName] = '" + TextBox1.Text + "'"
使用这种方法存在SQL注入的整个问题,我不想进入这里,但是您真的应该阅读执行存储过程而不是原始SQL,以便您可以参数化您的输入。
答案 2 :(得分:0)
不是一个VB人,所以这不是我的头脑。请注意评论,但
'put these at the top of your code file:
imports System.Data.SqlClient
imports System.Data
'and this in the Button1_Click:
dim sql as string
dim cname as string
cname=TextBox1.Text
'never just directly accept the input from a textbox, etc, into an SQL query. Always use a parameter so prevent SQL Injection attacks.
sqlquery="SELECT Chars.CharName, CharItems.Type, CharItems.TypeID,CharItems.ItemName,CharItems.Bag, CharItems.Slot, CharItems.ItemUID, CharItems.Craftname, CharItems.Gem1, CharItems.Gem2, CharItems.Gem3, CharItems.Gem4, CharItems.Gem5, CharItems.Gem6 FROM Chars INNER JOIN CharItems ON Chars.CharID = CharItems.CharID WHERE Chars.CharName = @CharName"
using connection as SqlConnection = new SqlConnection(ConnectionString) 'substitute ConnectionString for the connection string to your database, where you get this from is beyond the scope of this code but it should be somewhere secure i.e app.config ConnectionStrings section
connection.Open()
using comm as SqlCommand = new SqlCommand(query,conn)
dim p as SqlParameter = new SqlParameter("CharName",cname)
comm.Parameters.Add(p)
dim rs as SqlDataReader = comm.ExecuteReader
dim dt as DataTable = new DataTable
dt.Fill(rs)
end using 'comm
end using 'conn
ListBox1.DisplayMember="CharName"
ListBox1.DataSource=dt
ListBox1.DataBind()