如何重写此MySQL查询以包含参数?

时间:2013-02-22 22:14:34

标签: mysql vb.net

晚上好,

我今天整天都在工作,但没有用。我使用下面的代码在文本框中输入用户输入并搜索数据库(作为用户类型)并在ListView控件中显示结果。它按原样工作,但我知道它不安全,因为它没有参数化。我知道如何将参数添加到MySQLCommand对象,但无法弄清楚如何将其添加到查询中。非常感谢任何帮助,谢谢。

这是我的代码:

Private Sub TextBoxSearch_TextChanged(sender As Object, e As System.EventArgs) Handles TextBoxSearch.TextChanged

    Dim dbConn As New MySqlConnection(String.Format("Server={0};Port={1};Uid={2};Password={3};Database=accounting", FormLogin.ComboBoxServerIP.SelectedItem, My.Settings.DB_Port, My.Settings.DB_UserID, My.Settings.DB_Password))
    Dim dbQuery As String = ""
    Dim dbCmd As New MySqlCommand
    Dim dbReader As MySqlDataReader
    Dim a, b, c, d, f, g

    Try
        dbQuery = "SELECT * FROM cc_master INNER JOIN customer ON customer.accountNumber = cc_master.customer_accountNumber " & _
            "WHERE nameCOMPANY OR accountNumber LIKE '%" & TextBoxSearch.Text & "%' " & _
            "ORDER BY nameCOMPANY ASC"
        dbConn.Open()
        dbCmd = New MySqlCommand(dbQuery, dbConn)
        dbReader = dbCmd.ExecuteReader()

        ListViewRecords.Items.Clear()

        Do While dbReader.Read()

            a = (dbReader.Item("ccID").ToString())
            b = (dbReader.Item("accountNumber").ToString())
            c = (dbReader.Item("nameCOMPANY").ToString())
            d = DecryptCard(dbReader.Item("ccNumber").ToString())
            f = (dbReader.Item("ccExpireMonth").ToString())
            g = (dbReader.Item("ccExpireYear").ToString())

            Dim item As ListViewItem = ListViewRecords.Items.Add(a)
            item.SubItems.Add(b)
            item.SubItems.Add(c)
            item.SubItems.Add(d)
            item.SubItems.Add(f)
            item.SubItems.Add(g)
        Loop
        dbReader.Close()
    Catch ex As Exception
        MessageBox.Show("A DATABASE ERROR HAS OCCURED" & vbCrLf & vbCrLf & ex.Message & vbCrLf & _
                            vbCrLf + "Please report this to the IT/Systems Helpdesk at Ext 131.")
    End Try
    dbConn.Close()
    dbCmd.Dispose()

End Sub

2 个答案:

答案 0 :(得分:2)

我假设您的问题是通配符无法正常工作。这不起作用,因为参数不能用引号括起来。

dbQuery = "SELECT * FROM cc_master INNER JOIN customer ON customer.accountNumber = cc_master.customer_accountNumber " & _
        "WHERE nameCOMPANY OR accountNumber LIKE '%?ParameterName%' " & _
        "ORDER BY nameCOMPANY ASC"

要修复此问题,您可以先将通配符连接到参数中,然后将其插入查询中。

Dim parameter = "%" & TextBoxSearch.Text & "%"

dbQuery = "SELECT * FROM cc_master INNER JOIN customer ON customer.accountNumber = cc_master.customer_accountNumber " & _
        "WHERE nameCOMPANY OR accountNumber LIKE ?ParameterName " & _
        "ORDER BY nameCOMPANY ASC"

答案 1 :(得分:0)

你的意思是:

    dbQuery = "SELECT * FROM cc_master INNER JOIN customer " & _
        "ON customer.accountNumber = cc_master.customer_accountNumber " & _
        "WHERE nameCOMPANY OR accountNumber LIKE '%' + ? + '%' " & _
        "ORDER BY nameCOMPANY ASC"

    dbConn.Open()
    dbCmd.Connection = dbConn
    dbCmd.CommandType = CommandType.Text
    dbCmd.CommandText = dbQuery
    dbCmd.Parameters.AddWithValue("?", TextBoxSearch.Text)
    dbReader = dbCmd.ExecuteReader()

但是,我认为使用存储过程并将参数传递给http://www.mysqltutorial.org/stored-procedures-parameters.aspx

可能会更好