这是我如何在vb.net中的MYSQL上插入一个新人
Dim cmd2 As New MySqlCommand("INSERT INTO login (username, password) VALUES (username ,
password)", db_con)
还是有更好的方法。
答案 0 :(得分:1)
使用参数化查询来防止SQL注入或甚至更好地使用存储过程。
Imports System
Imports System.Collections.Generic
Imports System.Linq
Imports System.Text
Imports System.Data
Imports MySql.Data
Imports MySql.Data.MySqlClient
Module Module1
Sub Main()
Dim conn As New MySqlConnection()
conn.ConnectionString = "xyz"
Dim cmd As New MySqlCommand()
'Here we execute a command to insert data via stored procedure
Try
Console.WriteLine("Connecting to MySQL...")
conn.Open()
cmd.Connection = conn
cmd.CommandText = "add_emp"
cmd.CommandType = CommandType.StoredProcedure
cmd.Parameters.AddWithValue("@uname", "Jeremy")
cmd.Parameters("@uname").Direction = ParameterDirection.Input
cmd.Parameters.AddWithValue("@pword", "123abc")
cmd.Parameters("@pword").Direction = ParameterDirection.Input
cmd.Parameters.AddWithValue("@empno", MySqlDbType.Int32)
cmd.Parameters("@empno").Direction = ParameterDirection.Output
cmd.ExecuteNonQuery()
Console.WriteLine("Employee number: " & cmd.Parameters("@empno").Value)
Catch ex As MySql.Data.MySqlClient.MySqlException
Console.WriteLine(("Error " & ex.Number & " has occurred: ") + ex.Message)
End Try
conn.Close()
Console.WriteLine("Done.")
End Sub
End Module
Sub Main()
Dim conn As New MySqlConnection()
conn.ConnectionString = "server=localhost;user=root;database=world;port=3306;password=******;"
Dim cmd As New MySqlCommand()
'HERE WE EXECUTE A COMMAND TO CREATE THE TABLE AND STORED PROCEDURE
Try
Console.WriteLine("Connecting to MySQL...")
conn.Open()
cmd.Connection = conn
cmd.CommandText = "DROP PROCEDURE IF EXISTS add_emp"
cmd.ExecuteNonQuery()
cmd.CommandText = "DROP TABLE IF EXISTS emp"
cmd.ExecuteNonQuery()
cmd.CommandText = "CREATE TABLE emp (empno INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY, user_name VARCHAR(20), password VARCHAR(20))"
cmd.ExecuteNonQuery()
cmd.CommandText = "CREATE PROCEDURE add_emp(" & "IN uname VARCHAR(20), IN pword VARCHAR(20), OUT empno INT)" & "BEGIN INSERT INTO emp(user_name, password, birthdate) " & "VALUES(uname, pword); SET empno = LAST_INSERT_ID(); END"
cmd.ExecuteNonQuery()
Catch ex As MySqlException
Console.WriteLine(("Error " & ex.Number & " has occurred: ") + ex.Message)
End Try
conn.Close()
Console.WriteLine("Connection closed.")
End Sub
答案 1 :(得分:1)
为了防止SQL注入,你必须使用参数化查询。我给你一个函数的参考,你必须使你的函数像这样的东西,如
插入功能
Public Shared Function InsertFile(ByVal name As String, ByVal pwd As String) As Integer
Dim sql As String
sql = "insert into login (username,password) values (?uname, ?upass);"
Dim params1(2) As MySqlParameter
params1(1) = New MySqlParameter("?uname", name )
params1(2) = New MySqlParameter("?upass", pwd )
Return MySqlHelper.ExecuteNonQuery(sql, params1)
End Function
现在创建一个新的 ExecuteNonQuery 函数来执行查询
执行非查询功能
Public Shared Function ExecuteNonQuery(ByVal sql As String, ByVal params() As MySqlParameter) As Integer
Dim cnn As New MySqlConnection(connectionstring)
Dim cmd As New MySqlCommand(sql, cnn)
For i As Integer = 0 To params.Length - 1
cmd.Parameters.Add(params(i))
Next
cnn.Open()
Dim retval As Integer = cmd.ExecuteNonQuery()
cnn.Close()
Return retval
End Function
就是这样,希望你明白。
答案 2 :(得分:0)
INSERT INTO登录(用户名,密码)VALUES(?,?)