I am trying to use a parameterized query to prevent SQL injection, but I get the error "No value given for one or more required parameters." from
Dim sql As String
Call connect()
con.Open()
sql = "Select * from Records where Customer_ID=@CustomerID"
' The parameter is added to whatever cmd refers to at this point (an earlier command object);
' the command created on the next line starts with an empty Parameters collection.
cmd.Parameters.AddWithValue("@CustomerID", Txt_Customer_ID.Text)
cmd = New OleDbCommand(sql, con)
dr = cmd.ExecuteReader
While dr.Read
    Txt_Customer_ID.Text = dr(0)
    Txt_Customer_Name.Text = dr(1)
    Txt_Customer_Contact.Text = dr(2)
    Txt_Delivery_Method.Text = dr(3)
    Txt_Reference.Text = dr(4)
End While
con.Close()
The Customer_ID field in the database is of type Text. I need to know how to make this search work without hitting the error.
Answer 0 (score: 2)
Got the answer! Thanks to everyone who tried.
The line
cmd.Parameters.AddWithValue("@CustomerID", Txt_Customer_ID.Text)
must come after
cmd = New OleDbCommand(sql, con)
Here is the code that works:
Dim sql As String
Call connect()
con.Open()
sql = "Select * from Records where Customer_ID=@CustomerID"
' Create the command first, then attach the parameter to that command.
cmd = New OleDbCommand(sql, con)
cmd.Parameters.AddWithValue("@CustomerID", Txt_Customer_ID.Text)
dr = cmd.ExecuteReader
While dr.Read
    Txt_Customer_ID.Text = dr(0)
    Txt_Customer_Name.Text = dr(1)
    Txt_Customer_Contact.Text = dr(2)
    Txt_Delivery_Method.Text = dr(3)
    Txt_Reference.Text = dr(4)
End While
con.Close()
Answer 1 (score: 1)
Change the order to this:
cmd = New OleDbCommand(sql, con)
cmd.Parameters.AddWithValue("@CustomerID", Txt_Customer_ID.Text)
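Both answers make the same point: the parameter has to be attached to the command object that is actually executed. The following is an added example, not code from the question or either answer. It wraps the lookup in a function with Using blocks so the connection, command and reader are always disposed, binds the Text-typed Customer_ID as a string, and checks that the parameter really is on the command before executing. The connection string, the explicit column list and the function name FindCustomer are assumptions; the table and column names come from the question. One caveat worth knowing with OleDb: parameters are positional, the name after "@" is ignored, and "?" is the conventional placeholder, so the order of Parameters.Add must match the order of the placeholders.

```vb
' Added example (not from the original question or answers).
' Assumed: a connection string supplied by the caller; table Records and column
' Customer_ID as named in the question; an explicit column list instead of SELECT *.
Imports System
Imports System.Data.OleDb

Public Module CustomerLookup

    ' Returns the first matching row as a String array, or Nothing if no row matched.
    Public Function FindCustomer(connectionString As String, customerId As String) As String()
        ' OLE DB binds parameters by position: the "?" marks where the value goes.
        Const sql As String = "SELECT Customer_ID, Customer_Name, Customer_Contact, Delivery_Method, Reference " &
                              "FROM Records WHERE Customer_ID = ?"

        Using con As New OleDbConnection(connectionString)
            Using cmd As New OleDbCommand(sql, con)
                ' The parameter is attached to this command, after the command exists.
                ' Customer_ID is a Text column, so the value is bound as a string, never concatenated.
                cmd.Parameters.Add("@CustomerID", OleDbType.VarWChar).Value = customerId

                ' Sanity check: the command about to run must carry exactly one parameter,
                ' otherwise OleDb reports "No value given for one or more required parameters."
                If cmd.Parameters.Count <> 1 Then
                    Throw New InvalidOperationException("Parameter was not attached to the command.")
                End If

                con.Open()
                Using dr As OleDbDataReader = cmd.ExecuteReader()
                    If dr.Read() Then
                        Dim row(dr.FieldCount - 1) As String
                        For i As Integer = 0 To dr.FieldCount - 1
                            ' Map database NULLs to empty strings so the caller can assign to TextBoxes directly.
                            row(i) = If(dr.IsDBNull(i), "", dr.GetValue(i).ToString())
                        Next
                        Return row
                    End If
                End Using
            End Using
        End Using

        Return Nothing
    End Function

End Module
```

From the form, call FindCustomer(connectionString, Txt_Customer_ID.Text), check the result for Nothing, and then copy row(0) to row(4) into the five text boxes. Because the value is bound as a parameter rather than spliced into the SQL string, whatever the user types is treated as data, which is the whole point of the parameterized query the question set out to use.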