SQL Command.ExecuteReader vb.net

Time: 2014-01-24 18:32:46

Tags: sql vb.net

I am trying to build a login form with SQL Express 2012 and vb.net. I have the database connection working, and now I get the following problem: "Incorrect syntax near '='" at data = command.ExecuteReader. Any suggestions? Here is the code. Thanks!!!!!!!

Imports System.Data.SqlClient
Imports System.Data.OleDb

Public Class login
    Private Sub login_user_Click(sender As Object, e As EventArgs) Handles login_user.Click
        Dim conn As New SqlConnection
        If conn.State = ConnectionState.Closed Then
            conn.ConnectionString = ("Server=192.168.0.2;Database=Sunshinetix;User=sa;Password=sunshine;")
        End If

        Try
            conn.Open()
            ' This is the statement the question is about; it is what raises "Incorrect syntax near '='"
            Dim sqlquery As String = "SELECT = FROM Users Where Username = '" & username_user.Text & "';"
            Dim data As SqlDataReader
            Dim adapter As New SqlDataAdapter
            Dim command As New SqlCommand
            command.CommandText = sqlquery
            command.Connection = conn
            adapter.SelectCommand = command
            data = command.ExecuteReader()
            While data.Read
                If data.HasRows = True Then
                    If data(2).ToString = password_user.Text Then
                        MsgBox("Sucsess")
                    Else
                        MsgBox("Login Failed! Please try again or contact support")
                    End If
                Else
                    MsgBox("Login Failed! Please try again or contact support")
                End If
            End While
        Catch ex As Exception

        End Try
    End Sub

End Class

3 answers:

Answer 0: (score: 10)

The problem is that your query says SELECT = FROM, which is obviously wrong; the correct syntax is SELECT * FROM

See my code for avoiding SQL injection


Try this code:

    Dim conn As New SqlConnection
    If conn.State = ConnectionState.Closed Then
        conn.ConnectionString = ("Server=192.168.0.2;Database=Sunshinetix;User=sa;Password=sunshine;")
    End If

    Try
        conn.Open()
        ' The username is passed as a parameter, not concatenated into the SQL text
        Dim sqlquery As String = "SELECT * FROM Users Where Username = @user;"

        Dim data As SqlDataReader
        Dim command As SqlCommand = New SqlCommand(sqlquery, conn)
        With command.Parameters
            ' The @user parameter must carry the username (the username textbox, not the password one)
            .Add(New SqlParameter("@user", username_user.Text))
        End With
        data = command.ExecuteReader()
        While data.Read
            If data.HasRows = True Then
                If data(2).ToString = password_user.Text Then
                    MsgBox("Sucsess")
                Else
                    MsgBox("Login Failed! Please try again or contact support")
                End If
            Else
                MsgBox("Login Failed! Please try again or contact support")
            End If
        End While
    Catch ex As Exception
        ' Do not leave the Catch empty: a swallowed SqlException hides the real error
        MsgBox(ex.Message)
    End Try

I suggest you use parameterized queries to avoid SQL injection
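As an added example (not code from the question or from the answer above), the same lookup written as a reusable function: it keeps the parameterized query, disposes the connection and reader with Using blocks, and returns a result instead of showing a message box per row. It assumes the Users table stores the password in a column named Password (the question only refers to it by position as data(2)) and that both columns are NVARCHAR(50).

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient

Public Module LoginHelper
    ' Reads the stored password for one username. The username travels as a typed
    ' parameter value and is never spliced into the SQL text, so quotes or SQL
    ' keywords typed into the textbox cannot change the statement (no SQL injection),
    ' and a name such as O'Brien no longer produces "Incorrect syntax near".
    ' Assumed schema: Users(Username NVARCHAR(50), Password NVARCHAR(50)).
    Public Function TryGetStoredPassword(connectionString As String,
                                         username As String,
                                         ByRef storedPassword As String) As Boolean
        Const sql As String = "SELECT TOP (1) Password FROM Users WHERE Username = @user;"
        storedPassword = Nothing

        ' Using blocks close the reader and the connection even if an exception is thrown
        Using conn As New SqlConnection(connectionString)
            Using command As New SqlCommand(sql, conn)
                ' Explicit type and length match the column, so the server performs no
                ' implicit conversion and reuses one cached plan for every login
                command.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = username
                conn.Open()
                Using data As SqlDataReader = command.ExecuteReader(CommandBehavior.SingleRow)
                    If data.Read() AndAlso Not data.IsDBNull(0) Then
                        storedPassword = data.GetString(0)
                        Return True
                    End If
                End Using
            End Using
        End Using
        Return False
    End Function

    ' Compares the textbox value with the stored one using an ordinal comparison
    ' (the question's "=" on strings becomes case-insensitive under Option Compare Text).
    ' This follows the question's schema, which keeps the password value itself; a
    ' production table would hold a salted hash and compare against that instead.
    Public Function AuthenticateUser(connectionString As String,
                                     username As String,
                                     password As String) As Boolean
        Dim stored As String = Nothing
        If Not TryGetStoredPassword(connectionString, username, stored) Then
            Return False   ' unknown user: caller shows the same generic failure message
        End If
        Return String.Equals(stored, password, StringComparison.Ordinal)
    End Function
End Module
```

From the click handler, call AuthenticateUser(connectionString, username_user.Text, password_user.Text) in place of the reader loop and show the success or failure message on the returned Boolean.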

Answer 1: (score: 5)

Change

SELECT = FROM Users ....

to

SELECT * FROM Users ....

Answer 2: (score: 0)

There is an extra = in your query; there should not be any = after the SELECT keyword.

Dim sqlquery As String = "SELECT * FROM Users Where Username = '" & username_user.Text & "';"