VB SQL语句没有选择正确的行

时间:2014-05-01 02:00:36

标签: sql vb.net visual-studio ms-access select

我正在尝试使用SELECT语句来“选择”我的数据库中的某个人,并且它没有选择正确的人,我也不确定为什么。

我正在使用访问数据库。

数据库连接代码:

Imports System.Data.OleDb

Module Database_Connection

Public provider As String 'This will tell VS what database source type to use.
Public datafile As String 'This will provide the file itself that VS will use.
Public connstring As String 'This is the connection string that will tie the Provider and Datafile together so that we can make a physical connection
Public myconnection As OleDbConnection = New OleDbConnection 'Set's the variable myconnection as a new Connection to the database using the OleDb type.
Public dr As OleDbDataReader 'This will be used to read data from the database.


Public Sub Access_Database()

    provider = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source ="
    datafile = "Folly_Beach_Data.accdb"
    connstring = provider & datafile
    myconnection.ConnectionString = connstring

    Try

        myconnection.Open() 'Opens the connection to test it.

    Catch ex As Exception

        MessageBox.Show("Error" & vbCrLf & vbCrLf & "Original Error: " & ex.ToString)

        'This is an error that most likely many people will recieve on their computers. I noticed the problem a 
        'while ago and looked for a way to fix it. This is both the easiest and only method to correct the error stated below.
        'It doesn't force you to download anything, you have to select the option to do so.
        If MsgBox("If you received an error that states: " & vbCrLf _
                  & Quotes & "The microsoft.ACE.OLEDB.12.0' provider is not registered on the local machine." _
                  & Quotes & "Please press ok to install the database engine: ", MsgBoxStyle.OkCancel, _
                  "Error") = MsgBoxResult.Ok Then

            System.Diagnostics.Process.Start("http://www.microsoft.com/en-us/download/confirmation.aspx?id=23734")
            'This opens the webpage to directly download the file. As soon as you press okay on the messagebox the file is
            'instantly ready for download.

        ElseIf MsgBoxResult.Cancel Then

            MessageBox.Show("Here is the link for future reference if you would like to download it at a later time: " _
                            & vbCrLf & vbCrLf & "http://bit.ly/19FWu09", "For later")
            'I case you are untrusting of the file or cannot download it at the present time, it gives a link for later installation

            ConnectionError = True 'For Description view "MyVariables"

            myconnection.Close() 'Closes the connection

        End If



    Finally

        'If myconnection.State = ConnectionState.Open Then
        '    MessageBox.Show("The database was successfully connected to", "Success", MessageBoxButtons.OK)
        'End If

        ConnectionError = False

        myconnection.Close()
        'Closes the connection so we can open at a later time. 
        'Trying to re-use or re-open a connection string will crash the progrm.

    End Try

End Sub

结束模块

这就是我在我的代码中选择这个人的地方:

请注意,我会检查电话号码以及邮政编码,看看那个人是否是那个人。 (这是不安全的,我意识到。这是一个学校项目)。所以我在开始时使用两个SELECT语句来检查人员信息。它工作正常。如果手机号码正确但拉链不正确,则表明手机不正确且无法继续。我就像嵌套的SELECT语句一样。

 Private Sub ReturningCheck()

    Dim Phone As String = Phonetxt.Text
    Dim Zip As String = ziptxt.Text

    GuestFound = False

    Try

        myconnection.Open()

        Dim str As String

        str = "SELECT * FROM Customers WHERE Customer_Phone_Number='" & Phone & "'"

        Dim cmd As OleDbCommand = New OleDbCommand(str, myconnection)

        dr = cmd.ExecuteReader

        If dr.Read Then

            str = "Select * FROM Customers WHERE Customer_Address_Zip='" & Zip & "'"

            cmd = New OleDbCommand(str, myconnection)

            dr = cmd.ExecuteReader

            If dr.Read Then

                GuestName = dr("Customer_Name")

                MessageBox.Show("Welcome back " & GuestName & ".")

                GuestFound = True

            Else

                MessageBox.Show("The Phone number Matches but the zipcode does not, please re-enter the zip code that you first signed up with.")
                ziptxt.Focus()
                ziptxt.SelectAll()

            End If

        Else

            MessageBox.Show("That phone number does not exist in our records please re-enter the phone number in the format of 8001231234")
            Phonetxt.Focus()
            Phonetxt.SelectAll()

        End If

    Catch ex As Exception

        MessageBox.Show("There was an error retrieving your information from the database" _
                         & vbCrLf & vbCrLf & "Original Error: " & ex.ToString, _
                        "Error", MessageBoxButtons.OK, MessageBoxIcon.Error)

    Finally

        myconnection.Close()

    End Try

End Sub

我尝试在数据库中做最后一个人,但它返回第二个人的名字,那么它有什么问题?任何帮助将不胜感激。

1 个答案:

答案 0 :(得分:0)

不是连续调用两个SQL语句,而是组合单个SQL语句的where子句中的条件,如下所示:

str = "SELECT * FROM Customers WHERE Customer_Phone_Number='" & Phone & _
      "' AND Customer_Address_Zip='" & Zip & "'"

如下所述,您应修复代码以确保其受到SQL攻击的保护。简而言之,只要您从用户输入的字段中插入字符串,就需要对其进行清理。实现此目的的最佳方法是使用参数化查询。请搜索“VB中的参数化查询”,你会发现很多例子。

相关问题
最新问题