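I am trying to query a database with SQL and compare the result against text boxes. I don't know why my code isn't working; could it be my If statement? It may also be that I haven't written the SQL statement correctly.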
Protected Sub btnValidate_Click(sender As Object, e As EventArgs) Handles btnValidate.Click
    Dim strSQL As String = "SELECT * FROM loginInfo"
    If "SELECT UserName, PassCode From loginInfo Where [UserName] [PassCode]" Then
        Response.Redirect("gridView.aspx")
    End If
End Sub
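Answer 0 (score: 2)
There are a few problems here:
As a side note, use parameterized queries to avoid SQL injection.
What you can do is this: in the btnValidate_Click method, take the user name and password that were entered and pass them to the query. If you find a user name and password that match the text the user entered, treat it as a successful login and redirect to the desired page. The code would look something like this: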
' At the top of the code-behind file
Imports System.Data.OleDb

Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
End Sub

Protected Sub btnValidate_Click(sender As Object, e As EventArgs) Handles btnValidate.Click
    Dim recordMatch As Integer
    Using con As New OleDbConnection( _
        "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("DynamicDataBase.mdb"))
        con.Open()
        ' Count the rows whose user name and passcode both match the input
        Dim strSQL As String = "SELECT COUNT(1) FROM loginInfo WHERE [UserName] = @username AND [PassCode] = @passcode"
        Dim cmd As New OleDbCommand(strSQL, con)
        ' OleDb binds parameters by position, so add them in the order they appear in the SQL
        cmd.Parameters.Add("@username", OleDbType.VarChar, 50).Value = yourusernametextbox.Text
        cmd.Parameters.Add("@passcode", OleDbType.VarChar, 50).Value = yourpasscodetextbox.Text
        recordMatch = Convert.ToInt32(cmd.ExecuteScalar())
    End Using
    ' Exactly one matching row means the credentials are valid
    If recordMatch = 1 Then
        Response.Redirect("gridView.aspx")
    End If
End Sub
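The side note in the answer above about parameterized queries, shown as an added example that is not part of the original answer. It uses Python with an in-memory SQLite table as a stand-in for the Access database (the sample rows, function names and input strings are constructed for illustration) and compares a query built by string concatenation with the parameterized form.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the loginInfo table (constructed sample rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE loginInfo (UserName TEXT, PassCode TEXT)")
    con.executemany(
        "INSERT INTO loginInfo VALUES (?, ?)",
        [("alice", "s3cret-A"), ("bob", "s3cret-B"), ("o'brien", "s3cret-C")],
    )
    return con


def count_concatenated(con, username, passcode):
    """Anti-pattern: input is pasted into the SQL text, so it is parsed as SQL."""
    sql = (
        "SELECT COUNT(1) FROM loginInfo WHERE UserName = '" + username
        + "' AND PassCode = '" + passcode + "'"
    )
    return con.execute(sql).fetchone()[0]


def count_parameterized(con, username, passcode):
    """Form used in the answer: input is bound as data and never parsed as SQL."""
    sql = "SELECT COUNT(1) FROM loginInfo WHERE UserName = ? AND PassCode = ?"
    return con.execute(sql, (username, passcode)).fetchone()[0]


def demo():
    con = make_db()
    crafted = "' OR '1'='1"  # constructed input that contains SQL syntax
    results = {
        "valid_param": count_parameterized(con, "alice", "s3cret-A"),
        # The WHERE filter is rewritten by the input: every row matches.
        "crafted_concat": count_concatenated(con, "alice", crafted),
        # Bound as a literal passcode: no row matches.
        "crafted_param": count_parameterized(con, "alice", crafted),
        # A legitimate name containing a quote works when bound...
        "quote_param": count_parameterized(con, "o'brien", "s3cret-C"),
    }
    try:  # ...but breaks the concatenated statement.
        count_concatenated(con, "o'brien", "s3cret-C")
        results["quote_concat"] = "ok"
    except sqlite3.OperationalError:
        results["quote_concat"] = "syntax error"
    return results


if __name__ == "__main__":
    print(demo())
```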