我正在尝试根据Windows登录名从一个表中查找employeeid,并使用此employeeid从另一个表中获取值以添加它们。因此,对于Bill来说,员工在tblEmployees中是1。我总结了tblTimeAvailable中所有的noofhours,其中employeeid等于1并在我的网页上显示。它不起作用。我无法弄清楚如何通过第一个表中找到的employeeid搜索第二个表。 (因为sql注入,我正在重写代码。)
Dim windowsLoginName As System.String = HttpContext.Current.User.Identity.Name 'System.Security.Principal.WindowsIdentity.GetCurrent().Name
Dim split As String() = Nothing
Dim vname As String
'Get network login name (name only)
split = windowsLoginName.Split("\".ToCharArray)
vname = split(1)
Dim Connection As String = "Data Source=WillSQL\ict2;Initial Catalog=TimeSQL;Integrated Security=SSPI"
Using con As New SqlConnection(Connection)
Dim sqlemp As String = "SELECT EmployeeID FROM tblEmployees where login = @loginname"
Dim command As New SqlCommand(sqlemp, con)
con.Open()
rve = cmde.Parameters.Add(New SqlParameter With {.ParameterName = "@loginname", .SqlDbType = SqlDbType.NVarChar, .Value = vname})
End Using
当我看到rve的价值时,它给了我@loginname而不是employeeid。仅供参考 - tblEmployees中始终只有一行,因为每个Windows登录名都是唯一的。
'Get Sick Time
Using con As New SqlConnection(Connection)
Dim sqls1 As String = "Select SUM(NoofHours) as Total from tblTimeAvailable where workcode = 1 and EmployeeID = @employeeid"
Dim command As New SqlCommand(sqls1, con)
con.Open()
rvsa = cmde.Parameters.Add(New SqlParameter With {.ParameterName = "@employeeid", .SqlDbType = SqlDbType.NVarChar, .Value = rve})
End Using
' If the sum equals 0, show 0 on webpage. If another value, show value.
If IsDBNull(rvsa) Then
rvsa = 0
TextBoxsa.Text = 0
Else
TextBoxsa.Text = rvsa.ToString
End If
我感谢你能给我的任何帮助!
答案 0 :(得分:0)
您永远不会执行命令。设置各种参数的值后,您需要调用SqlCommand对象上的一个执行方法。在这种情况下,由于您只是从单行读取单个值,因此您只需使用ExecuteScalar方法:
rve = command.ExecuteScalar()