Question

这是我的桌子。

尝试制作“忘记密码表单。”

一遍又一遍地得到同样的错误。需要你的帮助。

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

这是我的代码。

    Private Sub Button1_Click(sender As System.Object, e As System.EventArgs) Handles Button1.Click
    Dim con As New MySqlConnection("host=localhost; username=root; database= login")
    Dim cmd As New MySqlCommand
    Dim dr As MySqlDataReader

    con.Open()
    cmd.Connection = con
    cmd.CommandText = "select 'from users where userID= ' " & userTxt.Text & " ' and secretQ = ' " & qTxt.Text & " 'and answer= ' " & ansTxt.Text & "' "
    dr = cmd.ExecuteReader


    If Not dr Is Nothing Then
        dr.Read()
        pwTxt.Text = dr(2)
        dr.Close()
    Else
        MsgBox("Invalid Username or Password.")

    End If

End Sub

Answer 1

你的sql查询中有引号，删除它

select 'from users
       ^

您还应该使用参数化查询。它不仅可以防止SQL注入，还可以转义值中的字符，例如引号。

示例：

cmd.CommandText = "select from users 
                   where userID= @userID 
                         and secretQ = @secretQ 
                         and answer= @answer"

cmd.Parameters.AddWithValue("@userID ", userTxt.Text)
cmd.Parameters.AddWithValue("@secretQ", qTxt.Text)
cmd.Parameters.AddWithValue("@answer", ansTxt.Text)

dr = cmd.ExecuteReader

明确：

cmd.Parameters.Add("@userID", MySqlDbType.VarChar).Value = userTxt.Text
cmd.Parameters.Add("@secretQ", MySqlDbType.VarChar).Value = qTxt.Text
cmd.Parameters.Add("@answer", MySqlDbType.VarChar).Value = ansTxt.Text

您的SQL语法中有错误...'''附近

1 个答案: