DataReader is not working

Time: 2016-06-29 11:57:47

Tags: vb.net windows visual-studio access

This is my code and I keep getting an error

Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
    Dim connection As New OleDbConnection("Provider = Microsoft.ACE.OLEDB.12.0;Data Source=|DataDirectory|\Database1.accdb")
    Dim dataread As OleDbDataReader
    Dim f2 As New Form2
    Dim com As OleDbCommand
    connection.Open()
    com = New OleDbCommand("SELECT * FROM User WHERE usr_name='" & TextBox2.Text & "' AND password='" & TextBox1.Text & "'", connection)

    dataread = com.ExecuteReader()

    If dataread.HasRows = True Then
        Me.Hide()
        f2.Show()
    End If
    dataread.Close()
    dataread.Close()
    connection.Close()
End Sub

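1 answer:

Answer 0: (score: 3)

The first thing to fix is the User table name and the Password column name. Both User and Password are reserved words in Access Jet-SQL, and you need to enclose them in square brackets. Then there is the string concatenation problem when you build the query. This leads to parsing errors and Sql Injection (although it is not so easy to carry out in MS-Access). In any case, always use a parameterized query, specifying exactly what the data type of the passed parameter is, without leaving the database side to "guess what that is".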

Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
    ' Using blocks close and dispose the connection, command and reader, even on error
    Using connection = New OleDbConnection("Provider = Microsoft.ACE.OLEDB.12.0;Data Source=|DataDirectory|\Database1.accdb")
        ' [User] and [password] are bracketed because they are reserved words
        Using com = New OleDbCommand("SELECT * FROM [User] " & _
                                     "WHERE usr_name=@name " & _
                                     "AND [password]=@pwd", connection)
            connection.Open()
            ' OleDb binds parameters by position: add them in the order they appear in the SQL.
            ' TextBox2 holds the user name and TextBox1 the password, as in the question.
            com.Parameters.Add("@name", OleDbType.VarWChar).Value = TextBox2.Text
            com.Parameters.Add("@pwd", OleDbType.VarWChar).Value = TextBox1.Text
            Using dataread = com.ExecuteReader()
                If dataread.HasRows = True Then
                    Dim f2 As New Form2
                    Me.Hide()
                    f2.Show()
                End If
            End Using
        End Using
    End Using
End Sub

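Finally, consider that, from a security standpoint, storing passwords in clear text in a database table is a very bad practice. More so with a file-based database like MS-Access. Simply looking at your table is enough to reveal your users' passwords. This site has many answers about storing passwords on databases.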