Dim cmdSelect As New SqlCommand("SELECT DISTINCT [seat_remain] FROM [a1_ticket] WHERE serv_code =" & lab5.Text & "ORDER BY [Ticket_no] DESC", SQLData)
答案 0 :(得分:8)
您正在使用字符串连接来构建SQL查询,而不是参数化查询或存储过程。这就是它的错误。以下是改进方法:
Dim cmdSelect As New System.Data.SqlClient.SqlCommand("SELECT DISTINCT [seat_remain] FROM [a1_ticket] WHERE serv_code = @serv_code ORDER BY [Ticket_no] DESC", SQLData)
cmdSelect.Parameters.AddWithValue("@serv_code", lab5.Text)
现在您的查询将起作用,而不仅仅是这样,但它对SQL注入是安全的。
答案 1 :(得分:3)
缺少引语:
Dim cmdSelect As New System.Data.SqlClient.SqlCommand("SELECT DISTINCT [seat_remain] FROM [a1_ticket] WHERE serv_code ='" & lab5.Text & "' ORDER BY [Ticket_no] DESC", SQLData)