将数据插入到SQL Visual Studio中

Question

我一直在尝试在Visual Studio中创建注册表单，但它似乎不起作用。这个想法是，当您按下Button1时，Textbox1和Textbox2中的值将存储在数据库中。

Public Class SignUp 
Dim mysqlConn As Data.SqlClient.SqlConnection 
Dim command As Data.SqlClient.SqlCommand 
Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click 
    mysqlConn = New Data.SqlClient.SqlConnection 
    mysqlConn.ConnectionString = ("Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=|DataDirectory|\NewFolder1\Members.mdf;Integrated Security=True") 
    Dim reader As Data.SqlClient.SqlDataReader 
    Try 
     mysqlConn.Open() 
     Dim query As String 
     query = "Insert into [User] ('username', 'password') VALUES (" & TextBox1.Text & " AND " & TextBox2.Text & ")" 'virker ikke 
     command = New SqlClient.SqlCommand(query, mysqlConn) 
     reader = command.ExecuteReader 
     mysqlConn.Close() 

     MessageBox.Show("Data Saved") 
    Catch ex As Exception 
     MessageBox.Show(ex.Message) 
    Finally 
     mysqlConn.Dispose() 

    End Try 

它给了我一个错误，说列错了。

Answer 1

这应该让你的代码工作。这不是良好的编程习惯可言，但它是你所要求的：

Public Class Form1 
    Dim mysqlConn As Data.SqlClient.SqlConnection 
    Dim command As Data.SqlClient.SqlCommand 


    Private Sub Button1_Click(ByVal sender As Object, ByVal e As EventArgs) Handles Button1.Click 
     mysqlConn = New Data.SqlClient.SqlConnection 
     mysqlConn.ConnectionString = ("Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=|DataDirectory|\NewFolder1\Members.mdf;Integrated Security=True") 
     Dim RowsAffected As Integer 
     Try 
      mysqlConn.Open() 
      Dim query As String = "INSERT INTO [User] (username, password) VALUES (@Username, @Password)" 
      command = New SqlClient.SqlCommand(query, mysqlConn) 
         Dim paramUsername As New SqlClient.SqlParameter() With {.ParameterName = "@Username", .Value = TextBox1.Text, .Size = 50, .SqlDbType = SqlDbType.VarChar} 
         Dim paramPassword As New SqlClient.SqlParameter() With {.ParameterName = "@Password", .Value = TextBox2.Text, .Size = 50, .SqlDbType = SqlDbType.VarChar} 

      command.Parameters.Add(paramUsername) 
      command.Parameters.Add(paramPassword) 
      RowsAffected = command.ExecuteNonQuery 
      mysqlConn.Close() 
      If RowsAffected > 0 Then MessageBox.Show("Data Saved") 
     Catch ex As Exception 
      MessageBox.Show(ex.Message) 
     Finally 
      mysqlConn.Dispose() 
     End Try 
    End Sub 
End Class 

这个版本使用SQL参数，这应该防止SQL注入和类似O'Brian值。

正如其他人所说（我们昨天也告诉过你），以纯文本存储密码确实是一个坏主意。我知道，你并没有要求这样的建议，但是如果你使用这个代码来进行面向公众的任务，你需要对你的密码进行哈希处理并存储散列字符串。

-E

Answer 2

您的代码应该是这个样子：

Option Infer On 
Option Strict On 

Imports System.Data.SqlClient 

Public Class Signup 

    Private Sub bnSignup_Click(sender As Object, e As EventArgs) Handles bnSignup.Click 
     Dim connStr = "Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=|DataDirectory|\NewFolder1\Members.mdf;Integrated Security=True" 
     Dim query = "INSERT INTO [User] ([username], [password]) VALUES (@username, @password)" 

     'TODO: Hash the password to save it in the database. 

     Try 
      Using sqlConn As New SqlConnection(connStr) 
       Using command As New Sqlcommand(query, sqlConn) 
        command.Parameters.Add(New SqlParameter With {.ParameterName = "@username", .SqlDbType = SqlDbType.NVarChar, .Value = tbUsername.Text}) 
        command.Parameters.Add(New SqlParameter With {.ParameterName = "@password", .SqlDbType = SqlDbType.NVarChar, .Value = tbPassword.Text}) 

        sqlConn.Open() 
        command.ExecuteNonQuery() 
        sqlConn.Close() 

       End Using 
      End Using 

      MessageBox.Show("Data Saved") 

     Catch ex As Exception 
      MessageBox.Show(ex.Message) 
     End Try 

    End Sub 

    ' Other code... 

End Class 

的Using结构需要你非托管资源的处置照顾，即使发生异常。

使用SqlParameters有助于防止SQL注入攻击，并允许像撇号这样的字符传递给SQL Server而不会有任何问题。

这是一个好主意，让你的控件有意义的名字。

有关如何安全地存储密码的信息，我建议读一读Salted Password Hashing - Doing it Right。