我今天一直在这里工作无济于事。我使用下面的代码在用户输入的文本框中搜索数据库(如用户键入的内容)并将结果呈现在ListView控件中。它按原样工作,但我知道它不安全,因为它没有参数化。我知道如何将参数添加到MySQLCommand对象,但无法弄清楚如何将其添加到查询中。任何帮助将不胜感激,谢谢。
这里是我的代码:
Private Sub TextBoxSearch_TextChanged(sender As Object, e As System.EventArgs) Handles TextBoxSearch.TextChanged
Dim dbConn As New MySqlConnection(String.Format("Server={0};Port={1};Uid={2};Password={3};Database=accounting", FormLogin.ComboBoxServerIP.SelectedItem, My.Settings.DB_Port, My.Settings.DB_UserID, My.Settings.DB_Password))
Dim dbQuery As String = ""
Dim dbCmd As New MySqlCommand
Dim dbReader As MySqlDataReader
Dim a, b, c, d, f, g
Try
dbQuery = "SELECT * FROM cc_master INNER JOIN customer ON customer.accountNumber = cc_master.customer_accountNumber " & _
"WHERE nameCOMPANY OR accountNumber LIKE '%" & TextBoxSearch.Text & "%' " & _
"ORDER BY nameCOMPANY ASC"
dbConn.Open()
dbCmd = New MySqlCommand(dbQuery, dbConn)
dbReader = dbCmd.ExecuteReader()
ListViewRecords.Items.Clear()
Do While dbReader.Read()
a = (dbReader.Item("ccID").ToString())
b = (dbReader.Item("accountNumber").ToString())
c = (dbReader.Item("nameCOMPANY").ToString())
d = DecryptCard(dbReader.Item("ccNumber").ToString())
f = (dbReader.Item("ccExpireMonth").ToString())
g = (dbReader.Item("ccExpireYear").ToString())
Dim item As ListViewItem = ListViewRecords.Items.Add(a)
item.SubItems.Add(b)
item.SubItems.Add(c)
item.SubItems.Add(d)
item.SubItems.Add(f)
item.SubItems.Add(g)
Loop
dbReader.Close()
Catch ex As Exception
MessageBox.Show("A DATABASE ERROR HAS OCCURED" & vbCrLf & vbCrLf & ex.Message & vbCrLf & _
vbCrLf + "Please report this to the IT/Systems Helpdesk at Ext 131.")
End Try
dbConn.Close()
dbCmd.Dispose()
End Sub
由于Tomcat的,可惜事与愿违为我工作。虽然没有引发异常,但是当我按照您的建议修改查询时,将跳过DO WHILE语句。我试着这样做反而并得到了相同的结果:LIKE CONCAT( '%',@search_string, '%')与参数定义为:dbCmd.Parameters.AddWithValue( “@ SEARCH_STRING”,TextBoxSearch.Text)。还有其他建议吗? – 2013-02-24 14:24:20
请接受我的道歉。我在变量声明中犯了一个错误。我做了Dim参数AS String =而不是你提供的。现在一切都很好,它的工作原理,谢谢。 – 2013-02-25 01:52:16