我接手一个VB项目,并用我有限的VB技能我不能让下面的参数化查询返回的结果:为什么这个参数化的sql查询不返回结果?
Dim strSQLUser As String = "Select Name, CompanyID from Users where UserName = @UserName"
dbCommand = New SqlCommand(strSQLUser, dbConn)
dbCommand.Parameters.AddWithValue("@UserName", User)
dr = dbCommand.ExecuteReader
然而,这是不工作的原代码:
Dim strSQLUser As String = "Select Name, CompanyID from Users where UserName ='" & User & "'"
dbCommand = New SqlCommand(strSQLUser, dbConn)
dr = dbCommand.ExecuteReader
正如您所看到的,原始代码容易受到sql注入攻击,需要修复。
额外 - 这里是不读行:
While dr.Read
DbUser = dr.GetValue(0).ToString
DbCompany = dr.GetValue(1).ToString
End While
我想这个变量User是一个字符串吧? – Steve