Display SQL query results in a DataGridView (Access)

Tags: sql, vb.net

Hello everyone, I am new to Visual Basic .NET and I am trying to display the results of a query in a DataGridView. I have the code below, but it gives me an error and a prompt. Please fill in the code below and guide me on how to print the query into the data grid. Thank you.
Imports System.Data.OleDb

Public Class SearchForm
    Dim con As New OleDbConnection

    Private Sub ComboBox1_SelectedIndexChanged(sender As Object, e As EventArgs) Handles Statd.SelectedIndexChanged
    End Sub

    Private Sub SearchButton_Click(sender As Object, e As EventArgs) Handles SearchButton.Click
        con.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0; Data Source= c:\Databse\Company_db.accdb"
        con.Open()
        Dim sqlQuery As String
        Dim sqlCommand As New OleDbCommand
        Dim sqlAdapter As New OleDbDataAdapter
        Dim Table As New DataTable
        Dim empNum As String
        Dim empLname As String
        Dim empDept As String
        Dim empStat As String
        empNum = eNumText.Text
        empLname = empLnameText.Text
        empDept = Deptd.Text
        empStat = Statd.Text
        'sqlQuery = "SELECT * FROM tbl_empinfo WHERE LastName like '+ empLnameText.Text +' "
        sqlQuery = "SELECT * FROM tbl_empinfo WHERE LastName like '+ empLnameText.Text +"
        ' MsgBox("Employee Number " + empNum + empLname + empDept + empStat) 'test statement
        With sqlCommand
            .CommandText = sqlQuery
            .Connection = con
            With sqlAdapter
                .SelectCommand = sqlCommand
                .Fill(Table)
            End With
            For i = 0 To Table.Rows.Count - 1
                With DataGridView1
                    .Rows.Add(Table.Rows(i)("EmpID"), Table.Rows(i)("FirstName"), Table.Rows(i)("LastName"), Table.Rows(i)("Department"), Table.Rows(i)("Position"), Table.Rows(i)("Status"), Table.Rows(i)("Years"))
                End With
            Next
        End With
        con.Close()
    End Sub
There are a few errors in the string concatenation that forms the SELECT statement:
sqlQuery = "SELECT * FROM tbl_empinfo WHERE LastName like '" + empLnameText.Text + "'"
However, this is not the correct way to query a database with user input. You need to use a parameterized query:
sqlQuery = "SELECT * FROM tbl_empinfo WHERE LastName like ?"
With sqlCommand
    .CommandText = sqlQuery
    .Connection = con
    .Parameters.AddWithValue("@name", empLnameText.Text)
    With sqlAdapter
        .SelectCommand = sqlCommand
        .Fill(Table)
    End With
    With DataGridView1
        .DataSource = Table
    End With
End With
Then just set DataGridView1.DataSource to the table; you do not need any loop to fill the grid.

Using string concatenation is bad practice because your code becomes an easy target for attack (this is a very serious vulnerability), and besides, if your empLnameText.Text contains a single quote, the string concatenation you use will produce an invalid SQL statement. So, what is the error??
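As an added example (not code from the question or the answer above), here is a complete SearchButton_Click handler that puts the answer's advice together: the last name is passed as an OleDb parameter rather than spliced into the SQL text, the connection and command are disposed with Using blocks, and the grid is filled with a single DataSource assignment. It assumes the same control names (empLnameText, DataGridView1, SearchButton) and the same database path as the question; the trailing "%" wildcard is an assumption so that a partial last name still matches.

```vbnet
' Added example, not the original poster's code. Assumes the form controls
' and database path from the question; the "%" wildcard is an assumption.
Imports System.Data
Imports System.Data.OleDb

Public Class SearchForm

    Private Const ConnectionString As String =
        "Provider=Microsoft.ACE.OLEDB.12.0; Data Source=c:\Databse\Company_db.accdb"

    ' Runs the search and returns the result table. Kept separate from the
    ' Click handler so the query can be reused and tested without the form.
    Public Function SearchByLastName(ByVal lastNamePrefix As String) As DataTable
        Dim table As New DataTable()

        ' Using blocks dispose the connection and command even if Fill throws.
        Using con As New OleDbConnection(ConnectionString)
            Using cmd As New OleDbCommand(
                "SELECT EmpID, FirstName, LastName, Department, Position, Status, Years " &
                "FROM tbl_empinfo WHERE LastName LIKE ?", con)

                ' OleDb parameters are positional: the "?" is bound to the first
                ' parameter added, whatever name it is given. The value travels
                ' separately from the SQL text, so a quote (or anything else) in
                ' the input cannot change the statement, only the value compared.
                cmd.Parameters.Add("@lastName", OleDbType.VarWChar).Value = lastNamePrefix & "%"

                Using adapter As New OleDbDataAdapter(cmd)
                    ' Fill opens the connection if needed and closes it afterwards.
                    adapter.Fill(table)
                End Using
            End Using
        End Using

        Return table
    End Function

    Private Sub SearchButton_Click(sender As Object, e As EventArgs) Handles SearchButton.Click
        Try
            ' One assignment replaces the row-by-row loop from the question;
            ' the grid builds its columns from the DataTable.
            DataGridView1.DataSource = SearchByLastName(empLnameText.Text)
        Catch ex As OleDbException
            ' Report provider errors (wrong path, missing table) instead of crashing the form.
            MessageBox.Show("Query failed: " & ex.Message)
        End Try
    End Sub

End Class
```

A quick way to confirm the parameter is doing its job is to type a last name containing a single quote, such as O'Brien, into the search box: with the concatenated query from the question that input produces a syntax error, while the parameterized version simply returns the rows whose LastName starts with O'Brien.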