Display SQL query results in a DataGridView (Access)

Tags: sql, vb.net

Hello everyone, I am new to Visual Basic .NET. I am trying to display the result of a query in a DataGridView. I have the code below, but it gives me an error and a hint. Please fill in the code below and show me how to print the query into the DataGrid. Thanks.

Imports System.Data.OleDb

Public Class SearchForm
    Dim con As New OleDbConnection

    Private Sub ComboBox1_SelectedIndexChanged(sender As Object, e As EventArgs) Handles Statd.SelectedIndexChanged

    End Sub

    Private Sub SearchButton_Click(sender As Object, e As EventArgs) Handles SearchButton.Click

        con.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0; Data Source= c:\Databse\Company_db.accdb"
        con.Open()

        Dim sqlQuery As String
        Dim sqlCommand As New OleDbCommand
        Dim sqlAdapter As New OleDbDataAdapter
        Dim Table As New DataTable
        Dim empNum As String
        Dim empLname As String
        Dim empDept As String
        Dim empStat As String

        empNum = eNumText.Text
        empLname = empLnameText.Text
        empDept = Deptd.Text
        empStat = Statd.Text

        'sqlQuery = "SELECT * FROM tbl_empinfo WHERE LastName like '+ empLnameText.Text +' "
        sqlQuery = "SELECT * FROM tbl_empinfo WHERE LastName like '+ empLnameText.Text +"

        ' MsgBox("Employee Number " + empNum + empLname + empDept + empStat) 'test statement

        With sqlCommand
            .CommandText = sqlQuery
            .Connection = con

            With sqlAdapter
                .SelectCommand = sqlCommand
                .Fill(Table)
            End With

            For i = 0 To Table.Rows.Count - 1
                With DataGridView1
                    .Rows.Add(Table.Rows(i)("EmpID"), Table.Rows(i)("FirstName"), Table.Rows(i)("LastName"), Table.Rows(i)("Department"), Table.Rows(i)("Position"), Table.Rows(i)("Status"), Table.Rows(i)("Years"))
                End With
            Next
        End With

        con.Close()
    End Sub

There are several errors in the string concatenation that builds the SELECT statement

sqlQuery = "SELECT * FROM tbl_empinfo WHERE LastName like '" + empLnameText.Text + "'"
However, this is not the correct way to query a database with user input. You need to use a parameterized query

sqlQuery = "SELECT * FROM tbl_empinfo WHERE LastName like ?"
With sqlCommand
    .CommandText = sqlQuery
    .Connection = con
    .Parameters.AddWithValue("@name", empLnameText.Text)
    With sqlAdapter
        .SelectCommand = sqlCommand
        .Fill(Table)
    End With
    With DataGridView1
        .DataSource = Table
    End With
End With
Then just set DataGridView1.DataSource to the table; no loop is needed to fill the grid


Using string concatenation is bad practice because your code becomes an easy target for attacks (this is a very serious vulnerability), but also, if your empLnameText.Text contains a single quote, the string concatenation you are using will produce an invalid SQL statement.
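A complete version of the search handler built on the answer's advice, added here as an example (it is not code from the question or the answer). It keeps the asker's form names (SearchButton, empLnameText, Deptd, DataGridView1), the table tbl_empinfo and the connection string from the question; the SearchEmployees helper is assumed, and it goes one step beyond the answer by adding an optional second filter to show how OLE DB's positional parameters must stay aligned with their '?' markers.

```vbnet
Imports System.Data
Imports System.Data.OleDb

Public Class SearchForm
    ' Connection string as given in the question (the path is the asker's own).
    Private Const ConnString As String =
        "Provider=Microsoft.ACE.OLEDB.12.0; Data Source=c:\Databse\Company_db.accdb"

    ' Helper assumed for this example. Every user value travels as a parameter;
    ' OLE DB binds '?' markers by position and ignores the names given here.
    Private Function SearchEmployees(lastName As String, department As String) As DataTable
        Dim table As New DataTable()
        Dim sql As String = "SELECT * FROM tbl_empinfo WHERE LastName LIKE ?"

        Using con As New OleDbConnection(ConnString)
            Using cmd As New OleDbCommand(sql, con)
                ' The wildcard goes into the value, never into the SQL text, so a
                ' quote typed by the user (O'Brien) is sent as data, not as SQL.
                cmd.Parameters.Add("@lastName", OleDbType.VarWChar).Value = lastName & "%"

                If department <> "" Then
                    ' Append the clause and its parameter together so the second '?'
                    ' is bound to the second parameter added.
                    cmd.CommandText &= " AND Department = ?"
                    cmd.Parameters.Add("@department", OleDbType.VarWChar).Value = department
                End If

                Using adapter As New OleDbDataAdapter(cmd)
                    adapter.Fill(table)   ' Fill opens and closes the connection itself
                End Using
            End Using
        End Using
        Return table
    End Function

    Private Sub SearchButton_Click(sender As Object, e As EventArgs) Handles SearchButton.Click
        Try
            ' Bind the table directly; no row-by-row Rows.Add loop is needed.
            DataGridView1.DataSource = SearchEmployees(empLnameText.Text, Deptd.Text)
        Catch ex As OleDbException
            MessageBox.Show("Query failed: " & ex.Message)
        End Try
    End Sub
End Class
```

With ACE through OLE DB the LIKE wildcard is %, not the * used inside the Access UI.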

So, what is the error??