Visual studio 2010 使用VB 2013的SQL插入查询
Private Sub ButtonCreate_Click(sender As Object, e As EventArgs) Handles ButtonCreate.Click
Try
If TextUsername.Text = "" Then
MsgBox("Isi terlebih dahulu ID user")
Else
Koneksi()
CMD = New SqlCommand("SELECT username FROM tbl_pengguna WHERE username = '" + TextUsername.Text + "'", CONN)
DRead = CMD.ExecuteReader
DRead.Read()
If Not DRead.HasRows Then
Koneksi()
CMD = New SqlCommand("INSERT INTO tbl_pengguna(username,password,level_user) VALUES (?,?,?)", CONN)
With CMD
.Parameters.AddWithValue("?", TextUsername.Text)
.Parameters.AddWithValue("?", TextPassword.Text)
.Parameters.AddWithValue("?", ComboBoxLvU.Text)
.ExecuteNonQuery()
End With
CONN.Close()
Else
Koneksi()
CMD = New SqlCommand("UPDATE tbl_pengguna SET password=?, hak_akses=? WHERE username=?", CONN)
With CMD
.Parameters.AddWithValue("?", TextPassword.Text)
.Parameters.AddWithValue("?", ComboBoxLvU.Text)
.Parameters.AddWithValue("?", TextUsername.Text)
.ExecuteNonQuery()
End With
CONN.Close()
End If
CONN.Close()
call_all()
End If
Catch ex As Exception
MsgBox(ex.Message)
End Try
End Sub
啊,sql注入,它烧了我们!
**I fixed the error** — TY Google
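Private Sub ButtonCreate_Click(sender As Object, e As EventArgs) Handles ButtonCreate.Click
    ' Create the tbl_pengguna row for the username in TextUsername, or update its
    ' password and hak_akses when that username already exists.
    ' Every value taken from the form is bound as a SqlParameter. The original
    ' lookup concatenated TextUsername.Text straight into the SELECT, so the text
    ' box could rewrite the query (SQL injection); only the INSERT/UPDATE were
    ' parameterised. Now the SELECT is parameterised as well.
    If TextUsername.Text = "" Then
        MsgBox("Isi terlebih dahulu ID user")
        Exit Sub
    End If
    Try
        ' Koneksi() presumably prepares/opens CONN; the original called it twice
        ' per click, once before the SELECT and again before the INSERT/UPDATE.
        Koneksi()
        CMD = New SqlCommand("SELECT username FROM tbl_pengguna WHERE username = @username", CONN)
        CMD.Parameters.AddWithValue("@username", TextUsername.Text)
        DRead = CMD.ExecuteReader()
        Dim userExists As Boolean = DRead.HasRows
        ' Close the reader before running another command on the same connection
        ' (a SqlConnection without MARS serves one open reader at a time).
        DRead.Close()

        If userExists Then
            CMD = New SqlCommand("UPDATE tbl_pengguna SET password=@password, hak_akses=@hak_akses WHERE username=@username", CONN)
        Else
            CMD = New SqlCommand("INSERT INTO tbl_pengguna(username,password,hak_akses) VALUES (@username,@password,@hak_akses)", CONN)
        End If
        With CMD
            .Parameters.AddWithValue("@username", TextUsername.Text)
            ' NOTE(review): the password is written exactly as typed, i.e. in plain
            ' text; it should be hashed (with a per-user salt) before it is stored.
            .Parameters.AddWithValue("@password", TextPassword.Text)
            .Parameters.AddWithValue("@hak_akses", ComboBoxLvU.Text)
            .ExecuteNonQuery()
        End With
        CONN.Close()
        call_all()
    Catch ex As Exception
        MsgBox(ex.Message)
    Finally
        ' The original closed CONN only on the success path, so an exception
        ' left the connection (and an open reader) behind. Close() on an
        ' already-closed SqlConnection is harmless.
        If CONN IsNot Nothing Then CONN.Close()
    End Try
End Sub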
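Private Sub ButtonCreate_Click(sender As Object, e As EventArgs) Handles ButtonCreate.Click
    ' Insert the user typed into the form into tbl_pengguna, or update the row
    ' when that username already exists. All form values travel as typed
    ' SqlParameters, never by string concatenation, so the input cannot alter
    ' the SQL text.
    If TextUsername.Text = "" Then
        MsgBox("Isi terlebih dahulu ID user")
        Exit Sub
    End If
    Try
        ' A fresh SqlConnection per call is cheap because of connection pooling,
        ' and Using closes it even when an exception is thrown.
        Using conn As New SqlConnection("connection string here"),
              cmd As New SqlCommand("SELECT username FROM tbl_pengguna WHERE username = @Username", conn)
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 20).Value = TextUsername.Text
            conn.Open()

            ' Read the result and let the reader's Using block close it BEFORE the
            ' command is reused: the original cleared the parameters (spelled
            ' "Paramters", a compile error) and changed CommandText while the
            ' reader was still open, and its "If rdr.Read()" lacked "Then".
            Dim userExists As Boolean
            Using rdr As SqlDataReader = cmd.ExecuteReader()
                userExists = rdr.Read()
            End Using

            cmd.Parameters.Clear()
            If userExists Then
                cmd.CommandText = "UPDATE tbl_pengguna SET password=@password, hak_akses=@hakakses WHERE username=@Username"
            Else
                ' NOTE(review): the column is named hak_akses here to match the
                ' UPDATE; the original INSERT said level_user — confirm against
                ' the real table definition.
                cmd.CommandText = "INSERT INTO tbl_pengguna(username,password,hak_akses) VALUES (@Username, @password, @hakakses)"
            End If
            ' Both statements take the same three parameters, so bind them once.
            ' Sizes (20/64/10) are the answer's guesses — match them to the schema.
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 20).Value = TextUsername.Text
            ' NOTE(review): the password is stored as typed, i.e. in plain text;
            ' hash it (with a per-user salt) before it reaches the database.
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 64).Value = TextPassword.Text
            cmd.Parameters.Add("@hakakses", SqlDbType.NVarChar, 10).Value = ComboBoxLvU.Text
            cmd.ExecuteNonQuery()
        End Using
        call_all()
    Catch ex As Exception
        MsgBox(ex.Message)
    End Try
End Sub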