1

我有一些代码要从 mysql 数据库中读取,但我只是想知道如何修改它以查看表中是否存在用户?

谢谢

    Private Sub GetDBData()
    Try
        'prepare connection query 
        strQuery = "SELECT users.Username, users.Password " & _
        "FROM users " & _
        "WHERE Username='User'"
        SQLCmd = New MySqlCommand(strQuery, dbCon)
        'open db and start query
        dbCon.Open()
        DR = SQLCmd.ExecuteReader
        While DR.Read
            MysqlData.Text = MysqlData.Text & DR.Item("Username") & Space(10) & DR.Item("Password") & vbCrLf
        End While
        'done so closing db
        DR.Close()
        dbCon.Close()

    Catch ex As Exception
        MessageBox.Show(ex.Message)
    End Try
End Sub
4

6 回答 6

2

使用commandwithparameters来避免 SQL 注入。如果您只是通过进行一些比较来检查用户名是否存在,那么一种策略是创建一个返回布尔值的函数。以下是根据您的需要的示例代码。

Private Function IsUserExist(userName as string) AS Boolean

        Dim returnValue as boolean = false

        strQuery = "SELECT COUNT(*)"
        strQuery &= "FROM users "
        strQuery &= "WHERE Username = @xUserName "

        Using xConn as new MySQLCnnection("connectionStringHere")
            Using xComm as New MySQLCommand()
                With xComm
                    .Connection = xConn
                    .CommandText = strQuery
                    .CommandType = CommandType.Text
                    .Parameters.AddWithValue("@xUserName", userName)
                End With
                Try
                    xConn.Open()
                    If CInt(xComm.ExecuteScalar()) > 0 Then
                        returnValue = true
                    End If
                Catch ex as MySQlException
                    MsgBox(ex.Message)
                    returnValue = false
                Finally
                    xConn.Close
                End Try
            End Using
        End Using

        return returnValue
End Sub
于 2012-08-07T22:43:34.200 回答
2

修改它?这样做太不对劲了。没有 using 块、异常吞咽和潜在的 sql 注入攻击。

类似的东西(我不做VB,但基本想法是合理的)

Private Function UserExists(argUser As string) As Bool
  strQuery = "SELECT Username FROM users WHERE Username=?User"
  Using SQLcmd = New MySqlCommand(strQuery, dbCon)
    SQLCmd.Parameters.Add("?User",argUser)  
    dbCon.Open()
    Using reader = SQLCmd.ExecuteReader()
      return reader.Read()
    End Using
  End Using
End Function

如果是我,我也会实例化一个连接,而不是从你当前所在的任何地方(在 using 块中)获取它。

于 2012-08-07T22:43:50.077 回答
2

一种简单的方法是进行如下查询:

SELECT COUNT(*) FROM users WHERE Username='user123';

你运行它,取回它返回的值,如果它是 0 则用户不存在。如果为 1,则他存在,如果大于 1,则有问题(您有多个用户具有相同的用户名)。

于 2012-08-07T22:16:23.237 回答
2

我的 VB 很生锈,但这是它的要点;

Private Sub GetDBData()
Try
    'prepare connection query 
    strQuery = "SELECT users.Username, users.Password " & _
    "FROM users " & _
    "WHERE Username='User'"
    SQLCmd = New MySqlCommand(strQuery, dbCon)
    'open db and start query
    dbCon.Open()
    DR = SQLCmd.ExecuteReader

    If DR.HasRows Then

        While DR.Read
            MysqlData.Text = MysqlData.Text & DR.Item("Username") & Space(10) & DR.Item("Password") & vbCrLf
        End While
    Else
        'COMMENT: Your user didn't exist
    End If

    'done so closing db

    'COMMENT: move to a finally() section and check objects are not null before closing
    DR.Close()
    dbCon.Close()

Catch ex As Exception
    MessageBox.Show(ex.Message)
End Try

结束子

于 2012-08-07T22:27:29.027 回答
0 
Protected Sub btnlogin_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnlogin.Click
    Dim myAdapter As New MySqlDataAdapter
    Dim myCommand As New MySqlCommand
    Dim myData As MySqlDataReader
    Dim conn As MySqlConnection = New MySqlConnection("Data Source=localhost;Database=name;User ID=root;Password=pwd;")

    Dim loginstring As String = "SELECT uname,password,type FROM logindetails WHERE uname = '" + txtuname.Text + "' AND password = '" + txtpwd.Text + "' "
    Try
        conn.Open()
    Catch myerror As MySqlException 'If it fails do this... (i.e. no internet connection, etc.)
        MsgBox("Error connecting to database. Check your internet connection.", MsgBoxStyle.Critical)
    End Try

    myCommand.Connection = conn
    myCommand.CommandText = loginstring
    myAdapter.SelectCommand = myCommand
    myData = myCommand.ExecuteReader

    If myData.HasRows = 0 Then
        MsgBox("Invalid Credentials", MsgBoxStyle.Critical)
    Else
        Response.Redirect("Adminhome.aspx")
        MsgBox("Logged in as " & txtuname.Text & ".", MsgBoxStyle.Information)
    End If
    conn.Close()
End Sub
于 2012-12-21T23:21:13.040 回答
0

它很简单...

在进入 while 循环之前,声明一个整数并将其设置为零。在开始获取数据之前的 while 循环中,将该整数设置为 1。在 while 之外但在 catch 之前,放置一个 if 语句来通知您整数何时仍为零,这意味着数据库中没有数据。像这样的东西...

Private Sub GetDBData()
    Try
        'prepare connection query 
        strQuery = "SELECT users.Username, users.Password " & _
        "FROM users " & _
        "WHERE Username='User'"
        SQLCmd = New MySqlCommand(strQuery, dbCon)
    'open db and start query
    dbCon.Open()
        DR = SQLCmd.ExecuteReader
        Dim x As Integer = 0
        While DR.Read
        x = 1
        MysqlData.Text = MysqlData.Text & DR.Item("Username") & Space(10) & DR.Item("Password") & vbCrLf
    End While
    'done so closing db

    DR.Close()
    dbCon.Close()

   if x = 0
        Messagebox.Show("Record not found")
   End If
Catch ex As Exception
    MessageBox.Show(ex.Message)
End Try

结束子

于 2019-12-04T15:46:59.190 回答