0

我正在构建一个小型 VB 应用程序,它查询 MSSQL 数据库,然后在列表框中显示这些结果。有一个 TextBox (TextBox1),用户将在其中输入一个 CharName,该 CharName 将用于选择数据库中的 CharName,以仅返回该用户的结果。我目前将 sql 查询编码到 Button1 中。

所以我需要帮助的是从 TextBox1 获取输入并将 sql 查询中的 Chars.CharName 替换为用户提供的输入,以便在单击按钮时执行查询并使用结果填充 ListBox1。

顺便说一句,我是 VB 的菜鸟(显然)。

到目前为止我的代码是:

Public Class Form1

    Private Sub Form1_Load(sender As System.Object, e As System.EventArgs) Handles MyBase.Load

    End Sub

    Private Sub TextBox1_Text(sender As System.Object, e As System.EventArgs) Handles TextBox1.TextChanged

    End Sub

    Private Sub Button1_Click(sender As System.Object, e As System.EventArgs) Handles Button1.Click
        Dim sqlquery As String
        sqlquery = ("SELECT Chars.CharName, CharItems.Type, CharItems.TypeID,  CharItems.ItemName, CharItems.Bag, CharItems.Slot, CharItems.ItemUID, CharItems.Craftname, CharItems.Gem1, CharItems.Gem2, CharItems.Gem3, CharItems.Gem4, CharItems.Gem5, CharItems.Gem6 FROM Chars INNER JOIN CharItems ON Chars.CharID = CharItems.CharID WHERE ([CharName] = '" + TextBox1.Text + "'")

    End Sub

    Private Sub ListBox1_SelectedIndexChanged(sender As System.Object, e As System.EventArgs) Handles ListBox1.SelectedIndexChanged

    End Sub
End Class
4

3 回答 3

1

您需要进行连接并从数据库中获取结果并将它们存储在 a 中Datatable,然后您可以将您的绑定DatatableListBox

于 2013-01-17T21:02:26.823 回答
0

不是 VB 的人,所以这不是我的想法。不过注意评论

'put these at the top of your code file:
imports System.Data.SqlClient
imports System.Data

'and this in the Button1_Click:
dim sql as string
dim cname as string
cname=TextBox1.Text


'never just directly accept the input from a textbox, etc, into an SQL query. Always use a parameter so prevent SQL Injection attacks.
  sqlquery="SELECT Chars.CharName, CharItems.Type, CharItems.TypeID,CharItems.ItemName,CharItems.Bag, CharItems.Slot, CharItems.ItemUID, CharItems.Craftname, CharItems.Gem1, CharItems.Gem2, CharItems.Gem3, CharItems.Gem4, CharItems.Gem5, CharItems.Gem6 FROM Chars INNER JOIN CharItems ON Chars.CharID = CharItems.CharID WHERE Chars.CharName = @CharName" 


using connection as SqlConnection = new SqlConnection(ConnectionString) 'substitute ConnectionString for the connection string to your database, where you get this from is beyond the scope of this code but it should be somewhere secure i.e app.config ConnectionStrings section
connection.Open()
using comm as SqlCommand = new SqlCommand(query,conn)
dim p as SqlParameter = new SqlParameter("CharName",cname)
comm.Parameters.Add(p)
dim rs as SqlDataReader = comm.ExecuteReader
dim dt as DataTable = new DataTable
dt.Fill(rs)
end using 'comm
end using 'conn

ListBox1.DisplayMember="CharName"
ListBox1.DataSource=dt
ListBox1.DataBind()
于 2013-01-17T21:16:06.870 回答
0

设置值时,字符串文字不需要括号,sqlquery并且那里也有错字。

它应该只是

Dim sqlquery As String
sqlquery = "SELECT Chars.CharName, CharItems.Type, CharItems.TypeID, CharItems.ItemName, CharItems.Bag, CharItems.Slot, CharItems.ItemUID, CharItems.Craftname, CharItems.Gem1, CharItems.Gem2, CharItems.Gem3, CharItems.Gem4, CharItems.Gem5, CharItems.Gem6 FROM Chars INNER JOIN CharItems ON Chars.CharID = CharItems.CharID WHERE [CharName] = '" + TextBox1.Text + "'"

我不想在这里讨论使用这种方法进行 SQL 注入的整个问题,但是您确实应该阅读有关执行存储过程而不是原始 SQL 的内容,以便您可以参数化您的输入。

于 2013-01-17T21:04:45.627 回答