-1

当按下“注册”按钮时,Visual Studio 2012 在 SQL 语句中给我一个错误

sqlValidate = "SELECT * FROM users  where username=" + txtUsername.Text.ToString

错误是:

列名“cdarwin”无效

其中 ' cdarwin' 是输入的用户名txtUsername

谁能告诉我怎么了?

这是子的完整代码:

Public Sub register()
    Dim Username As String = txtUsername.Text
    Dim Surname As String = txtSurname.Text
    Dim Password As String = txtPassword.Text
    Dim Name As String = txtName.Text
    Dim Address1 As String = txtAddress1.Text
    Dim Address2 As String = txtAddress2.Text
    Dim City As String = txtCity.Text
    Dim Email As String = txtEmail.Text
    Dim Country As String = drpCountry.Text
    Dim DOB As Date = calDOB.SelectedDate
    Dim Occupation As String = txtOccupation.Text
    Dim WorkLocation As String = txtWorkLocation.Text
    Dim Age As Integer = Date.Today.Year - calDOB.SelectedDate.Year
    Dim ProjectManager As String = "N/A"
    Dim TeamLeader As String = "N/A"
    Dim TeamLeaderID As Integer = "1"
    Dim ProjectManagerID As Integer = "1"
    Dim RegistrationDate As Date = DateTime.Today
    Dim ContractType As String = "N/A"
    Dim ContractDuration As Integer = 6
    Dim Department As String = "N/A"
    Dim conn As New SqlConnection("Data Source=BRIAN-PC\SQLEXPRESS;Initial Catalog=master_db;Integrated Security=True")
    Dim registerSQL As SqlCommand
    Dim sqlComm As String
    Dim validateSQL As SqlCommand
    Dim sqlValidate As String

    sqlValidate = "SELECT * FROM users  where username=" + txtUsername.Text.ToString

    sqlComm = "INSERT INTO users(Username, Password, Name, Surname, Address1, Address2, " +
        "City, Country, date_of_birth, age, Occupation, department, work_location, " +
        "project_manager,team_leader, team_leader_id, project_manager_id, " +
        "date_registration, contract_type, contract_duration) " +
        "VALUES(@p1, @p2,@p3,@p4,@p5,@p6,@p7,@p8,@p9,@p10,@p11,@p12,@p13,@p14,@p15," +
        "@p16,@p17,@p18,@p19,@p20)"

    conn.Open()

    validateSQL = New SqlCommand(sqlValidate, conn)

    Dim dr As SqlDataReader = validateSQL.ExecuteReader()

    If dr.HasRows = False Then
        dr.Close()

        registerSQL = New SqlCommand(sqlComm, conn)
        registerSQL.Parameters.AddWithValue("@p1", Username)
        registerSQL.Parameters.AddWithValue("@p2", Password)
        registerSQL.Parameters.AddWithValue("@p3", Name)
        registerSQL.Parameters.AddWithValue("@p4", Surname)
        registerSQL.Parameters.AddWithValue("@p5", Address1)
        registerSQL.Parameters.AddWithValue("@p6", Address2)
        registerSQL.Parameters.AddWithValue("@p7", City)
        registerSQL.Parameters.AddWithValue("@p8", Country)
        registerSQL.Parameters.AddWithValue("@p9", DOB)
        registerSQL.Parameters.AddWithValue("@p10", Age)
        registerSQL.Parameters.AddWithValue("@p11", Occupation)
        registerSQL.Parameters.AddWithValue("@p12", Department)
        registerSQL.Parameters.AddWithValue("@p13", WorkLocation)
        registerSQL.Parameters.AddWithValue("@p14", ProjectManager)
        registerSQL.Parameters.AddWithValue("@p15", TeamLeader)
        registerSQL.Parameters.AddWithValue("@p16", TeamLeaderID)
        registerSQL.Parameters.AddWithValue("@p17", ProjectManagerID)
        registerSQL.Parameters.AddWithValue("@p18", RegistrationDate)
        registerSQL.Parameters.AddWithValue("@p19", ContractType)
        registerSQL.Parameters.AddWithValue("@p20", ContractDuration)

        registerSQL.ExecuteNonQuery()

        conn.Close()

    ElseIf dr.HasRows = True Then

        lblUsername.Text = "That Username (" + txtUsername.Text + ") is already registered/taken."
        lblUsername.Visible = True
        conn.Close()

    End If
End Sub
4

2 回答 2

3

除了不使用参数化查询(易受 sql 注入攻击)之外,您需要在字符串周围加上引号:

sqlValidate = "SELECT * FROM users  where username='" + txtUsername.Text.ToString + "'"

如果没有引号,SQL Server 会尝试将“cdarwin”解释为列名。

这是使用参数化查询的模型:

sqlValidate = "SELECT * FROM users  where username=@user"
...
validateSQL.Parameters.AddWithValue("@user", txtUsername.Text)
于 2013-04-01T12:50:23.830 回答
2

使用类似的查询

sqlValidate = "SELECT * FROM users  where username='@UserName'"

使用参数化查询来发送您的数据。
您当前的代码容易受到 SQL 注入攻击。

validateSQL.Parameters.AddWithValue("@UserName", txtUsername.Text.ToString)
于 2013-04-01T12:51:37.133 回答