这就是我如何在 vb.net 中的 MYSQL 上插入一个新人
Dim cmd2 As New MySqlCommand("INSERT INTO login (username, password) VALUES (username ,
password)", db_con)
或者有没有更好的方法来做到这一点。
问问题
246 次
3 回答
1
使用参数化查询来防止 SQL 注入,甚至更好地使用存储过程。
Imports System
Imports System.Collections.Generic
Imports System.Linq
Imports System.Text
Imports System.Data
Imports MySql.Data
Imports MySql.Data.MySqlClient
Module Module1
Sub Main()
Dim conn As New MySqlConnection()
conn.ConnectionString = "xyz"
Dim cmd As New MySqlCommand()
'Here we execute a command to insert data via stored procedure
Try
Console.WriteLine("Connecting to MySQL...")
conn.Open()
cmd.Connection = conn
cmd.CommandText = "add_emp"
cmd.CommandType = CommandType.StoredProcedure
cmd.Parameters.AddWithValue("@uname", "Jeremy")
cmd.Parameters("@uname").Direction = ParameterDirection.Input
cmd.Parameters.AddWithValue("@pword", "123abc")
cmd.Parameters("@pword").Direction = ParameterDirection.Input
cmd.Parameters.AddWithValue("@empno", MySqlDbType.Int32)
cmd.Parameters("@empno").Direction = ParameterDirection.Output
cmd.ExecuteNonQuery()
Console.WriteLine("Employee number: " & cmd.Parameters("@empno").Value)
Catch ex As MySql.Data.MySqlClient.MySqlException
Console.WriteLine(("Error " & ex.Number & " has occurred: ") + ex.Message)
End Try
conn.Close()
Console.WriteLine("Done.")
End Sub
End Module
Sub Main()
Dim conn As New MySqlConnection()
conn.ConnectionString = "server=localhost;user=root;database=world;port=3306;password=******;"
Dim cmd As New MySqlCommand()
'HERE WE EXECUTE A COMMAND TO CREATE THE TABLE AND STORED PROCEDURE
Try
Console.WriteLine("Connecting to MySQL...")
conn.Open()
cmd.Connection = conn
cmd.CommandText = "DROP PROCEDURE IF EXISTS add_emp"
cmd.ExecuteNonQuery()
cmd.CommandText = "DROP TABLE IF EXISTS emp"
cmd.ExecuteNonQuery()
cmd.CommandText = "CREATE TABLE emp (empno INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY, user_name VARCHAR(20), password VARCHAR(20))"
cmd.ExecuteNonQuery()
cmd.CommandText = "CREATE PROCEDURE add_emp(" & "IN uname VARCHAR(20), IN pword VARCHAR(20), OUT empno INT)" & "BEGIN INSERT INTO emp(user_name, password, birthdate) " & "VALUES(uname, pword); SET empno = LAST_INSERT_ID(); END"
cmd.ExecuteNonQuery()
Catch ex As MySqlException
Console.WriteLine(("Error " & ex.Number & " has occurred: ") + ex.Message)
End Try
conn.Close()
Console.WriteLine("Connection closed.")
End Sub
于 2013-04-10T23:45:53.970 回答
1
为了防止 SQL 注入,你必须使用参数化查询。我给你一个函数的引用,你必须让你的函数像这样
插入函数
Public Shared Function InsertFile(ByVal name As String, ByVal pwd As String) As Integer
Dim sql As String
sql = "insert into login (username,password) values (?uname, ?upass);"
Dim params1(2) As MySqlParameter
params1(1) = New MySqlParameter("?uname", name )
params1(2) = New MySqlParameter("?upass", pwd )
Return MySqlHelper.ExecuteNonQuery(sql, params1)
End Function
现在创建一个新的ExecuteNonQuery函数来执行您的查询
ExecuteNonQuery 函数
Public Shared Function ExecuteNonQuery(ByVal sql As String, ByVal params() As MySqlParameter) As Integer
Dim cnn As New MySqlConnection(connectionstring)
Dim cmd As New MySqlCommand(sql, cnn)
For i As Integer = 0 To params.Length - 1
cmd.Parameters.Add(params(i))
Next
cnn.Open()
Dim retval As Integer = cmd.ExecuteNonQuery()
cnn.Close()
Return retval
End Function
就是这样,希望你能理解。
于 2013-04-11T05:24:30.743 回答
0
插入登录名(用户名、密码)值(?,?)
于 2013-04-11T00:01:15.457 回答