
这段代码有什么问题:

 ' Login check: opens an ADO connection, counts the rows in login_hisab that match
 ' the text entered in Text1 (username) and Text2 (password), and shows an error
 ' message when no row matches.
 Dim con As ADODB.Connection
 Dim rec As ADODB.Recordset
 Set con = New ADODB.Connection
 Set rec = New ADODB.Recordset
 Dim count As Integer
 ' NOTE(review): the connection string embeds the database credentials in the
 ' client code and logs in as "system", which is a built-in administrative
 ' account on Oracle (MSDAORA is the OLE DB provider for Oracle). Any injected
 ' SQL would run with that account's privileges; a dedicated account limited to
 ' SELECT on login_hisab would contain the damage.
 con.Open "Provider=MSDAORA.1;Password=****;User ID=system;Persist Security   Info=False"
 con.CursorLocation = adUseClient
 ' NOTE(review): Text1.Text and Text2.Text are concatenated into the statement
 ' with no quoting and no escaping. Ordinary text values therefore produce
 ' invalid SQL, and because the user's input becomes part of the statement
 ' itself this is a SQL injection point. Bind the values as parameters
 ' (ADODB.Command with "?" placeholders) instead of building the string.
 ' NOTE(review): the entered password is compared directly with the password
 ' column, so the column presumably holds plaintext passwords - confirm; a
 ' salted password hash should be stored and compared instead.
 rec.Open "select count(*) as c from login_hisab where username = " & Text1.Text & " and password = " & Text2.Text & "", con, adOpenDynamic, adLockOptimistic
 ' Read the single aggregate column returned by the query.
 count = rec.Fields("c")
 ' Zero matching rows means the credentials were not found. The message does
 ' not reveal which of the two fields was wrong.
 If count = 0 Then
   MsgBox "Invalid USERNAME or PASSWORD"
 End If

2 回答 2


您可能需要把 SQL 中的字符串值放在单引号内(注意:这只能消除语法错误;用户输入仍被直接拼接进 SQL 语句,依然存在 SQL 注入风险,更稳妥的做法是使用参数化查询):

where username = '" & Text1.Text & "' and password = '" & Text2.Text & "'"
于 2013-08-22T18:40:15.457 回答

尝试使用这样的参数化查询(以下是未经测试的示例代码)。这意味着您不必担心密码中包含 ' 或 " 字符,也不必担心 SQL 注入等问题。

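' Parameterized login check: the username and password are bound as parameters
' to the "?" placeholders, so the entered text is always treated as data and
' never as part of the SQL statement (quotes in the input are harmless).
' Expects "con" to be an open ADODB.Connection, and "rec" / "count" to be
' declared by the surrounding code.
Dim cmd As ADODB.Command
Dim userLen As Long
Dim pwdLen As Long

' ADO rejects a variable-length (adVarChar) parameter whose Size is 0, so an
' empty text box would raise a run-time error instead of a failed login.
' Use a minimum size of 1 so empty input simply matches no row.
userLen = Len(Text1.Text)
If userLen = 0 Then userLen = 1
pwdLen = Len(Text2.Text)
If pwdLen = 0 Then pwdLen = 1

Set cmd = New ADODB.Command
cmd.CommandType = adCmdText
cmd.CommandTimeout = 30
cmd.CommandText = "select count(*) as c from login_hisab where username = ? and password = ?"
' Parameters are matched to the placeholders by position; the names are
' only labels.
cmd.Parameters.Append cmd.CreateParameter("userid", adVarChar, _
  adParamInput, userLen, Text1.Text)
cmd.Parameters.Append cmd.CreateParameter("pwd", adVarChar, _
  adParamInput, pwdLen, Text2.Text)
' "Set" binds the command to the existing connection object. A plain
' assignment would pass the connection's default property (its connection
' string) and make ADO open a second connection, which can fail to log in
' when Persist Security Info=False has removed the password from that string.
Set cmd.ActiveConnection = con
Set rec = cmd.Execute()

' NOTE(review): the entered password is compared directly with the password
' column, so the column presumably holds plaintext passwords - confirm; a
' salted password hash should be stored and compared instead.
count = rec.Fields("c")
' Zero matching rows means the credentials were not found. The message does
' not reveal which of the two fields was wrong.
If count = 0 Then
  MsgBox "Invalid USERNAME or PASSWORD"
End If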
于 2013-08-23T11:50:16.043 回答