1

如果它在“搜索按钮”中,则下面的代码“”正在工作,但我想在“加载表单”中使用它,当我运行它时,它应该自动将数据显示到 datagridview 中,这会在上面提到错误。任何建议将不胜感激。 

 Private Sub Search_Record()
    Dim conn As New OleDbConnection
    Dim cmd As New OleDbCommand
    Dim da As New OleDbDataAdapter
    Dim dt As New DataTable
    Dim sSQL As String = String.Empty
    Try
        conn = New OleDbConnection(Get_Constring)
        conn.Open()
        cmd.Connection = conn
        cmd.CommandType = CommandType.Text
        sSQL = "SELECT Username, lname + ', ' + fname + ' ' + mname as name, password FROM Instructor"
        If Me.cboSearchBy.Text = "Name" Then
            sSQL = sSQL & " where lname + ', ' + fname + ' ' + mname like '%" & Me.txtSearch.Text & "%'"
            sSQL = sSQL & " and  level like '%instructor%'"
        Else
            sSQL = sSQL & " where Username =" & Me.txtSearch.Text
            sSQL = sSQL & " and  level like '%instructor%'"
        End If
        cmd.CommandText = sSQL
        da.SelectCommand = cmd
        da.Fill(dt)
        Me.dtgResult.DataSource = dt
        If dt.Rows.Count = 0 Then
            MsgBox("No record found!")
        End If
    Catch ex As Exception
        MsgBox(ErrorToString)
    Finally
        conn.Close()
    End Try
End Sub
4

1 回答 1

4

When the form starts and there is no text in the txtSearch textbox your query becomes syntactically wrong. If you had used a parameterized query you would have avoided this error.
(Not to mention the famigerate Sql Injection problem) 

Using conn = New OleDbConnection(Get_Constring)
Using cmd = new OleDbComman()
    conn.Open()
    cmd.Connection = conn
    sSQL = "SELECT Username, lname + ', ' + fname + ' ' + mname as name, password FROM Instructor"
    If Me.cboSearchBy.Text = "Name" Then
       sSQL = sSQL & " where lname + ', ' + fname + ' ' + mname like ? and  level like ?"
    Else
       sSQL = sSQL & " where Username = ? and  level like ?"
    End If
    cmd.CommandText = sSQL
    cmd.Parameters.AddWithValue("@1", "%" & txtSearch.Text & "%")
    cmd.Parameters.AddWithValue("@2", "%instructor%")
    Using da = new OleDbDataAdapter(cmd)
       da.Fill(dt)
       Me.dtgResult.DataSource = dt
       If dt.Rows.Count = 0 Then
           MsgBox("No record found!")
       End If
    End Using
End Using

Also, if you are using an MS-Access database keep in mind that PASSWORD is a reserved keyword and you need to encapsulate it between square brackets when used in query like the one above.

SELECT ......., [Password] ........
于 2013-10-04T13:53:42.027 回答