Self learning on vb.net



I am currently trying to understand and learn the new code commands in vb.net. While studying this code I came across three pieces of code:

"SELECT staff_id,pass_word FROM userlogin WHERE staff_id = @staff_id AND pass_word = @pass_word")

The second piece of code:

Dim uName As New OleDbParameter("@staff_id", SqlDbType.VarChar)

The third and last one:

uName.Value = txtstaffid.Text
myCommand.Parameters.Add(uName)

When you have already typed the pass_word column, the OleDbParameter and Parameters.Add, what is the @pass_word code for?

The code below shows a more complete picture of what the code is doing. Using ... End Using blocks ensure that the objects are closed and disposed even if there is an error. Of course, in a real application passwords would never be stored as plain text (too easy to crack). They would be salted and hashed, but that's for another day.

Imports System.Data
Imports System.Data.SqlClient

Private Sub CheckPassword()
    'This line assigns a Transact SQL command to a string variable.
    'It will return a record with 2 columns. The @staff_id and @pass_word are parameter placeholders.
    'The use of parameters limits the possibility of SQL injection with malicious input by the user
    'typing in the text box.
    Dim strSQL = "SELECT staff_id,pass_word FROM userlogin WHERE staff_id = @staff_id AND pass_word = @pass_word;"
    Using cn As New SqlConnection("Your connection string")
        'Pass the command string and the connection to the constructor of the command.
        Using cmd As New SqlCommand(strSQL, cn)
            'It is unnecessary to create a separate parameter variable.
            'The .Add method of the command's Parameters collection will create a parameter.
            cmd.Parameters.Add("@staff_id", SqlDbType.VarChar).Value = txtstaffid.Text
            cmd.Parameters.Add("@pass_word", SqlDbType.VarChar).Value = txtPassword.Text
            cn.Open()
            Using dr As SqlDataReader = cmd.ExecuteReader()
                'All we really need to know is whether we returned a row.
                If dr.HasRows Then
                    MessageBox.Show("Login Successful")
                Else
                    MessageBox.Show("Login Failed")
                End If
            End Using
        End Using
    End Using
End Sub
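As an added example (not code from the question or from the answer above), the following VB.NET module puts the concatenated form of the same login query next to the parameterized one, so the role of the @staff_id and @pass_word placeholders is visible without a database. The staff id "O'Brien" is a constructed input: the apostrophe is ordinary user data, yet it is enough to break the concatenated query, which is exactly the property that makes concatenation unsafe. The placeholder connection string, the column sizes of 50, and the helper names BuildLoginSqlByConcatenation, CreateLoginCommand and PlaceholdersMatchParameters are assumptions made for this example; the command is only built and inspected, never executed.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Linq
Imports System.Text.RegularExpressions

Module LoginQueryDemo

    ' Constructed sample inputs (not from the original post).
    Private Const SampleStaffId As String = "O'Brien"
    Private Const SamplePassword As String = "hunter2"

    ' UNSAFE: the SQL text is built by concatenating user input. The apostrophe in
    ' "O'Brien" closes the string literal, so the user's text becomes part of the
    ' SQL grammar instead of staying a value.
    Public Function BuildLoginSqlByConcatenation(staffId As String, password As String) As String
        Return "SELECT staff_id,pass_word FROM userlogin WHERE staff_id = '" & staffId &
               "' AND pass_word = '" & password & "';"
    End Function

    ' SAFE: the SQL text contains only the @placeholders. The names given to
    ' Parameters.Add must match the @names in the text; the values travel to the
    ' server separately as typed data, so they can never change the query's structure.
    ' (Size 50 is an assumed column width.)
    Public Function CreateLoginCommand(cn As SqlConnection, staffId As String, password As String) As SqlCommand
        Dim cmd As New SqlCommand(
            "SELECT staff_id,pass_word FROM userlogin WHERE staff_id = @staff_id AND pass_word = @pass_word;", cn)
        cmd.Parameters.Add("@staff_id", SqlDbType.VarChar, 50).Value = staffId
        cmd.Parameters.Add("@pass_word", SqlDbType.VarChar, 50).Value = password
        Return cmd
    End Function

    ' Check worth keeping in a unit test: every @name in the SQL text needs a matching
    ' entry in cmd.Parameters, otherwise SQL Server rejects the command at execution
    ' time ("Must declare the scalar variable ...").
    Public Function PlaceholdersMatchParameters(cmd As SqlCommand) As Boolean
        Dim inText = Regex.Matches(cmd.CommandText, "@\w+").Cast(Of Match)().Select(Function(m) m.Value)
        Dim declared = cmd.Parameters.Cast(Of SqlParameter)().Select(Function(p) p.ParameterName)
        Return Not inText.Except(declared, StringComparer.OrdinalIgnoreCase).Any()
    End Function

    Sub Main()
        Console.WriteLine("Concatenated SQL (the apostrophe has broken the statement):")
        Console.WriteLine(BuildLoginSqlByConcatenation(SampleStaffId, SamplePassword))

        ' Placeholder connection string; the connection is never opened.
        Using cn As New SqlConnection("Server=(placeholder);Database=placeholder;Integrated Security=true")
            Using cmd = CreateLoginCommand(cn, SampleStaffId, SamplePassword)
                Console.WriteLine()
                Console.WriteLine("Parameterized SQL text (unchanged by the input):")
                Console.WriteLine(cmd.CommandText)
                For Each p As SqlParameter In cmd.Parameters
                    Console.WriteLine("  {0} = {1}", p.ParameterName, p.Value)
                Next
                Console.WriteLine("All placeholders declared: {0}", PlaceholdersMatchParameters(cmd))
            End Using
        End Using
    End Sub
End Module
```

Running the module prints the concatenated statement with a stray quote in the middle of it, while the parameterized CommandText is identical no matter what the user typed; the apostrophe only appears as the value of @staff_id. That is the answer to the question: the @pass_word token in the SQL string is the slot the parameter object named "@pass_word" fills in, and both halves are needed for the pairing to work.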
