-1

所以我试图为数据库做一个搜索记录,但我得到了错误

您的 SQL 语法有错误;检查与您的 MySQL 服务器版本相对应的手册,以在第 1 行的 'WHERE ProductName LIKE 'Monitor' '%'" 附近使用正确的语法

Private Sub Btnsearch_Click(sender As Object, e As EventArgs) Handles btnsearch.Click
    Try
        ListView1.Items.Clear()
        strsql = "SELECT tbl_pcperipherals WHERE ProductName LIKE @field1 '%'"
        objcmd = New MySql.Data.MySqlClient.MySqlCommand(strsql, objconn)
        With objcmd
            .Parameters.AddWithValue("@field1", txtsearch.Text)
        End With
        objdr = objcmd.ExecuteReader
        While (objdr.Read)
            With ListView1.Items.Add(objdr("ProductID"))
                .SubItems.add(objdr("ProductName"))
                .subitems.add(objdr("ProductBrand"))
                .subitems.add(objdr("ProductCategory"))
                .subitems.add(objdr("ProductQuantity"))
                .subitems.add(objdr("ProductDescription"))
                .subitems.add(objdr("ProductManufacturer"))
                .subitems.add(objdr("Stock"))
                .subitems.add(objdr("Supplier"))
                .subitems.add(objdr("ContactNo"))
            End With
            objcmd.Dispose()
            objdr.Close()
        End While
    Catch ex As Exception
        MsgBox(ex.Message)
        Me.fillsview()
    End Try
End Sub
4

4 回答 4

0

我相信如果您使用这样的代码将解决您的问题:

Dim strsql = string.format("SELECT tbl_pcperipherals WHERE ProductName LIKE '%{0}%'",txtsearch.Text);
于 2021-11-17T13:23:11.500 回答
0

我不知道你为什么使用ListView. ADataGridView有一个DataSource属性,因此更容易编码。

Using在块中本地声明您的一次性数据库对象。您的 select 语句缺少字段列表和 From 子句。

您的代码在读取第一条记录后关闭阅读器,因为objdr.Close()它在While循环内。无论如何,在更新用户界面时保持连接打开是不好的。连接应在最后一刻打开并尽快关闭。ADataReader需要打开的连接。如果您Load可以DataTable关闭连接,然后填充 ListView。

Private Sub Btnsearch_Click(sender As Object, e As EventArgs) Handles btnsearch.Click
    Try
        ListView1.Items.Clear()
        Dim dt As New DataTable
        Dim strsql = "SELECT * From tbl_pcperipherals WHERE ProductName LIKE @field1"
        Using objconn As New MySqlConnection("Your connection string"),
                objcmd As New MySqlCommand(strsql, objconn)
            objcmd.Parameters.AddWithValue("@field1", txtsearch.Text & "%")
            objconn.Open()
            Using reader = objcmd.ExecuteReader
                dt.Load(reader)
            End Using 'closes and disposes reader
        End Using 'disposes objcmd and closes and disposes objconn
        For Each row As DataRow In dt.Rows
            With ListView1.Items.Add(row("ProductID").ToString)
                .SubItems.Add(row("ProductName").ToString)
                .SubItems.Add(row("ProductBrand").ToString)
                .SubItems.Add(row("ProductCategory").ToString)
                .SubItems.Add(row("ProductQuantity").ToString)
                .SubItems.Add(row("ProductDescription").ToString)
                .SubItems.Add(row("ProductManufacturer").ToString)
                .SubItems.Add(row("Stock").ToString)
                .SubItems.Add(row("Supplier").ToString)
                .SubItems.Add(row("ContactNo").ToString)
            End With
        Next
    Catch ex As Exception
        MsgBox(ex.Message)
    End Try
End Sub
于 2021-11-14T22:14:21.283 回答
0

大家好,感谢您回答这个问题,我已经修复了它,我稍微更改了代码并删除了 sql 注入漏洞。

这解决了我的问题

SELECT * FROM tbl_pcperipherals WHERE ProductName LIKE  @field1 '%'"

在这里,我的代码中的更改和 sql 注入漏洞被删除并更改为此。

       Private Sub Btnsearch_Click(sender As Object, e As EventArgs) Handles btnsearch.Click
    Try
        ListView1.Items.Clear()
        'Safe in SQL iNJECT'
        objcmd = New MySql.Data.MySqlClient.MySqlCommand("SELECT * FROM tbl_pcperipherals WHERE ProductName LIKE  @field1 '%'", objconn)
        'Unsafe Vulnerable in SQL INJECT'
        'strsql = "SELECT tbl_pcperipherals WHERE ProductName LIKE concat(@field1, '%')"'
        'objcmd = New MySql.Data.MySqlClient.MySqlCommand(strsql, objconn)' 
        With objcmd
            .Parameters.AddWithValue("@field1", txtsearch.Text)
        End With
        objdr = objcmd.ExecuteReader
        While (objdr.Read)
            With ListView1.Items.Add(objdr("ProductID"))
                .SubItems.add(objdr("ProductName"))
                .subitems.add(objdr("ProductBrand"))
                .subitems.add(objdr("ProductCategory"))
                .subitems.add(objdr("ProductQuantity"))
                .subitems.add(objdr("ProductDescription"))
                .subitems.add(objdr("ProductManufacturer"))
                .subitems.add(objdr("Stock"))
                .subitems.add(objdr("Supplier"))
                .subitems.add(objdr("ContactNo"))
            End With
        End While
        objcmd.Dispose()
        objdr.Close()
    Catch ex As Exception
        MsgBox(ex.Message)
        Me.fillsview()
    End Try
End Sub
于 2021-11-27T11:42:46.220 回答
0

LIKE以错误的方式构建匹配的字符串..尝试起诉

    "SELECT * from tbl_pcperipherals WHERE ProductName LIKE concat(@field1, '%')"
于 2021-11-14T12:07:57.403 回答