我正在尝试使用 SQL Express 2012 和 VB.NET 编写登录表单。数据库连接已经建立，但现在遇到以下问题：执行到 data = command.ExecuteReader 时报错“'=' 附近的语法不正确”。有什么建议吗？代码如下，谢谢！
Imports System.Data.SqlClient
Imports System.Data.OleDb
Public Class login
' Click handler for the login button: opens a SQL Server connection, looks up
' the row for the typed username and compares column index 2 of that row with
' the typed password, reporting the outcome through MsgBox.
Private Sub login_user_Click(sender As Object, e As EventArgs) Handles login_user.Click
    Dim conn As New SqlConnection
    If conn.State = ConnectionState.Closed Then
        ' NOTE(review): the connection string is embedded in the client and logs in
        ' as "sa" with a literal password; anyone who can read the binary obtains
        ' server-administrator access. Prefer a least-privilege login and keep the
        ' secret out of source.
        conn.ConnectionString = ("Server=192.168.0.2;Database=Sunshinetix;User=sa;Password=sunshine;")
    End If
    Try
        conn.Open()
        ' Two problems on this line:
        '  1. "SELECT = FROM" is not valid T-SQL; this is what produces the
        '     "incorrect syntax near '='" error when the command executes.
        '  2. The textbox value is concatenated into the SQL text, so whatever the
        '     user types becomes part of the statement (SQL injection). The value
        '     should be passed as a SqlParameter instead.
        Dim sqlquery As String = "SELECT = FROM Users Where Username = '" & username_user.Text & "';"
        Dim data As SqlDataReader
        ' The adapter is assigned a SelectCommand below but is never used to fill anything.
        Dim adapter As New SqlDataAdapter
        Dim command As New SqlCommand
        command.CommandText = sqlquery
        command.Connection = conn
        adapter.SelectCommand = command
        ' Neither the reader nor the connection is closed or disposed anywhere in this Sub.
        data = command.ExecuteReader()
        While data.Read
            ' Inside the loop a row has just been read, so HasRows is always True
            ' here and the outer Else branch cannot run. When no row matches the
            ' username the loop body never executes and no message is shown at all.
            If data.HasRows = True Then
                ' NOTE(review): column 2 is compared directly with the typed text,
                ' which suggests passwords are stored in clear text; a salted
                ' password hash should be stored and compared instead. Presumably
                ' index 2 is the password column; verify against the Users schema.
                If data(2).ToString = password_user.Text Then
                    MsgBox("Sucsess")
                Else
                    MsgBox("Login Failed! Please try again or contact support")
                End If
            Else
                MsgBox("Login Failed! Please try again or contact support")
            End If
        End While
    Catch ex As Exception
        ' The empty Catch discards every error, including connection and SQL
        ' failures, so nothing is reported or logged when the login cannot run.
    End Try
End Sub
End Class
Mar*_*rek 11
问题出在你的查询上：SELECT = FROM 显然是笔误，正确的语法是 SELECT * FROM。
请参阅我的代码以避免 SqlInjection

试试这段代码:
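' Login check using a parameterized query: the typed username is sent to the
' server as the value of @user and never becomes part of the SQL text, which is
' what prevents SQL injection here.
Dim authenticated As Boolean = False
Try
    ' NOTE(review): this connection string ships the "sa" login and its password
    ' inside the client. Use a dedicated least-privilege login (or integrated
    ' security) and load the secret from protected configuration.
    Using conn As New SqlConnection("Server=192.168.0.2;Database=Sunshinetix;User=sa;Password=sunshine;")
        conn.Open()
        Dim sqlquery As String = "SELECT * FROM Users Where Username = @user;"
        Using command As New SqlCommand(sqlquery, conn)
            ' Bind the USERNAME textbox to @user. Binding password_user.Text here
            ' would look the user up by password and never match the right row.
            command.Parameters.Add(New SqlParameter("@user", username_user.Text))
            Using data As SqlDataReader = command.ExecuteReader()
                While data.Read()
                    ' NOTE(review): comparing column 2 with the typed text implies the
                    ' table holds clear-text passwords; store a salted password hash
                    ' and compare hashes instead. Presumably index 2 is the password
                    ' column (SELECT * makes this order-dependent); verify against
                    ' the Users schema.
                    If String.Equals(data(2).ToString(), password_user.Text, StringComparison.Ordinal) Then
                        authenticated = True
                        Exit While
                    End If
                End While
            End Using
        End Using
    End Using
Catch ex As Exception
    ' Do not swallow the error silently, and do not show its details to the
    ' user: record it for diagnostics and fall through to the generic failure.
    System.Diagnostics.Debug.WriteLine(ex.ToString())
    authenticated = False
End Try

' One message per attempt, identical for "unknown user", "wrong password" and
' "lookup failed", so the dialog does not reveal which usernames exist.
If authenticated Then
    MsgBox("Sucsess")
Else
    MsgBox("Login Failed! Please try again or contact support")
End If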
我建议您使用参数化查询来避免SQL注入