您的SQL语法中有错误...'''附近
这是我的桌子.
试图制作一个"忘记密码表".
一遍又一遍地得到同样的错误.需要你的帮助.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
这是我的代码.
Private Sub Button1_Click(sender As System.Object, e As System.EventArgs) Handles Button1.Click
Dim con As New MySqlConnection("host=localhost; username=root; database= login")
Dim cmd As New MySqlCommand
Dim dr As MySqlDataReader
con.Open()
cmd.Connection = con
cmd.CommandText = "select 'from users where userID= ' " & userTxt.Text & " ' and secretQ = ' " & qTxt.Text & " 'and answer= ' " & ansTxt.Text & "' "
dr = cmd.ExecuteReader
If Not dr Is Nothing Then
dr.Read()
pwTxt.Text = dr(2)
dr.Close()
Else
MsgBox("Invalid Username or Password.")
End If
End Sub
你的SQL查询中有一个引用,删除它
select 'from users
^
您还应该使用参数化查询.它不仅会阻止SQL注入,还会转义值中的字符,例如引号.
例:
cmd.CommandText = "select from users
where userID= @userID
and secretQ = @secretQ
and answer= @answer"
cmd.Parameters.AddWithValue("@userID ", userTxt.Text)
cmd.Parameters.AddWithValue("@secretQ", qTxt.Text)
cmd.Parameters.AddWithValue("@answer", ansTxt.Text)
dr = cmd.ExecuteReader
要明确:
cmd.Parameters.Add("@userID", MySqlDbType.VarChar).Value = userTxt.Text
cmd.Parameters.Add("@secretQ", MySqlDbType.VarChar).Value = qTxt.Text
cmd.Parameters.Add("@answer", MySqlDbType.VarChar).Value = ansTxt.Text