在 vb.net 中添加记录并使用 elseif 检查记录是否存在
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/20649548/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Adding records in vb.net and Checking if records exist using elseif
提问by Sam Teng Wong
I'm new to vb.net.. so sorry in advance. can anyone help me what's wrong with my elseif line of code.
我是 vb.net 的新手 .. 所以提前抱歉。任何人都可以帮助我我的 elseif 代码行有什么问题。
Dim con As SqlConnection = New SqlConnection("Data Source=PC11-PC\kim;Initial Catalog=ordering;User ID=sa;Password=123")
Dim cmd1 As SqlCommand = New SqlCommand("Select * from Customer", con)
Dim first1 As String
Dim second2 As String
first1 = "FirstName"
second2 = "LastName"
con.Open()
If TextBox1.Text = "" Or TextBox2.Text = "" Then
MsgBox("Please fill-up all fields!", MsgBoxStyle.Exclamation, "Add New Customer!")
'this will supposedly display error message for "User Already Exist"
' ElseIf textbox1.text = first1 and textbox2.text = second2 Then
' MsgBox("User Already Exist!", MsgBoxStyle.Exclamation, "Add New User!")
Else
Dim cmd As SqlCommand = New SqlCommand("Insert into [ordering].[dbo].[Customer] ([FirstName],[LastName]) values ('" + TextBox1.Text + "','" + TextBox2.Text + "')", con)
cmd.ExecuteNonQuery()
MsgBox("Records Successfully Added!", MsgBoxStyle.Information, "Add New Customer!")
TextBox1.Text = ""
TextBox2.Text = ""
con.Close()
End If
回答by Karl Anderson
You need to actually check to see if the user already exists by executing the SELECT * FROM Customerquery, but you need to add the WHEREclause, like this:
您需要通过执行SELECT * FROM Customer查询来实际检查用户是否已经存在,但是您需要添加WHERE子句,如下所示:
If TextBox1.Text = "" Or TextBox2.Text = "" Then
MsgBox("Please fill-up all fields!", MsgBoxStyle.Exclamation, "Add New Customer!")
Else
Dim theQuery As String = "SELECT * FROM Customer WHERE FirstName=@FirstName AND LastName=@LastName"
Dim cmd1 As SqlCommand = New SqlCommand(theQuery, con)
cmd1.Parameters.AddWithValue("@FirstName", TextBox1.Text)
cmd1.Parameters.AddWithValue("@LastName", TextBox2.Text)
Using reader As SqlDataReader = cmd1.ExecuteReader()
If reader.HasRows Then
' User already exists
MsgBox("User Already Exist!", MsgBoxStyle.Exclamation, "Add New User!")
Else
' User does not exist, add them
Dim cmd As SqlCommand = New SqlCommand("Insert into [ordering].[dbo].[Customer] ([FirstName],[LastName]) values ('" + TextBox1.Text + "','" + TextBox2.Text + "')", con)
cmd.ExecuteNonQuery()
MsgBox("Records Successfully Added!", MsgBoxStyle.Information, "Add New Customer!")
TextBox1.Text = ""
TextBox2.Text = ""
End If
End Using
con.Close()
End If
Note: I added the usage of a parameterized query in the
SELECT *query. You should prefer parameterized queries to in-line SQL because it will protect your code from SQL Injection attacks. Never trust the data typed in by the user.
注意:我在查询中添加了参数化查询的用法
SELECT *。与内联 SQL 相比,您应该更喜欢参数化查询,因为它可以保护您的代码免受 SQL 注入攻击。永远不要相信用户输入的数据。
