在VB6里的一条数据库更新语句:
update Ass_UserPass set username='" & txtName & "',department='" & cboBm.Text & "',UsFunction='" & cboLb.Text & "',pword='" & strPassStor & "' where user_id='" & lblId & "'
由于 strPassStor 是经加密运算得出,所以这种写法会有错误,因为产生的密码中会有特殊字符。
于是想用参数化查询的方式:
Set Cmd = New ADODB.Command
strSql = "update Ass_UserPass set username='" & txtName & "',department='" & cboBm.Text & "',UsFunction='" & cboLb.Text & "',pword=@Pword where user_id='" & lblId & "' "
With Cmd
.Prepared = False
.CommandText = strSql
.CommandType = adCmdText
.NamedParameters = True
.Parameters.Append .CreateParameter("@Pword", adVarChar, adParamInput, 32, strPassStor)
Set .ActiveConnection = cnErp
.Execute
End With
结果提示变量“@Pword ”未定义,试了好多次都不能解决参数化查询问题,网上也只有调用存储过程的例子。请问如何实现Sql语句中带参数的查询呢?谢谢!
update Ass_UserPass set username='" & txtName & "',department='" & cboBm.Text & "',UsFunction='" & cboLb.Text & "',pword='" & strPassStor & "' where user_id='" & lblId & "'
由于 strPassStor 是经加密运算得出,所以这种写法会有错误,因为产生的密码中会有特殊字符。
于是想用参数化查询的方式:
Set Cmd = New ADODB.Command
strSql = "update Ass_UserPass set username='" & txtName & "',department='" & cboBm.Text & "',UsFunction='" & cboLb.Text & "',pword=@Pword where user_id='" & lblId & "' "
With Cmd
.Prepared = False
.CommandText = strSql
.CommandType = adCmdText
.NamedParameters = True
.Parameters.Append .CreateParameter("@Pword", adVarChar, adParamInput, 32, strPassStor)
Set .ActiveConnection = cnErp
.Execute
End With
结果提示变量“@Pword ”未定义,试了好多次都不能解决参数化查询问题,网上也只有调用存储过程的例子。请问如何实现Sql语句中带参数的查询呢?谢谢!
本范例使用 Append 和 CreateParameter 方法执行具有输入参数的存储过程。'BeginAppendVB
'To integrate this code
'replace the data source and initial catalog values
'in the connection string
Public Sub Main()
On Error GoTo ErrorHandler
'recordset, command and connection variables
Dim Cnxn As ADODB.Connection
Dim cmdByRoyalty As ADODB.Command
Dim prmByRoyalty As ADODB.Parameter
Dim rstByRoyalty As ADODB.Recordset
Dim rstAuthors As ADODB.Recordset
Dim strCnxn As String
Dim strSQLAuthors As String
Dim strSQLByRoyalty As String
'record variables
Dim intRoyalty As Integer
Dim strAuthorID As String
' Open connection
Set Cnxn = New ADODB.Connection
strCnxn = "Provider='sqloledb';Data Source='MySqlServer';" & _
"Initial Catalog='Pubs';Integrated Security='SSPI';"
Cnxn.Open strCnxn
' Open command object with one parameter
Set cmdByRoyalty = New ADODB.Command
cmdByRoyalty.CommandText = "byroyalty"
cmdByRoyalty.CommandType = adCmdStoredProc
' Get parameter value and append parameter
intRoyalty = Trim(InputBox("Enter royalty:"))
Set prmByRoyalty = cmdByRoyalty.CreateParameter("percentage", adInteger, adParamInput)
cmdByRoyalty.Parameters.Append prmByRoyalty
prmByRoyalty.Value = intRoyalty
' Create recordset by executing the command
Set cmdByRoyalty.ActiveConnection = Cnxn
Set rstByRoyalty = cmdByRoyalty.Execute
' Open the Authors Table to get author names for display
' and set cursor client-side
Set rstAuthors = New ADODB.Recordset
strSQLAuthors = "Authors"
rstAuthors.Open strSQLAuthors, Cnxn, adUseClient, adLockOptimistic, adCmdTable
' Print recordset adding author names from Authors table
Debug.Print "Authors with " & intRoyalty & " percent royalty"
Do Until rstByRoyalty.EOF
strAuthorID = rstByRoyalty!au_id
Debug.Print " " & rstByRoyalty!au_id & ", ";
rstAuthors.Filter = "au_id = '" & strAuthorID & "'"
Debug.Print rstAuthors!au_fname & " " & rstAuthors!au_lname
rstByRoyalty.MoveNext
Loop
' clean up
rstByRoyalty.Close
rstAuthors.Close
Cnxn.Close
Set rstByRoyalty = Nothing
Set rstAuthors = Nothing
Set Cnxn = Nothing
Exit Sub
ErrorHandler:
' clean up
If Not rstByRoyalty Is Nothing Then
If rstByRoyalty.State = adStateOpen Then rstByRoyalty.Close
End If
Set rstByRoyalty = Nothing
If Not rstAuthors Is Nothing Then
If rstAuthors.State = adStateOpen Then rstAuthors.Close
End If
Set rstAuthors = Nothing
If Not Cnxn Is Nothing Then
If Cnxn.State = adStateOpen Then Cnxn.Close
End If
Set Cnxn = Nothing
If Err <> 0 Then
MsgBox Err.Source & "-->" & Err.Description, , "Error"
End If
End Sub
'EndAppendVB
窗体:
Private Sub Command3_Click()
Dim db As New AdoByCs
db.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & App.Path & "\db1.mdb" & ";Persist Security Info=False"
db.OpenDatabaseDim iAffectedRows
Dim iResult
Dim vData(1, 4)
vData(0, 0) = "Cs_ID"
vData(0, 1) = 3
vData(0, 2) = 4
vData(0, 3) = 1iResult = db.PrepareScalar("SELECT COUNT(*) FROM 表1 WHERE ID=@Cs_ID", vData)MsgBox "Rows: " & iResultdb.CloseDatabase
Set db = Nothing
End Sub'-----------------------------
'以下的建一个类,类名:AdoByCs
Option ExplicitPrivate connStr As String
Private conn As ADODB.Connection' 打开数据库连接
Sub OpenDatabase(Optional Mdb As String, Optional Pass As String)
Set conn = New ADODB.Connection
If connStr = "" Then
connStr = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Mdb '使打开的连接与Command对象关联 End If
conn.ConnectionString = connStr
conn.Open
End Sub' 关闭数据库连接
Sub CloseDatabase()
conn.Close
Set conn = Nothing
End Sub' 执行参数 INSERT/UPDATE/DELETE 查询
' -------------------------------------------------------------------------------------
' @Parameter vSql 将要执行的 SQL 语句。
' @Parameter iAffectedRows 返回查询所影响的行数。
' @Parameter vData 参数数组(二维)。
' -------------------------------------------------------------------------------------
Public Sub PrepareExecute(ByVal vSql As String, Optional ByRef iAffectedRows As Variant, Optional ByRef vData As Variant)
Dim oCommand As New ADODB.Command
Dim oParameter As Parameter
oCommand.ActiveConnection = conn
oCommand.Prepared = True
oCommand.CommandType = adCmdText
oCommand.CommandText = vSql
If Not IsMissing(vData) Then
Dim i As Integer
Dim size As Integer
size = UBound(vData, 1) - 1
For i = 0 To size Step 1
Set oParameter = oCommand.CreateParameter("@" & vData(i, 0), CInt(vData(i, 1)), adParamInput, CInt(vData(i, 2)), vData(i, 3))
oCommand.Parameters.Append oParameter
Next
End If
oCommand.Execute iAffectedRows
Set oCommand = Nothing
End Sub' 执行无参数 INSERT/UPDATE/DELETE 查询
' -------------------------------------------------------------------------------------
' @Parameter vSql 将要执行的 SQL 语句。
' @Parameter iAffectedRows 返回查询所影响的行数。
' -------------------------------------------------------------------------------------
Public Sub Exec(ByVal vSql As String, Optional ByRef iAffectedRows As Variant)
Dim oCommand As New ADODB.Command
oCommand.ActiveConnection = conn
oCommand.CommandType = adCmdText
oCommand.CommandText = vSql
oCommand.Execute iAffectedRows
Set oCommand = Nothing
End Sub' 执行统计查询
' -------------------------------------------------------------------------------------
' @Parameter vSql 将要执行的 SQL 语句。
' @Parameter vData 参数数组(二维)。
'
' @Return Integer 返回统计记录数。
' -------------------------------------------------------------------------------------
Public Function PrepareScalar(ByVal vSql As String, Optional ByRef vData As Variant)
Dim iResult As Integer
Dim oCommand As New ADODB.Command
Dim oResult As ADODB.Recordset
Dim oParameter
oCommand.ActiveConnection = conn
oCommand.Prepared = True
oCommand.CommandType = adCmdText
oCommand.CommandText = vSql
If Not IsMissing(vData) Then
Dim i As Integer
Dim size As Integer
size = UBound(vData, 1) - 1
For i = 0 To size Step 1
Set oParameter = oCommand.CreateParameter("@" & vData(i, 0), CInt(vData(i, 1)), adParamInput, CInt(vData(i, 2)), vData(i, 3))
oCommand.Parameters.Append oParameter
Next
End If
Set oResult = New ADODB.Recordset
oResult.Open oCommand, , adOpenForwardOnly, adLockReadOnly
If Not oResult.EOF Then
iResult = CInt(oResult.Fields(0).Value)
End If
oResult.Close
Set oResult = Nothing
Set oCommand = Nothing
PrepareScalar = iResult
End Function' 设置连接字符串
Public Property Let ConnectionString(ByVal vNewValue As String)
connStr = vNewValue
End Property
Dim CMD As ADODB.Command
Set CMD = New ADODB.Command
strSql = "update 表1 set 用户=@Pword"
With CMD
'.Prepared = False
'.CommandText = strSql
'.CommandType = adCmdText
'.NamedParameters = True
.Prepared = True
.CommandType = adCmdText
.CommandText = strSql
.Parameters.Append .CreateParameter("@Pword", adVarChar, adParamInput, 32, Text1)
Set .ActiveConnection = db.conn
.Execute
End With
'---------------------------------
db.CloseDatabase
Set db = Nothing
或
pword=' & @Pword & "..."
cmd.parameters.add(cmd.parameters.createparameter("@id",adint)
cmd.commandtext=='select * from tblTemp where id=@id"
...
Dim cn As ADODB.Connection
Dim cmd As ADODB.Command
Dim i As Long
Dim arr As Variant
Set cn = New ADODB.Connection
cn.Open "....."
Set cmd = New ADODB.Command
With cmd
.ActiveConnection = cn
.CommandType = adCmdText
.CommandText = "select * from tb where ID=? and Name=? "
arr = Array(12, "张三") '这种方法可以简单传递多个参数
For i = 0 To .Parameters.Count - 1
.Parameters(i).Value = arr(i)
Next
.Execute
End With
Set cmd = Nothing
Set cn = Nothing
如此参数化查询就这样简单,不但省去你程序中拼接sql的麻烦,而且高效安全...
是不是说update中的参数是不可以这样做的?因为我试过直接用
.Parameters(0).Value = "XXXXX"
这样是不行的,因为Parameters里面还没有一个元素呢,提示找不到项目
update tb set name=? where id=?
insert into tb(id,name) values(?,?)
要注意的是参数赋值必须和sql语句中的参数次序一致....
也不只适用于存储过程,access可以用关键字PARAMETERS指定参数化查询中的参数名称和类型...
不知道你什么数据库,不是所有数据引擎都支持Parameters的序列化...
你可以参考:http://blog.csdn.net/vbman2003/archive/2010/12/06/6057503.aspx
strSQL = "update Ass_UserPass set username='" & txtName & "',department='" & cboBm.Text & "',UsFunction='" & cboLb.Text & "',pword= '" & cmd.Parameters("@t").Value & "' where user_id='" & lblId & "' "
With cmd
.Prepared = False
.CommandType = adCmdText
.NamedParameters = True
.Parameters.Append .CreateParameter("@Pword", adVarChar, adParamInput, 32, strPassStor)
Set .ActiveConnection = cnErp
.CommandText = strSQL
.Execute
End With
arr = Array(12, "张三")
....
.Parameters(i).Value = arr(i)
而我是将一个实际的值给了参数
.Parameters(i).Value ="张三"
题诗大概就是说参数里元素个数为零,也就是Parameters.Count =0
你的这种用法对吗?
你仔细看我示例,包括cmd参数的设置...
唉,不想多说了,只能告诉你这个方法我现在正用着....回个贴觉得累,看来真老了...
我是用的ado2.8啊。不过确实在现在的工程里测试的直接赋值,而你是赋id和name两个值,并把它先放到array里。但在我这边确是不好用的,你说新建工程测,但那又会有何不同呢?Parameters没有Add,count不是0吗?
只不过当时我用的是cmd.Parameters(0),而你使用的是.Parameters("@t"),我倒真没这样用过。不过呢,不管能不能行,这种用法似乎不是正规的参数用法。
adParamOutput 不要传参数....