Question
I got this code from this site and now I need to make some changes.
I know I acted foolishly here.
I searched a lot and got stuck here. I wanted to add 1 to the SQL table's @subject column where @name is the row. @subject and @name are changing. That is why parameters are used.
Dim sql As String = "UPDATE attendance.student SET @subject = @subject +1 WHERE S_name = @name;"
Dim conn As MySqlConnection
Try
    conn = New MySqlConnection(ConnectionString)
    Dim cmd As New MySqlCommand(sql, conn)
    cmd.Parameters.Add("@subject", MySqlDbType.VarString, 20).Value = TextBox4.Text
    cmd.Parameters.Add("@name", MySqlDbType.VarString, 50).Value = TextBox1.Text
Answer 1:
You must do this to get it running. But it must be clear this is vulnerable to SQL injection.
So you must check TextBox4.Text for valid content.
Dim sql As String = "UPDATE attendance.student SET `" & TextBox4.Text & "` = `" & TextBox4.Text & "` +1 WHERE S_name = @name;"
Dim conn As MySqlConnection
Try
    conn = New MySqlConnection(ConnectionString)
    Dim cmd As New MySqlCommand(sql, conn)
    cmd.Parameters.Add("@name", MySqlDbType.VarString, 50).Value = TextBox1.Text
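The check on TextBox4.Text that the answer calls for, written as an allow-list lookup. This is an added example, not part of the original answer; the column names in SubjectColumns and the helpers BuildIncrementSql and IncrementSubject are assumptions.

```vb
Imports System
Imports System.Collections.Generic
Imports MySql.Data.MySqlClient

Module AttendanceUpdate
    ' Assumed subject columns of attendance.student: user input -> real column name.
    Private ReadOnly SubjectColumns As New Dictionary(Of String, String)(StringComparer.OrdinalIgnoreCase) From {
        {"maths", "maths"},
        {"physics", "physics"},
        {"chemistry", "chemistry"}
    }

    ' Builds the UPDATE text for a known column, or throws for anything else.
    Function BuildIncrementSql(subject As String) As String
        Dim column As String = Nothing
        ' Identifiers cannot be bound as parameters, so only a value stored in the table is used.
        If Not SubjectColumns.TryGetValue(If(subject, String.Empty).Trim(), column) Then
            Throw New ArgumentException("Unknown subject column.")
        End If
        ' The text concatenated here comes from SubjectColumns, never from the text box.
        Return "UPDATE attendance.student SET `" & column & "` = `" & column & "` + 1 WHERE S_name = @name;"
    End Function

    ' Runs the update; the student name stays a bound parameter as in the answer.
    Function IncrementSubject(connectionString As String, subject As String, name As String) As Integer
        Using conn As New MySqlConnection(connectionString)
            Using cmd As New MySqlCommand(BuildIncrementSql(subject), conn)
                cmd.Parameters.Add("@name", MySqlDbType.VarString, 50).Value = name
                conn.Open()
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function

    Sub Main()
        ' Constructed inputs: one listed subject and one value that is not a listed column.
        For Each candidate As String In {"Physics", "maths` = 0, `physics"}
            Try
                Console.WriteLine(BuildIncrementSql(candidate))
            Catch ex As ArgumentException
                Console.WriteLine("Rejected: " & candidate)
            End Try
        Next
    End Sub
End Module
```

In the form, the call would be IncrementSubject(ConnectionString, TextBox4.Text, TextBox1.Text); a rejected subject throws before any connection is opened.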
Source: https://stackoverflow.com/questions/61969294/update-mysql-table-according-to-different-conditions