Imports System.Configuration
Imports System.Data.Common
'还需要在项目中添加对 System.Configuration 程序集的引用
app.config中配置连接字符串
<configuration>
<!-- Named connection strings; the Delete routine on this page looks up the "VideoGameStoreDb" entry via ConfigurationManager.ConnectionStrings. -->
<connectionStrings>
<!-- NOTE(review): both entries carry a SQL login and its password (User ID=sa;Password=sa) in plain text.
     "sa" is SQL Server's built-in sysadmin login, so any code using these strings runs with full server rights
     although the visible code only deletes rows from one table. Outside a throwaway demo, prefer a dedicated
     least-privilege login or Integrated Security, and keep the secret out of source control
     (for example by encrypting the connectionStrings section with Protected Configuration). -->
<!-- NOTE(review): Persist Security Info=True lets the password be read back from the connection's
     ConnectionString property after the connection has been opened; the provider default is False. -->
<add name="数据工厂测试.My.MySettings.Setting" connectionString="Data Source=wangli;Initial Catalog=VideoGames;Persist Security Info=True;User ID=sa;Password=sa"
providerName="System.Data.sqlClient" />
<!-- Same server, database and credentials as the entry above, under the name the code requests. -->
<add name ="VideoGameStoreDb" connectionString ="Data Source=wangli;Initial Catalog=VideoGames;Persist Security Info=True;User ID=sa;Password=sa"
providerName="System.Data.sqlClient"/>
</connectionStrings>
</configuration>
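''' <summary>
''' Data-access helper that talks to the database through the provider-independent
''' System.Data.Common types (DbProviderFactory, DbConnection, DbCommand, DbParameter),
''' so the concrete provider is chosen by the providerName of the configured connection string.
''' </summary>
Public Class ClsFactory

    ''' <summary>
    ''' Deletes the row of the customer table whose customerId equals <paramref name="pId"/>.
    ''' </summary>
    ''' <param name="pId">Value bound to the @id parameter of the DELETE statement.</param>
    ''' <exception cref="ConfigurationErrorsException">
    ''' The "VideoGameStoreDb" connection string is missing from the configuration file.
    ''' </exception>
    ''' <exception cref="ArgumentOutOfRangeException">
    ''' The statement affected no rows, i.e. no customer with that id was found.
    ''' </exception>
    Public Sub Delete(ByVal pId As Integer)
        ' Fetch the named connection string entry from the configuration file.
        Dim css As ConnectionStringSettings = ConfigurationManager.ConnectionStrings("VideoGameStoreDb")
        If css Is Nothing Then
            ' Without this guard a missing entry surfaces as a NullReferenceException
            ' on css.ProviderName, which hides the real cause (a configuration error).
            Throw New ConfigurationErrorsException("Connection string 'VideoGameStoreDb' is not configured.")
        End If

        ' Resolve the provider factory from the entry's providerName.
        Dim factory As DbProviderFactory = DbProviderFactories.GetFactory(css.ProviderName)

        ' Create the connection and run the command; both are disposed by Using,
        ' which also closes the connection when an exception is thrown.
        Using conn As DbConnection = factory.CreateConnection()
            conn.ConnectionString = css.ConnectionString

            Using cmd As DbCommand = factory.CreateCommand()
                cmd.Connection = conn
                cmd.CommandType = CommandType.Text
                ' The id is passed as a bound parameter, never concatenated into the SQL text,
                ' so the value is handled as data and cannot change the statement.
                cmd.CommandText = "delete from customer where customerId=@id"

                Dim paramID As DbParameter = factory.CreateParameter()
                paramID.ParameterName = "@id"
                paramID.Value = pId
                cmd.Parameters.Add(paramID)

                conn.Open()
                Dim count As Integer = cmd.ExecuteNonQuery()

                If count < 1 Then
                    ' paramName now matches the actual argument name (pId) instead of "id".
                    Throw New ArgumentOutOfRangeException("pId", "序号没有找到")
                End If
            End Using
        End Using
    End Sub

End Class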
'为了降低 SQL 注入攻击(SQL injection)的威胁,建议使用参数,而不要用字符串拼接来构造 SQL 语句。参数值是作为数据传给数据库的,不会被当作 SQL 文本解析;而拼接进去的恶意 SQL 代码则可能被执行。例如:操作者可能在某一字段中输入一个右引号,后面再跟上完整的 SQL 语句。由于该字符串会被追加到 SELECT 语句的后面,引号之后的语句便会执行。