C# 在sql数据库表中插入新行

Question

提问by Victor Mukherjee

I have textBoxes in my application. The data entered in those textBoxes are to be inserted in the database. The commandString accepts string type only. So, how can I implement the insert statement?

我的应用程序中有文本框。在这些文本框中输入的数据将被插入到数据库中。commandString 只接受字符串类型。那么，如何实现插入语句呢？

string cmdString="INSERT INTO books (name,author,price) VALUES (//what to put in here?)"

Do I need to join the cmdString with textBox.Text for each value or is there a better alternative available?

对于每个值，我是否需要将 cmdString 与 textBox.Text 连接起来，还是有更好的替代方法？

Answer 1

采纳答案by John Woo

use Commandand Parameterto prevent from SQL Injection

使用Command和Parameter防止SQL Injection

// other codes
string cmdString="INSERT INTO books (name,author,price) VALUES (@val1, @va2, @val3)";
using (SqlCommand comm = new SqlCommand())
{
    comm.CommandString = cmdString;
    comm.Parameters.AddWithValue("@val1", txtbox1.Text);
    comm.Parameters.AddWithValue("@val2", txtbox2.Text);
    comm.Parameters.AddWithValue("@val3", txtbox3.Text);
    // other codes.
}

full code:

完整代码：

string cmdString="INSERT INTO books (name,author,price) VALUES (@val1, @va2, @val3)";
string connString = "your connection string";
using (SqlConnection conn = new SqlConnection(connString))
{
    using (SqlCommand comm = new SqlCommand())
    {
        comm.Connection = conn;
        comm.CommandString = cmdString;
        comm.Parameters.AddWithValue("@val1", txtbox1.Text);
        comm.Parameters.AddWithValue("@val2", txtbox2.Text);
        comm.Parameters.AddWithValue("@val3", txtbox3.Text);
        try
        {
            conn.Open();
            comm.ExecuteNonQuery();
        }
        Catch(SqlException e)
        {
            // do something with the exception
            // don't hide it
        }
    }
}

Answer 2

回答by Michael Viktor Starberg

You want to protect yourself from SQL Injection. Building up sql from strings is if not bad practice, at least very scary.

您想保护自己免受 SQL 注入。从字符串构建 sql 是一种不好的做法，至少非常可怕。

How To: Protect From SQL Injection in ASP.NET http://msdn.microsoft.com/en-us/library/ff648339.aspx

如何：防止 ASP.NET 中的 SQL 注入 http://msdn.microsoft.com/en-us/library/ff648339.aspx

50 ways to inject your sql http://www.youtube.com/watch?v=5pSsLnNJIa4

注入 sql 的 50 种方法 http://www.youtube.com/watch?v=5pSsLnNJIa4

Entity Framework http://msdn.microsoft.com/en-us/data/ef.aspx

实体框架 http://msdn.microsoft.com/en-us/data/ef.aspx

C# 在sql数据库表中插入新行

提问by Victor Mukherjee

采纳答案by John Woo

回答by Michael Viktor Starberg

相关推荐

最近更新

标签

C# 在sql数据库表中插入新行

提问by Victor Mukherjee

采纳答案by John Woo

回答by Michael Viktor Starberg

相关推荐

如何在 C# 中不显示 PrintDialog() 直接打印 rdlc 报告？

C# 如何初始化泛型参数类型T？

C# 在asp.net中从母版页到子页获取值

C# #if 预处理器指令，用于除 DEBUG 之外的指令

相关推荐

最近更新

标签