如何使用存储过程从ASP.NET C#向SQL Server插入记录 [英] How to insert records using stored procedure from ASP.NET C# to SQL server

查看:51
本文介绍了如何使用存储过程从ASP.NET C#向SQL Server插入记录的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述



在我的页面中包含文本框,下拉列表和文件上传控件。

我使用存储过程插入记录,但我无法插入。请帮助我解决这个问题。



我的尝试:



< b>我的程序是:



ALTER程序[dbo]。[supsp]

(@Supplier_Id [nvarchar]( 50),@ Supplier_Company_Name [nvarchar](max),@ Supplier_Rep_Name [nvarchar](50),

@Address [nvarchar](max),@ State [nvarchar](50),@ City [ nvarchar](50),@ Pincode int,@ Contact_No int,

@Email_Id [nvarchar](max),@ License [nvarchar](max),@ Photo [nvarchar](max),@ Ac_Holder_Name [nvarchar](50),@ Ac_Number int,

@Ac_Type [nvarchar](50),@ Bank_Name [Nvarchar](50),@ Branch_Code int,@ Branch_Location [nvarchar](50) ,@ Ifsc_Code [nvarchar](50),

@Supplier_Joining_Date date,@ Supplier_History [nvarchar](50))

as

begin

插入供应商价值(@Supplier_Id, @ Supplier_Company_Name,@ Supplier_Rep_Name,@地址,@国家,@市@邮递区号,@ Contact_No,@ EMAIL_ID,@许可,@照片,@ Ac_Holder_Name,@ Ac_Number,@ Ac_Type,@ BANK_NAME,@ Branch_Code,@ Branch_Location,@ Ifsc_Code ,@ Supplier_Joining_Date,@ Supplier_History)

end





我的C#代码是:



protected void Button1_Click(object sender,EventArgs e)

{

SqlConnection con = new SqlConnection(Data Source = AERONIC_002- PC \\SQLEXPRESS; Initial Catalog = smarket; Integrated Security = True);



string st = Server.MapPath(Supplier files /);

if(licenseupld.HasFile)

{

试试

{



licenseupld.SaveAs(st + licenseupld.FileName);

photoupld.SaveAs(st + photoupld.FileName);

string d1 =〜/供应商文件/+ licenseupld.FileName;

string d2 =〜/ Supplier Files /+ photoupld.FileName;

// SqlCommand cmd = new SqlCommand(插入供应商值('+ sid.Text + ','+ scn.Text +','+ srn.Text +','+ addr.Text +','+ ddlsta.SelectedItem.Value +','+ ddlcit.SelectedItem .Value +','+ pncd.Text.ToString()+','+ scno.Text.ToString()+','+ email.Text +','+ d1 + ','+ d2 +','+ achn.Text +','+ acno.Text.ToString()+','+ ddlactype.SelectedItem.Value +','+ notb .Text +','+ bc.Text.ToString()+','+ bl.Text +','+ ifsc.Text +','+ sjd.Text +', '+ sh.Text +'),con);

//cmd.CommandType = CommandType.Text;

SqlCommand cmd = new SqlCommand(supsp ,con);

cmd.CommandType = CommandType.StoredProcedure;

cmd.Parameters.AddWithValue(@ Su pplier_Id,sid.Text);

cmd.Parameters.AddWithValue(@ Supplier_Company_Name,scn.Text);

cmd.Parameters.AddWithValue(@ Supplier_Rep_Name ,srn.Text);

cmd.Parameters.AddWithValue(@ Address,addr.Text);

cmd.Parameters.AddWithValue(@ state,ddlsta .Text);

cmd.Parameters.AddWithValue(@ City,ddlcit.Text);

cmd.Parameters.AddWithValue(@ Pincode,pncd.Text .ToString());

cmd.Parameters.AddWithValue(@ Contact_No,scno.Text.ToString());

cmd.Parameters.AddWithValue(@ Email_Id,email.Text);

cmd.Parameters.AddWithValue(@ License,d1);

cmd.Parameters.AddWithValue(@ Photo,d2 );

cmd.Parameters.AddWithValue(@ Ac_Holder_Name,achn.Text);

cmd.Parameters.AddWithValue(@ Ac_Number, acno.Text.ToString());

cmd.Parameters.AddWithValue(@ Ac_Type,ddlactype.Text);

cmd.Parameters.AddWithValue(@ Bank_Name ,notb.Text);

cmd.Parameters.AddWithValue(@ Branch_Code,bc.Text.ToString());

cmd.Parameters.AddWithValue( @Branch_Location,bl.Text);

cmd.Parameters.AddWithValue(@ Ifsc_Code,ifsc.Text);

cmd.Parameters.AddWithValue(@ Supplier_Joining_Date ,sjd.Text.ToString());

cmd.Parameters.AddWithValue(@ Supplier_History,sh.Text);

con.Open();

cmd.ExecuteNonQuery();

ScriptManager.RegisterStartupScript(this,this.GetType(),alert,alert('Registerfullyfully'); window.location = 'Supplier.aspx';,true);



// Label21.Visible = true;

//Label21.Text =成功插入;

con.Close();

// loadstores();

genarateautoid() ;

clearvalues();

// Page.Response.Redirect(Product.aspx);



}



catch(exception ex)

{

throw ex;



// StatusLabel.Text =上传状态:无法上传文件。发生以下错误:+ ex.Message;

}

}



}

解决方案

如果您的代码甚至不使用它们,您是否设置了参数?

该代码存在很多问题:

1)它对SQLInjection很开放:不要连接字符串来构建SQL命令。它会让您对意外或故意的SQL注入攻击敞开大门,这可能会破坏整个数据库。请使用参数化查询。

2)你提供了一堆参数,但你没有在INSERT语句中使用它们。

3)你已经编写了一个存储过程,但是你没有尝试使用它。

4)无论如何你的INSERT都不是特别安全 - 总是在INSERT语句中列出你要INSERT的列 - 这样,参数顺序或列定义的任何更改都不会破坏你的代码。

所以,总是使用

  INSERT   INTO  MyTable(ColumnName1,ColumnName2) VALUES   @ ParForCol1  @ ParForCol2



致电SP:

 使用(SqlCommand cmd =  new  SqlCommand(  MyStoredProcedure,con))
 {
 cmd.CommandType = CommandType.StoredProcedure; 
 cmd.Parameters.AddWithValue(  @ Name,tbTextBoxWithNameIn.Text); 
 cmd.ExecuteNonQuery(); 
}


您的过程中有些fieds是整数。但传递的值是字符串。

例如:INT中的密码并且您正在传递



cmd.Parameters.AddWithValue(" @ Pincode",pncd.Text.ToString());



请检查您的数据类型...



我正在粘贴一个示例代码,这将使您的代码变得简单:





sql程序:



创建过程insert_data(@ val1 varchar(50),@ val2 varchar(50),@ val3 varchar(50))

as

insert into myTable(col1,col2,col3)值(@ val1,@ val2,@ val3)





公共类参数

{

public string val1 = {get; set;}

public string val2 = {get; set;}

public string val3 = {get; set;}

}



public void YourMethodOrEvent()

{

参数param = new parameters();

param.val1 = txt1.Text;

param.val2 = txt2.Text;

param.val3 = txt3.Text;

InsertData(param);

}



public void InsertData(参数参数)

{

connection();

SqlCommand cmd = new SqlCommand(" sp_insert_data",con);

cmd.CommandType = CommandType.StoredProcedure;

cmd.Parameters.Add(" @ val1",param.val1);

cmd.Parameters.Add(" @ val2",param.val2);

cmd.Parameters.Add(" @ val3",param.val3);

cmd.ExecuteNonQuery();

}

Hi,
In my page contains textboxes,dropdown and file upload controls.
I am using stored procedure for inserting record,but i cannot insert.Please help me to resolve this problem.

What I have tried:

My procedure is:

ALTER procedure [dbo].[supsp]
(@Supplier_Id [nvarchar](50),@Supplier_Company_Name [nvarchar](max),@Supplier_Rep_Name [nvarchar](50),
@Address [nvarchar](max),@State [nvarchar](50),@City [nvarchar](50),@Pincode int,@Contact_No int,
@Email_Id [nvarchar](max),@License [nvarchar](max),@Photo [nvarchar](max),@Ac_Holder_Name [nvarchar](50),@Ac_Number int,
@Ac_Type [nvarchar](50),@Bank_Name [Nvarchar](50),@Branch_Code int,@Branch_Location [nvarchar](50),@Ifsc_Code [nvarchar](50),
@Supplier_Joining_Date date,@Supplier_History [nvarchar](50))
as
begin
insert into Supplier values(@Supplier_Id,@Supplier_Company_Name,@Supplier_Rep_Name,@Address,@State,@City,@Pincode,@Contact_No,@Email_Id,@License,@Photo,@Ac_Holder_Name,@Ac_Number,@Ac_Type,@Bank_Name,@Branch_Code,@Branch_Location,@Ifsc_Code,@Supplier_Joining_Date,@Supplier_History)
end


My C# code is:

protected void Button1_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection("Data Source=AERONIC_002-PC\\SQLEXPRESS;Initial Catalog=smarket;Integrated Security=True");

string st = Server.MapPath("Supplier files/");
if (licenseupld.HasFile)
{
try
{

licenseupld.SaveAs(st + licenseupld.FileName);
photoupld.SaveAs(st + photoupld.FileName);
string d1 = "~/Supplier Files/" + licenseupld.FileName;
string d2 = "~/Supplier Files/" + photoupld.FileName;
// SqlCommand cmd = new SqlCommand("insert into Supplier values('" + sid.Text + "','" + scn.Text + "','" + srn.Text + "','" + addr.Text + "','" + ddlsta.SelectedItem.Value+ "','" + ddlcit.SelectedItem.Value + "','" + pncd.Text.ToString() + "','" + scno.Text.ToString() + "','" + email.Text + "','" + d1 + "','" + d2 + "','" + achn.Text + "','" + acno.Text.ToString() + "','" + ddlactype.SelectedItem.Value + "','" + notb.Text + "','" + bc.Text.ToString() + "','" + bl.Text + "','" + ifsc.Text + "','" + sjd.Text + "','" + sh.Text + "')", con);
//cmd.CommandType = CommandType.Text;
SqlCommand cmd = new SqlCommand("supsp", con);
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.AddWithValue("@Supplier_Id", sid.Text);
cmd.Parameters.AddWithValue("@Supplier_Company_Name", scn.Text);
cmd.Parameters.AddWithValue("@Supplier_Rep_Name", srn.Text);
cmd.Parameters.AddWithValue("@Address", addr.Text);
cmd.Parameters.AddWithValue("@State", ddlsta.Text);
cmd.Parameters.AddWithValue("@City", ddlcit.Text);
cmd.Parameters.AddWithValue("@Pincode", pncd.Text.ToString());
cmd.Parameters.AddWithValue("@Contact_No", scno.Text.ToString());
cmd.Parameters.AddWithValue("@Email_Id", email.Text);
cmd.Parameters.AddWithValue("@License", d1);
cmd.Parameters.AddWithValue("@Photo", d2);
cmd.Parameters.AddWithValue("@Ac_Holder_Name", achn.Text);
cmd.Parameters.AddWithValue("@Ac_Number", acno.Text.ToString());
cmd.Parameters.AddWithValue("@Ac_Type", ddlactype.Text);
cmd.Parameters.AddWithValue("@Bank_Name", notb.Text);
cmd.Parameters.AddWithValue("@Branch_Code", bc.Text.ToString());
cmd.Parameters.AddWithValue("@Branch_Location", bl.Text);
cmd.Parameters.AddWithValue("@Ifsc_Code", ifsc.Text);
cmd.Parameters.AddWithValue("@Supplier_Joining_Date", sjd.Text.ToString());
cmd.Parameters.AddWithValue("@Supplier_History", sh.Text);
con.Open();
cmd.ExecuteNonQuery();
ScriptManager.RegisterStartupScript(this, this.GetType(),"alert","alert('Register Successfully');window.location ='Supplier.aspx';",true);

// Label21.Visible = true;
//Label21.Text = "Inserted Successfully";
con.Close();
//loadstores();
genarateautoid();
clearvalues();
// Page.Response.Redirect("Product.aspx");

}

catch (Exception ex)
{
throw ex;

// StatusLabel.Text = "Upload status: The file could not be uploaded. The following error occured: " + ex.Message;
}
}

}

解决方案

hy are you setting up parameters if your code doesn't even use them?
That code has a lot of problems:
1) It's wide open to SQLInjection: Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
2) You supply a bunch of parameters, but you don't use them in the INSERT statement.
3) You have written a stored procedure, but you don't try and use it.
4) Neither of your INSERTs is particularly safe anyway - always list the columns you want to INSERT to in the INSERT statement - that way any change in the parameter order or column definition doesn't break your code.
So, always use

INSERT INTO MyTable (ColumnName1, ColumnName2) VALUES @ParForCol1, @ParForCol2


And to call the SP:

using (SqlCommand cmd = new SqlCommand("MyStoredProcedure", con))
    {
    cmd.CommandType = CommandType.StoredProcedure;
    cmd.Parameters.AddWithValue("@Name", tbTextBoxWithNameIn.Text);
    cmd.ExecuteNonQuery();
    }


Some of your fieds are integer in your procedure. But the passed values are string.
For Example : pincode in INT and you are passing

cmd.Parameters.AddWithValue("@Pincode", pncd.Text.ToString());

Please check your datatypes...

I am pasting a sample code which will make your codes simple :


sql procedure:

create procedure insert_data(@val1 varchar(50),@val2 varchar(50),@val3 varchar(50))
as
insert into myTable(col1,col2,col3)values(@val1,@val2,@val3)


public class parameters
{
public string val1={get;set;}
public string val2={get;set;}
public string val3={get;set;}
}

public void YourMethodOrEvent()
{
parameters param=new parameters();
param.val1=txt1.Text;
param.val2=txt2.Text;
param.val3=txt3.Text;
InsertData(param);
}

public void InsertData(parameters param)
{
connection();
SqlCommand cmd = new SqlCommand("sp_insert_data", con);
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.Add("@val1", param.val1);
cmd.Parameters.Add("@val2", param.val2);
cmd.Parameters.Add("@val3", param.val3);
cmd.ExecuteNonQuery();
}


这篇关于如何使用存储过程从ASP.NET C#向SQL Server插入记录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发语言最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆