如何在运行时将动态生成的文本框的数据插入数据库? [英] How to insert data of dynamically generated textbox into databae at runtime?
问题描述
我正在生成动态文本框,我有2张桌子:
1.动态
2. empdetail
这里empdetail是一个主表,动态生成的列插入到该表中,之后我还想将数据存储在数据库中。但问题是当我在数据库中保存动态文本框值时,该值将在数据库中插入null我无法看到动态文本框值...
请帮助我来解决我的问题。我的代码如下......我的动态TextBox id =TxtDynamic,问题出在Button3查询上。
I am generating dynamic textbox for that I have 2 tables:
1. dynamic
2. empdetail
Here empdetail is a master table and dynamically generated column is inserted in that table and after that I also want to store data in database. But the problem is when i save the dynamic textbox value in database, the value will be insert null in database i cant see the dynamic textbox value...
Pls help me to solve my problem. My code is below...... My Dynamic TextBox id is="TxtDynamic" and The problem is on Button3 query.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Data.Sql;
using System.Data;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Text;
using System.Drawing;
public partial class _Default : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
protected void Button1_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection();
con.ConnectionString = "Data Source=vaio\\sqlexpress;Initial Catalog=emp;User ID=sa;Password=administrator";
con.Open();
string query = "insert into empdetail (id,name) values (@id,@name)";
using (SqlCommand cmd = new SqlCommand(query, con))
{
cmd.Parameters.AddWithValue("@id", txtId.Text);
cmd.Parameters.AddWithValue("@name", txtName.Text);
txtId.Text = "";
txtName.Text = "";
cmd.ExecuteNonQuery();
}
con.Close();
}
static int i;
int j;
protected void Button2_Click(object sender, EventArgs e)
{
Button3.Visible = true;
i++;
for (j = 0; j <= i-1; j++)
{
Label lbl = new Label();
lbl.ID = "dlbl";
lbl.Text = TextBox1.Text;
Panel1.Controls.Add(lbl);
TextBox tb = new TextBox();
tb.ID = "TxtDynamic"+i;
Panel1.Controls.Add(tb);
}
SqlConnection con = new SqlConnection();
con.ConnectionString = "Data Source=vaio\\sqlexpress;Initial Catalog=emp;User ID=sa;Password=administrator";
string query = "insert into dynamic (controlname,size,datatype) values (@controlname,@size,@datatype)";
con.Open();
using (SqlCommand cmd = new SqlCommand(query, con))
{
cmd.Parameters.AddWithValue("@controlname", TextBox1.Text);
cmd.Parameters.AddWithValue("@size", TextBox2.Text);
cmd.Parameters.AddWithValue("@datatype", DropDownList1.SelectedValue);
TextBox2.Text = "";
// DropDownList1.SelectedValue = null;
cmd.ExecuteNonQuery();
}
string qry = "alter table empdetail add " +TextBox1.Text+ " " +DropDownList1.SelectedValue+ " null";
SqlCommand cd = new SqlCommand(qry, con);
cd.ExecuteNonQuery();
con.Close();
}
protected void RadioButton1_CheckedChanged(object sender, EventArgs e)
{
if (RadioButton1.Checked)
{
Label3.Visible = true;
Label4.Visible = true;
Label5.Visible = true;
TextBox1.Visible = true;
TextBox2.Visible = true;
DropDownList1.Visible = true;
Button2.Visible = true;
Button3.Visible = false;
}
else
{
Label3.Visible = false;
Label4.Visible = false;
Label5.Visible = false;
TextBox1.Visible = false;
TextBox2.Visible = false;
DropDownList1.Visible = false;
Button2.Visible = false;
Button3.Visible = false;
}
}
protected void Button3_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection();
con.ConnectionString = "Data Source=vaio\\sqlexpress;Initial Catalog=emp;User ID=sa;Password=administrator";
con.Open();
//TextBox tb = (TextBox)Panel1.FindControl("TxtDynamic" + i.ToString());
string query = "update empdetail set " + TextBox1.Text + " = '"+ Panel1.FindControl("TxtDynamic1" + i.ToString()) + "' where id=(select Max(id) from empdetail )";
SqlCommand cmd = new SqlCommand(query, con);
cmd.ExecuteNonQuery();
con.Close();
}
推荐答案
从一开始你的方法就错了。您永远不应该通过连接从UI获取的字符串来创建查询。相反,您需要使用参数化语句。请参阅: http://msdn.microsoft.com/en-us/library/ff648339.aspx [ ^ ]。
如果你这样做,你的应用程序完全容易受到众所周知的漏洞的攻击: SQL注入。用户可以在UI中编写任何内容,包括一些SQL片段。你明白了吗?具体方法如下: http://xkcd.com/327 [ ^ ]。
请查看我过去的答案:
EROR IN com.ExecuteNonQuery(); [ ^ ],
名称未显示在名称中? [ ^ ]。
-SA
Your approach is wrong from the very beginning. You should never create a query by concatenation of string taken from your UI. Instead, you need to use parametrized statements. Please see: http://msdn.microsoft.com/en-us/library/ff648339.aspx[^].
If you do it your way, you make your application totally vulnerable to a well-known exploit: SQL Injection. The user can write anything in the UI, including some SQL fragment. Are you getting the idea? This is how: http://xkcd.com/327[^].
Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();[^],
hi name is not displaying in name?[^].
—SA
这篇关于如何在运行时将动态生成的文本框的数据插入数据库?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!