Is this db access code good or bad? [EN] this db access code is good or bad?

Views: 56

Problem description

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;

namespace RoadSideAsisstance
{
    public class dbAccess
    {
        string connS = "";
        public dbAccess()
        {

            connS = @"Data Source=.\SQLEXPRESS;Initial Catalog=RoadSide;Integrated Security=True";//ttt
        }
        //Data Source=tttt-PC\SQLEXPRESS;Initial Catalog=RoadSide;Integrated Security=True

        public bool UPDATE(string sql)
        {

            SqlConnection conn = new SqlConnection(connS);
            SqlCommand cmd = new SqlCommand(sql, conn);

            try
            {
                conn.Open();
                cmd.ExecuteNonQuery();
                return true;
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message);
                return false;
            }
            finally
            {

                conn.Close();
                cmd.Dispose();
                conn.Dispose();
            }
        }

        public DataTable SELECT(string sql)
        {

            SqlDataAdapter da = new SqlDataAdapter(sql, connS);
            DataTable dt = new DataTable("dt");

            try
            {
                da.Fill(dt);
                return dt;
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message);
                return null;
            }
            finally
            {

                da.Dispose();
                dt.Dispose();
            }
        }
    }
}

private void btnAdd_Click(object sender, EventArgs e)
{
    string sql = "INSERT INTO Area (AreaName,District_ID) VALUES ";
    sql += " ('" + txtArea.Text + "','" + lblDid.Text + "') ";

    //INSERT INTO RoadSide_Area (AreaName, District_ID) VALUES        ('""', 7)

    dbAccess objdb = new dbAccess();

    bool isoK = objdb.UPDATE(sql);

    if (isoK == true)
    {
        fillInfo();
        MessageBox.Show("insert is success");
    }
    else
    {
        MessageBox.Show("insert is not success");
    }
}

private void Area_Load(object sender, EventArgs e)
{
    fillDistricts();
    fillInfo();
}

private void cmbDistrict_SelectedIndexChanged(object sender, EventArgs e)
{
    ComboBox cmbDstrict = (ComboBox)sender;
    lblDid.Text = cmbDstrict.SelectedValue.ToString();
}

private void fillInfo()
{
    string sql = "SELECT Aid,AreaName,District_ID FROM Area";

    dbAccess objdb = new dbAccess();
    DataTable dt = objdb.SELECT(sql);

    grdArea.DataSource = dt;
}

public void fillDistricts()
{
    string sql = "SELECT DistrictsName,Did FROM Districts ";
    dbAccess obj = new dbAccess();

    // execute the above query on the database
    DataTable dt = obj.SELECT(sql);

    // map columns
    cmbDistrict.DisplayMember = dt.Columns["DistrictsName"].ToString();
    cmbDistrict.ValueMember = dt.Columns["Did"].ToString();

    // fill data
    cmbDistrict.DataSource = dt;
}

Recommended answer

There is no "good" or "bad" since we have no idea what this code is being used for.

If you're looking for a judgment on the fitness of this code for a high-throughput enterprise production system, overall, it sucks the ass of a 3-week dead rhinoceros. There's so much wrong with that code that it isn't salvageable. I wouldn't use that code in ANY production system.

However, if this is for teaching yourself how to use a DataGridView or some other data-bound control, it's perfectly serviceable.


Seriously, if I were you, I'd start by Googling for "SQL parameterized queries" and "SQL Injection Attack" and read up on why what you did to build the SQL query is so bad and what you can do about it.
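A parameterized rewrite of the INSERT from btnAdd_Click and the SELECT behind fillInfo, following the answer's advice; this is added example code, not code from the original post or the thread. It assumes the same Area table and column names from the question, and a caller that converts lblDid.Text to an int with int.TryParse before calling InsertArea.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

namespace RoadSideAsisstance
{
    // Hypothetical replacement for the string-building in btnAdd_Click.
    // The SQL text is a constant; user input travels as typed parameter
    // values, so a value containing a quote is stored literally instead of
    // changing the shape of the statement.
    public class AreaRepository
    {
        private readonly string connS;

        public AreaRepository(string connectionString)
        {
            connS = connectionString;
        }

        public bool InsertArea(string areaName, int districtId)
        {
            const string sql =
                "INSERT INTO Area (AreaName, District_ID) VALUES (@AreaName, @DistrictId)";

            // 'using' disposes the command and connection even if ExecuteNonQuery
            // throws, replacing the manual Close/Dispose in the original finally block.
            // Exceptions are left to the caller (the UI) to report, not swallowed here.
            using (var conn = new SqlConnection(connS))
            using (var cmd = new SqlCommand(sql, conn))
            {
                cmd.Parameters.Add("@AreaName", SqlDbType.NVarChar, 100).Value = areaName;
                cmd.Parameters.Add("@DistrictId", SqlDbType.Int).Value = districtId;

                conn.Open();
                return cmd.ExecuteNonQuery() == 1;
            }
        }

        public DataTable SelectAreasByDistrict(int districtId)
        {
            const string sql =
                "SELECT Aid, AreaName, District_ID FROM Area WHERE District_ID = @DistrictId";

            using (var da = new SqlDataAdapter(sql, connS))
            {
                da.SelectCommand.Parameters.Add("@DistrictId", SqlDbType.Int).Value = districtId;
                var dt = new DataTable("Area");
                da.Fill(dt);   // returned to the caller, so it is not disposed here
                return dt;
            }
        }
    }
}
```

Note that the original SELECT helper disposed the DataTable in its finally block before the caller could bind it; the version above returns it intact and disposes only the adapter.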

