使用asp.net中的类插入记录 [英] Insert record by using class in asp.net
本文介绍了使用asp.net中的类插入记录的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
嗨
任何人都可以告诉我,我是对的
我在asp.net 3.5开发了一个工资单软件
i使用sql 2005,我使用类来插入,更新,删除。代码是这样的
************
hi
Any one can tell me am i right or not
I developed a software of payroll in asp.net 3.5
i use sql 2005,i use class to insert,update,delete.Code is like that
************
public static SqlConnection con = new SqlConnection(@"Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Business_Medical.mdf;Integrated Security=True;User Instance=True");
public static string Qurrystring;
public static void Save(string Qurrystring)
{
con.Close();
con.Open();
SqlCommand cmd=new SqlCommand(Qurrystring,con);
cmd.ExecuteNonQuery();
cmd.Dispose();
con.Close();
}
public static void Modify(string Qurrystring)
{
con.Close();
con.Open();
SqlCommand cmd = new SqlCommand(Qurrystring, con);
cmd.ExecuteReader();
cmd.Dispose();
con.Close();
}
我希望在我的.aspx文件中插入任何记录
when i want to insert any record that time i do in my .aspx file
Main.Qurrystring = "INSERT INTO CityMaster(code,ename)VALUES("+Convert.ToInt16(txtcode.Text)+","+ txtename.Text +");
Main.Save(Main.Qurrystring);
这是开发动态网站的正确方法。
Is that right way to develop dynamic website.
推荐答案
对不起,但你的方法是错误的。为什么?听说过 SQLInjection [ ^ ]?如果没有,请阅读这些文章:
如何:防止ASP.NET中的SQL注入 [ ^ ]
在他们阻止你之前停止SQL注入攻击 [ ^ ]
我建议你使用存储过程。 />
有关详细信息,请参阅此处:无法打开sql服务器连接 [ ^ ]
Sorry, but you're doing it in wrong way. Why? Have ever heard about SQLInjection[^]? If not, please read these articles:
How To: Protect From SQL Injection in ASP.NET[^]
Stop SQL Injection Attacks Before They Stop You[^]
I would suggest you to use stored procedures.
For further information see here: could not open sql server connection[^]
使用此方法避免SQL注入
Use this method to avoid from SQL injection
public static void Save()
{
String Query=("INSERT INTO CityMaster(code,ename)VALUES(@code,@ename");
SqlConnection Connection=new SqlConnection("Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Business_Medical.mdf;Integrated Security=True;User Instance=True");
SqlCommand Command = new SqlCommand(Query, Connection);
Command.CommandTimeout = 30;
Command.CommandType = CommandType.Text;
Command.Parameters.AddWithValue("@code", txtcode.Text);//This is Parameter
Command.Parameters.AddWithValue("@ename", txtename.Text);
Command.ExecuteNonQuery();
Connection.Close();
}
谢谢但是如何使用存储过程以及为什么?你有任何示例项目链接吗?
thanks but how to use stored procedures and why? do u have any example project link?
这篇关于使用asp.net中的类插入记录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
