按原样插入文本区域 [英] insert text area as it is

查看:63
本文介绍了按原样插入文本区域的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我无法将多行文本框插入数据库...我想按原样插入它

 SqlConnection con =  new  SqlConnection(ConfigurationManager.ConnectionStrings [  connection]。ConnectionString); 
 SqlCommand com =  new  SqlCommand(); 
 con.Open(); 
 com.Connection = con; 
  string  text = TextBox1.Text.ToString(); 
 
  string  cmd1 =  插入student_note([note])值( + text +  )其中student_id =' + Session [  student_id] +  '和course_id =' +会话[  course_id] +  '; 
 SqlCommand cmd1x =  new  SqlCommand(cmd1,con); 
 cmd1x.ExecuteNonQuery(); 
 table3.Visible =  false ; 
 table1.Visible =  true ;

解决方案

不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度,这可能会破坏您的整个数据库。请改用参数化查询。这也将解决你的问题......



<前lang =c#> 字符串 cmd1 = INSERT INTO student_note([note])VALUES(@NOTE)WHERE student_id = @ SID AND course_id = @ CID< /跨度>;
SqlCommand cmd1x = new SqlCommand(cmd1,con);
cmd1x.Parameters.AddWithValue( @ SID,会话[ student_id]);
cmd1x.Parameters.AddWithValue( @ CID,会话[ course_id]);
cmd1x.Parameters.AddWithValue( @ NOTE,TextBox1.Text);
cmd1x.ExecuteNonQuery();







[edit]

我必须睡着了!

你不要在INSERT语句中使用WHERE子句 - 它会添加一个新行,而不是过滤现有的行。您可以使用带有UPDATE的WHERE,但是如果要添加新行,则将上面的SQL更改为:

INSERT INTO student_note([note],student_id,course_id)VALUES(@NOTE, @SID,@ CID);

- OriginalGriff

[/ edit]

[edit2]忘了逗号:doh: - OriginalGriff [ / EDIT2]


i can''t insert multiline textbox into database...i want to insert it as it is 

SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["connection"].ConnectionString);
           SqlCommand com = new SqlCommand();
           con.Open();
           com.Connection = con;
           string text = TextBox1.Text.ToString();

           string cmd1 = "insert into student_note ([note]) values("+text+") where student_id='" + Session["student_id"] + "' and course_id='" + Session["course_id"] + "'";
           SqlCommand cmd1x = new SqlCommand(cmd1, con);
           cmd1x.ExecuteNonQuery();
           table3.Visible = false;
           table1.Visible = true;

解决方案

Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead. That will also solve your problem...

string cmd1 = "INSERT INTO student_note ([note]) VALUES(@NOTE) WHERE student_id=@SID AND course_id=@CID";
SqlCommand cmd1x = new SqlCommand(cmd1, con);
cmd1x.Parameters.AddWithValue("@SID", Session["student_id"]);
cmd1x.Parameters.AddWithValue("@CID", Session["course_id"]);
cmd1x.Parameters.AddWithValue("@NOTE", TextBox1.Text);
cmd1x.ExecuteNonQuery();




[edit]
I must be part asleep!
You don''t use a WHERE clause on an INSERT statement - it adds a new row, not filters existing ones. You could use a WHERE with an UPDATE, but if you want to add a new row then change your SQL above to:
INSERT INTO student_note ([note], student_id, course_id) VALUES(@NOTE, @SID, @CID)";
- OriginalGriff
[/edit]
[edit2]Forgot a comma :doh: - OriginalGriff[/edit2]


这篇关于按原样插入文本区域的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发语言最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆