为什么我们需要SqlCeCommand.Parameters.AddWithValue（）插入值？ [英] Why do we need SqlCeCommand.Parameters.AddWithValue() to Insert a value?

问题描述

我有一个使用SQL精简3.5作为其嵌入式数据库一个​​C＃WPF桌面应用程序。
在插入功能有

I have a C# WPF desktop application which uses SQL Compact 3.5 as its embedded database. In the insertion function it has

using (SqlCeCommand com = new SqlCeCommand(
    "INSERT INTO FooTable VALUES(@num)", con))
{
    com.Parameters.AddWithValue("@num", num);
    com.ExecuteNonQuery();
}

我没有得到什么com.Parameters.AddWithValue（）约为。我注释掉这行代码和插入功能运行完全一样。我想的ExecuteNonQuery进行插入，所以这是什么东西Parameters.AddWithValue？

I don't get what the com.Parameters.AddWithValue() is about. I commented out this line of code and the insertion function run exactly the same. I thought ExecuteNonQuery carries out the insertion, so what is this Parameters.AddWithValue thing?

推荐答案

@num 是一个TSQL的参数。如果没有 AddWithValue（@num，NUM）这既不是定义也没有赋值。它根本不会省略该参数工作，即使它：哪里会从让你选择的值（ NUM ）？绝对的的最的它可以做将是使用空这是不是你的意图;更典型它只会无法执行（你确定你是不是吞咽异常的地方？）。

@num is a TSQL parameter. Without AddWithValue(@num, num) this is neither defined nor assigned a value. It simply will not work with the parameter omitted, and even if it did: where would it get your chosen value (num) from? The absolute best it could do would be to use null which was not your intent; more typically it would simply fail to execute (are you sure you aren't swallowing an exception somewhere?).

请注意，并置值转换成字符串本身不建议;它会导致SQL注入风险，并且会降低性能。（计划的再利用;不知道这同样适用于行政长官，虽然 - CE很可能会与缓存计划打扰）

Note that concatenating the value into the string itself is not recommended; it would cause a SQL injection risk, and can reduce performance (plan re-use; not sure this applies to CE though - CE might very well not bother with cached plans).

这篇关于为什么我们需要SqlCeCommand.Parameters.AddWithValue（）插入值？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！