How to insert data of a dynamically generated textbox into a database at runtime?


Question


I am generating dynamic textboxes. For that I have 2 tables:

1. dynamic
2. empdetail

Here empdetail is a master table, and the dynamically generated column is inserted into that table; after that I also want to store the data in the database. But the problem is that when I save the dynamic textbox value in the database, the value inserted in the database is null; I can't see the dynamic textbox value...

Please help me solve my problem. My code is below... My dynamic TextBox id is "TxtDynamic", and the problem is in the Button3 query.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Data.Sql;
using System.Data;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Text;
using System.Drawing;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // The controls added in Button2_Click are not recreated here, so on the
        // next postback (the Button3 click) they no longer exist inside Panel1.
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        SqlConnection con = new SqlConnection();
        con.ConnectionString = "Data Source=vaio\\sqlexpress;Initial Catalog=emp;User ID=sa;Password=administrator";
        con.Open();
        string query = "insert into empdetail (id,name) values (@id,@name)";
        using (SqlCommand cmd = new SqlCommand(query, con))
        {
            cmd.Parameters.AddWithValue("@id", txtId.Text);
            cmd.Parameters.AddWithValue("@name", txtName.Text);

            txtId.Text = "";
            txtName.Text = "";
            cmd.ExecuteNonQuery();
        }
        con.Close();
    }

    static int i;
    int j;

    protected void Button2_Click(object sender, EventArgs e)
    {
        Button3.Visible = true;
        i++;
        for (j = 0; j <= i - 1; j++)
        {
            Label lbl = new Label();
            lbl.ID = "dlbl";                // same ID on every iteration
            lbl.Text = TextBox1.Text;
            Panel1.Controls.Add(lbl);
            TextBox tb = new TextBox();
            tb.ID = "TxtDynamic" + i;       // i, not j, so every textbox in the loop gets the same ID
            Panel1.Controls.Add(tb);
        }
        SqlConnection con = new SqlConnection();
        con.ConnectionString = "Data Source=vaio\\sqlexpress;Initial Catalog=emp;User ID=sa;Password=administrator";
        string query = "insert into dynamic (controlname,size,datatype) values (@controlname,@size,@datatype)";
        con.Open();
        using (SqlCommand cmd = new SqlCommand(query, con))
        {
            cmd.Parameters.AddWithValue("@controlname", TextBox1.Text);
            cmd.Parameters.AddWithValue("@size", TextBox2.Text);
            cmd.Parameters.AddWithValue("@datatype", DropDownList1.SelectedValue);

            TextBox2.Text = "";
            // DropDownList1.SelectedValue = null;
            cmd.ExecuteNonQuery();
        }
        // Column name and data type are concatenated straight from the UI into DDL.
        string qry = "alter table empdetail add " + TextBox1.Text + " " + DropDownList1.SelectedValue + " null";
        SqlCommand cd = new SqlCommand(qry, con);
        cd.ExecuteNonQuery();
        con.Close();
    }

    protected void RadioButton1_CheckedChanged(object sender, EventArgs e)
    {
        if (RadioButton1.Checked)
        {
            Label3.Visible = true;
            Label4.Visible = true;
            Label5.Visible = true;
            TextBox1.Visible = true;
            TextBox2.Visible = true;
            DropDownList1.Visible = true;
            Button2.Visible = true;
            Button3.Visible = false;
        }
        else
        {
            Label3.Visible = false;
            Label4.Visible = false;
            Label5.Visible = false;
            TextBox1.Visible = false;
            TextBox2.Visible = false;
            DropDownList1.Visible = false;
            Button2.Visible = false;
            Button3.Visible = false;
        }
    }

    protected void Button3_Click(object sender, EventArgs e)
    {
        SqlConnection con = new SqlConnection();
        con.ConnectionString = "Data Source=vaio\\sqlexpress;Initial Catalog=emp;User ID=sa;Password=administrator";
        con.Open();
        //TextBox tb = (TextBox)Panel1.FindControl("TxtDynamic" + i.ToString());

        // FindControl returns a Control (or null), not its Text: concatenating it
        // into the string yields the control's type name, or "" when it is null.
        string query = "update empdetail set " + TextBox1.Text + " = '" + Panel1.FindControl("TxtDynamic1" + i.ToString()) + "' where id=(select Max(id) from empdetail )";

        SqlCommand cmd = new SqlCommand(query, con);
        cmd.ExecuteNonQuery();
        con.Close();
    }
}

Answer

Your approach is wrong from the very beginning. You should never create a query by concatenation of strings taken from your UI. Instead, you need to use parameterized statements. Please see: http://msdn.microsoft.com/en-us/library/ff648339.aspx.

If you do it your way, you make your application totally vulnerable to a well-known exploit: SQL injection. The user can write anything in the UI, including some SQL fragment. Are you getting the idea? This is how: http://xkcd.com/327.

Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.

—SA
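A rewritten form of the Button3 update, added here as an example and not taken from the question or the answer: the value is passed as a SqlParameter, and the column name, which cannot be a parameter, is accepted only if it is a plain identifier that the application itself recorded in the dynamic table. The EmpDetailUpdater class, its method name and the connectionString argument are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Assumed helper, not part of the original page.
public static class EmpDetailUpdater
{
    // Plain SQL identifier only: letters, digits and underscore, no brackets or quotes.
    static readonly Regex Identifier = new Regex(@"^[A-Za-z_][A-Za-z0-9_]{0,127}$");

    // Updates the latest empdetail row, as Button3 does, but without string-built SQL.
    public static int UpdateLatestRow(string connectionString, string columnName, string value)
    {
        if (columnName == null || !Identifier.IsMatch(columnName))
            throw new ArgumentException("Not a valid column name", "columnName");

        using (SqlConnection con = new SqlConnection(connectionString))
        {
            con.Open();

            // A column name cannot be a parameter, so check it against the names this
            // application stored in the dynamic table when it added the column.
            using (SqlCommand check = new SqlCommand(
                "select count(*) from dynamic where controlname = @name", con))
            {
                check.Parameters.Add("@name", SqlDbType.NVarChar, 128).Value = columnName;
                if ((int)check.ExecuteScalar() == 0)
                    throw new ArgumentException("Unknown dynamic column", "columnName");
            }

            // The verified name is bracket-quoted; the value travels as a parameter,
            // so quotes or SQL fragments typed into the textbox remain data.
            string sql = "update empdetail set [" + columnName + "] = @value " +
                         "where id = (select max(id) from empdetail)";
            using (SqlCommand cmd = new SqlCommand(sql, con))
            {
                // Pass the textbox's Text; the control object itself would only
                // contribute its type name (or "" when FindControl returns null).
                cmd.Parameters.Add("@value", SqlDbType.NVarChar, 4000).Value =
                    (object)value ?? DBNull.Value;
                return cmd.ExecuteNonQuery();
            }
        }
    }
}
```

From Button3_Click it would be called with the Text of the dynamic TextBox, which the page must recreate with the same ID in Page_Load before FindControl can return it on the postback.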

