在使用MVC标准时,这是使用“控制器”的不好方法吗? [英] Is this a bad way to use the 'Controller' when using the MVC standard?
问题描述
我在下面的控制器方法中有一些业务逻辑。我仍在尝试理解MVC,我认为这可能是错误的。我在哪里将说明放在下面的方法中?
I''ve got some ''business logic'' in the controller method below. I am still trying to understand MVC and I think this is probably really wrong. Where would I put the instructions in the method below?
[HttpPost]
public ActionResult Create(FormCollection collection, Auction auction)
{
SqlCommand command = new SqlCommand("INSERT INTO auctions (title, description, start_date, finish_date) VALUES ('"+ auction.Title +"', '"+ auction.Description +"', GETDATE(), '" + auction.EndTime + "')", connection);
SqlDataAdapter da = new SqlDataAdapter(command);
DataSet ds = new DataSet();
connection.Open();
da.Fill(ds, "auctions");
connection.Close();
return View(auction);
}
拍卖模特类:
The Auction model class:
public class Auction
{
public long Id { get; set; }
public string Title { get; set; }
public string Description { get; set; }
public DateTime StartTime { get; set; }
public DateTime EndTime { get; set; }
public void StoreNewAuction()
{
//put the connect/store junk here instead and call function from controller instead?
}
}
我想我应该为Auctions模型添加一个名为StoreNewAuction的方法()执行所有连接并存储到数据库中。然后我会调用上面控制器中的方法。
I think I should add a method to the Auctions model called StoreNewAuction() that does all the connecting and storing into the database. Then I would call the method in the controller above.
推荐答案
等一下。在这段代码中,绝对不可接受的第一件事是你通过串联使用一些用户输入来组合一个SQL语句。
首先,重复的字符串连接是错误的,因为字符串是 immutable (您需要使用StringBuilder或字符串。格式,但在这种情况下,你不应该使用任何组合字符串 。这是非常危险的,因为它使应用程序打开一个众所周知的漏洞称为 SQL注入:
http://en.wikipedia .org / wiki / SQL_injection [ ^ ]。
本文还解释了您应该使用的内容:参数化语句。
有关详细信息,请参阅我之前的回答:你的名字没有显示名称? [ ^ ]。
保持安全,
-SA
Hold on. First thing which is absolutely unacceptable in this code is that you compose an SQL statement by concatenation of strings, using some user input via the UI.
First, repeated string concatenation is bad because a string is immutable (you would need to useStringBuilderorstring.Format, but in this case you should not use any composed string at all. This is extremely dangerous, because it makes the application open to a well-known exploit called SQL injection:
http://en.wikipedia.org/wiki/SQL_injection[^].
This article also explain what should you use instead: parametrized statements.
For further detail, please see my past answer: hi name is not displaying in name?[^].
Stay safe,
—SA
是的,你完全正确!
你的代码气味=)这是一个不好的风格控制器内有一些BL。
关注建议。
我可以建议你将你的想法分成不同的轮胎。
所以结果它可能是3层(BL,DAL和你的WEB)。
作为DAL的核心,将EF和Repository模式结合使用会很方便UnityOfWork。
因此它可能是这样的:
Yes you are completely right!
Your code smell =) This is a bad style to perform some BL inside your Controller.
As concerns advises.
I can recommend you to separate your idea to differ tires.
So as a result it might be 3 tiers (BL, DAL, and your WEB).
As a core of a DAL , it would be convenient to use EF and Repository pattern with conjunction of UnityOfWork.
So as a result it could be something like that:
[HttpPost]
public ActionResult Create(FormCollection collection, Auction auction)
{
BL.DVTire bl=new BL.DVTire();
if(bl.Validate(auction))
{
using(var uow=Dal.UnityOfWork())
{
using(var auctionRepo=Dal.RepoFactory.Create<Auction>(uow))
{
auctionRepo.Insert(auction);
uow.Commit();
}
}
}
}
</auction>
当然这不是一本圣经,你可能会选择另一种变体=)
但请考虑这个例子,比如起点=)
Of course this is not a bible, and you might choose another variant =)
But consider this example like starting point =)
这篇关于在使用MVC标准时,这是使用“控制器”的不好方法吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
