在ms sql 2005中插入值 [英] to insert value in ms sql 2005
本文介绍了在ms sql 2005中插入值的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我已使用此代码在数据库中插入值,但是它不起作用....
谁能帮我!
I have used this code to insert value in the database , but it is not working....
can any one help me!!!!!
private void savbtn_Click(object sender, EventArgs e)
{
try
{
SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["WindowsFormsApplication1.Properties.Settings.schoolConnectionString"].ConnectionString);
con.Open();
SqlCommand com = new SqlCommand();
com.Connection = con;
com.CommandText = "insert into Registration values('" + textBox1.Text + "','" + maskedTextBox1.Text + "','" + maskedTextBox2.Text + "','" + textBox2.Text + "','" + textBox3.Text + "','" + textBox4.Text + "','" + textBox5.Text + "','" + textBox6.Text + "','" + textBox7.Text + "','" + maskedTextBox3.Text + "','" + textBox8.Text + "','" + textBox9.Text + "'," + textBox10.Text + ")";
com.ExecuteNonQuery();
MessageBox.Show("Record is saved");
autoNo();
maskedTextBox2.Clear();
textBox2.Clear();
textBox3.Clear();
textBox4.Clear();
textBox5.Clear();
textBox6.Clear();
textBox7.Clear();
maskedTextBox3.Clear();
textBox8.Clear();
textBox10.Clear();
}
catch
{
MessageBox.Show("error:");
}
}
推荐答案
首先,通过文本向SQL插入值并不安全. 最好改用 SqlParameter 类将值放入DB.
Hi first of all , it''s not safety to insert a value to SQL via text.
It would be better to use SqlParameter class instead, to put values to DB.
try
{
SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["WindowsFormsApplication1.Properties.Settings.schoolConnectionString"].ConnectionString);
con.Open();
SqlCommand com = new SqlCommand();
com.Connection = con;
com.CommandText = "insert into Registration(Name,Id) values(@p1,@p2 ...);
var p1=new SqlParameter("@p1", SqlDbType.VarChar);
p1.Value="Hello";
com.Parameters.Add(p1);
var p2=new SqlParameter("@p2", SqlDbType.Int);
p2.Value=78;
com.Parameters.Add(p2);
com.ExecuteNonQuery();
MessageBox.Show("Record is saved");
autoNo();
maskedTextBox2.Clear();
textBox2.Clear();
textBox3.Clear();
textBox4.Clear();
textBox5.Clear();
textBox6.Clear();
textBox7.Clear();
maskedTextBox3.Clear();
textBox8.Clear();
textBox10.Clear();
}
catch
{
MessageBox.Show("error:");
}
第二个想法,请在此处阅读有关ADO.NET的信息,它将对您有所帮助.
看看这些:
MSDN:ADO.NET [ MSDN:使用ADO.NET访问数据 [ ^ ]
此外,请在此处查找参数化查询及其用于避免SQL注入的用法(这很可能是您现在编码的方式!):
MSDN:配置参数和参数数据类型(ADO.NET) [ MSDN:DataAdapter参数(ADO.NET) [ MSDN:SqlCommand.Parameters属性 [
Second thought, read about ADO.NET here and it will help you.
Look at these:
MSDN: ADO.NET[^]
MSDN: Accessing Data with ADO.NET[^]
Further, look here for parameterized query and it''s usage to avoid SQL Injection (which is highly possible the way you have coded right now!):
MSDN: Configuring Parameters and Parameter Data Types (ADO.NET)[^]
MSDN: DataAdapter Parameters (ADO.NET)[^]
MSDN: SqlCommand.Parameters Property [^]
您没有在"+ textBox10.Text +"中提到",请放在"之内,例如"+"TextBox10.Text +"''
我认为它的工作
you r not mentioned '' '' in " + textBox10.Text + " please keep inside '' '' like '' " +textBox10.Text+"''
i think its work
这篇关于在ms sql 2005中插入值的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
