如何从前端将数据存储在数据库(sql 2005)中? [英] How can store data in database(sql 2005) from front end?

问题描述

亲爱的，

我有一个列名称为Amount(数据类型为money)的数据库.现在我需要从前端(.net-windows应用程序)向该列存储一些值.
请给我编码..

Dear,

I have a database with the column name Amount(datatype is money).Now i need to store some value to that column from front end(.net-windows application).
Kindly give me the coding..

con.Open();
SqlCommand cmd = new SqlCommand("insert into ebbill values(''"+txtName.Text+"'',''"+txtAmount.Text+"'')",con);
cmd.ExecuteNonQuery();
con.Close();
MessageBox.Show("Saved Successfully","Information",MessageBoxButtons.OK,MessageBoxIcon.Information);
load();

在这里，在插入查询中，我会插入名称和金额.在数据库中，我使用数据类型MONEY作为金额列.但是，我执行此行时，出现错误，我无法成功..所以请给我解决方案.

谢谢和问候

Viswanathan.M

Here in insert query i insert name and amount.In database i use datatype MONEY for amount column.But noe i execute this line ,i get error,i can''t succeed.. so pls give me the solution.

Thanks and regards

Viswanathan.M

推荐答案

不要那样做-连接字符串不是一个好主意，它可能导致各种问题，至少是一个问题.意外或故意的SQL注入攻击.
而是先将您的textBox解析为Decimal变量，然后使用Parameterized Query.此外，始终使用字段名称-如果不这样做，则数据库更改可能会导致各种问题:

Don''t do it that way - concatenating strings is a bad idea, it can lead to all sorts of problems, not the least being an accidental or deliberate SQL Injection attack.
Instead, Parse your textBox into a Decimal variable first, and then use Parameterised Query. In addition, allways name your fields - if you don''t then database changes can cause all sorts of problems:

Decimal amt;
if (Decimal.TryParse(txtAmount.Text, out amt))
    {
    con.Open();
    SqlCommand cmd = new SqlCommand("INSERT INTO ebbill (name, Amount) VALUES (@NM, @AM)", con);
    cmd.Parameters.AddWithValue("@NM", txtName.Text);
    cmd.Parameters.AddWithValue("@AM", amt);
    cmd.ExecuteNonQuery();
    con.Close();
    }

更改为该问题应该可以对您的问题进行排序，这很可能是这些问题的组合.

Changing to this should sort your problem, which is likely to be a combination of these problems.

您可以使用以下方法:

you can use this:

con.Open();
string txtname=txtName.Text;
double txtamount=Convert.ToDouble(txtAmount.Text);
SqlCommand cmd = new SqlCommand("insert into ebbill values(''"+txtname+"'',''"+txtamount+"'')",con);
cmd.ExecuteNonQuery();
con.Close();
MessageBox.Show("Saved Successfully","Information",MessageBoxButtons.OK,MessageBoxIcon.Information);
load();

希望这会有所帮助:)
但是请记住，始终使用参数化查询来避免sql注入攻击.
对于进一步的查询，请在这里评论！！！

hope this helps :)
But remember always use parametrized queries to avoid sql-injection attacks.
for further queries comment here!!

OriginalGriff为您提供了使用参数化查询来保存数据以删除sql注入的完美建议.除了他的回答，我仅向您推荐一些Standard MSDN.链接以获取更多详细信息.
在那里看看
SqlCommand.Parameters属性 [参数和参数数据类型 [

OriginalGriff gives you a perfect suggestion to use Parametrized query to save data to remove sql injection In addition to his answer I am just going to refer you some Standard MSDN links for getting more details.
Have a look there
SqlCommand.Parameters Property [^]
Parameters and Parameter Data Types[^]

这篇关于如何从前端将数据存储在数据库(sql 2005)中?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！