如何将数据插入到SQL服务器 [英] How to insert data into SQL Server

查看:139
本文介绍了如何将数据插入到SQL服务器的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

在什么我的编码问题?我不能插入数据,MS SQL ..我使用C#作为前端和MS SQL数据库作为... 

  NAME = tbName.Text;
用户id = tbStaffId.Text;
idDepart = int.Parse(cbDepart.SelectedValue.ToString());字符串saveStaff =INSERT INTO tbl_staff(staffName,用户ID,idDepartment)+
                   VALUES('+名字+,+用户id +,+ idDepart +');;的SqlCommand querySaveStaff =新的SqlCommand(saveStaff);尝试
{
querySaveStaff.ExecuteNonQuery();
}
抓住
{
//错误时保存数据的MessageBox.show(错误,以节省数据库);
openCon.Close();
光标= Cursors.Arrow;
}


解决方案

您必须设置Command对象的连接属性,并使用parametersized查询,而不是硬codeD SQL避免的 SQL注入

 使用(SqlConnection的openCon =新的SqlConnection(your_connection_String))
    {
      字符串saveStaff =INSERT INTO tbl_staff(staffName,用户ID,idDepartment)VALUES(@ staffName,@用户ID,@ idDepartment);      使用(的SqlCommand querySaveStaff =新的SqlCommand(saveStaff))
       {
         querySaveStaff.Connection = openCon;
         querySaveStaff.Parameters.Add(@ staffName,SqlDbType.VarChar,30).value的=名称;
         .....
         openCon.Open();
       }
     }

What the problem on my coding? I cannot insert data to ms sql.. I'm using C# as front end and MS SQL as databases...

name = tbName.Text;
userId = tbStaffId.Text;
idDepart = int.Parse(cbDepart.SelectedValue.ToString());

string saveStaff = "INSERT into tbl_staff (staffName,userID,idDepartment) " +
                   " VALUES ('" + name + "', '" + userId +"', '" + idDepart + "');";

SqlCommand querySaveStaff = new SqlCommand(saveStaff);

try
{
querySaveStaff.ExecuteNonQuery();
}
catch
{
//Error when save data

MessageBox.Show("Error to save on database");
openCon.Close();
Cursor = Cursors.Arrow;
}

解决方案

You have to set Connection property of Command object and use parametersized query instead of hardcoded SQL to avoid SQL Injection.

 using(SqlConnection openCon=new SqlConnection("your_connection_String"))
    {
      string saveStaff = "INSERT into tbl_staff (staffName,userID,idDepartment) VALUES (@staffName,@userID,@idDepartment)";

      using(SqlCommand querySaveStaff = new SqlCommand(saveStaff))
       {
         querySaveStaff.Connection=openCon;
         querySaveStaff.Parameters.Add("@staffName",SqlDbType.VarChar,30).Value=name;
         .....
         openCon.Open();


       }
     }

这篇关于如何将数据插入到SQL服务器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
C#/.NET最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆