
I have 2 tables, like....

Here, the admin assigns subjects to faculty according to course and semester......

1] Assign_Subjects

Faculty_Id      varchar(20)     
Course_Id       varchar(20)     
Semester        varchar(20)     
Subject_Id      varchar(20)     
Subject_Name    varchar(50)     
Time            varchar(50)

INSERT INTO Assign_Subjects VALUES ('F1', 'BCA', '2', 'DS', 'Data Structure', '10-11')
INSERT INTO Assign_Subjects VALUES ('F1', 'BCA', '2', 'C', 'C Programming', '11-12')
INSERT INTO Assign_Subjects VALUES ('F1', 'BCA', '1', 'QB', 'Q Basic', '1-2')
INSERT INTO Assign_Subjects VALUES ('F2', 'BCA', '3', 'SS', 'System Structure', '10-11')
INSERT INTO Assign_Subjects VALUES ('F2', 'BCA', '3', 'AC', 'Accountancy', '11-12')

Here, faculty insert the marks for students

2] Exam_Result

Result_Id           int (Auto no and PK)
Enroll_Number       varchar(50)         Checked
Student_Name        varchar(100)        Checked
Course_Id           varchar(50)         Checked
Semester            varchar(50)         Checked
Subject_Id          varchar(50)         Checked
Subject_Name        varchar(50)         Checked
MarksObtained       numeric(18, 0)      Checked
Exam_Type           varchar(50)         Checked

Now my question is how to insert the marks for all the assigned subjects into Exam_Result on a single button click.

I'll give a rough idea of what I want....

In FillResult.aspx, I want all the subject names assigned by the admin, with textboxes (or any other possible way, like gridview/datalist etc.) to fill in the marks, and a button (onClick event)......

Note: the subjects are shown according to the assignment, not a fixed number of subjects; it could be 3 or 5 or more.

So, how could I do this......??

Through gridview, edit template or stored procedure????

All answers are welcome......


1 Answer


If you don't know the exact number of subjects for which the marks are to be entered - how are we supposed to generate the query to do it?

To always show you how to prevent SQL injection attacks, you put the SQL into a stored procedure:

CREATE PROCEDURE [dbo].[pr_GetAssignedSubjectsByFacultyIdAndSemester]
    @FacultyID int,
    @Semester nvarchar(MAX)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT [Faculty], [Subjects], [CreatedBy], [CreatedDate], [ModifiedBy], [ModifiedDate]
    FROM [dbo].[tblNotSure]
    WHERE [FacultyID] = @FacultyID
      AND [Semester] = @Semester
      AND [IsDeleted] = 0
END

Then in the code we call the stored procedure; note the parameterised command, which prevents SQL injection attacks. For example, suppose we type (or edit the element value with FireBug) 1 UNION SELECT * FROM Master.Users into the semester ddl/textbox - executing that as ad-hoc SQL could return the list of SQL user accounts, but passing it through a parameterised command avoids the problem:

using System.Configuration;
using System.Data;
using System.Data.SqlClient;

// aClassCollection and Class are placeholder types standing in for the caller's own model.
public static aClassCollection GetAssignedSubjectsByFacultyIdAndSemester(int facultyId, string semester)
{
    var newClassCollection = new aClassCollection();
    using (var connection = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlConn"].ConnectionString))
    {
        using (var command = new SqlCommand("pr_GetAssignedSubjectsByFacultyIdAndSemester", connection))
        {
            try
            {
                command.CommandType = CommandType.StoredProcedure;
                // The values travel as typed parameters; they are never concatenated into SQL text
                command.Parameters.AddWithValue("@facultyId", facultyId);
                command.Parameters.AddWithValue("@semester", semester);
                connection.Open();
                using (SqlDataReader dr = command.ExecuteReader())
                {
                    while (dr.Read())
                    {
                        // "vals" is a placeholder column; map the columns the procedure actually returns
                        newClassCollection.Add(new Class() { vals = dr["vals"].ToString() });
                    }
                }
            }
            catch (SqlException sqlEx)
            {
                // at the very least log the error
                throw;
            }
            finally
            {
                // This isn't needed as we're using the USING statement, which is deterministic
                // finalisation, but I put it here (in this answer) to explain the Using...
                connection.Close();
            }
        }
    }

    return newClassCollection;
}
answered 2012-05-02T06:42:43.683
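Applied to the question's "one button, N subjects" case, the following is an added example (not part of the answer above or the asker's project) of writing the marks into Exam_Result with the same parameterised approach, one row per assigned subject inside a single transaction. The SubjectMark class and the ResultWriter.InsertMarks method are hypothetical names chosen here; the column list and types come from the question's Exam_Result definition.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Hypothetical: one row of marks posted back from the page (one per assigned subject).
public class SubjectMark
{
    public string SubjectId { get; set; }
    public string SubjectName { get; set; }
    public decimal Marks { get; set; }
}

public static class ResultWriter
{
    // Inserts one Exam_Result row per assigned subject in a single transaction, so a
    // button click records every subject or nothing at all. Every value, including the
    // semester, is bound as a typed parameter, so input such as the answer's
    // "1 UNION SELECT ..." is stored as a plain string and never executed as SQL.
    public static int InsertMarks(string connectionString, string enrollNumber, string studentName,
        string courseId, string semester, string examType, IList<SubjectMark> marks)
    {
        const string sql = @"INSERT INTO Exam_Result
            (Enroll_Number, Student_Name, Course_Id, Semester, Subject_Id, Subject_Name, MarksObtained, Exam_Type)
            VALUES (@enroll, @student, @course, @semester, @subjectId, @subjectName, @marks, @examType)";
        int rows = 0;
        using (var connection = new SqlConnection(connectionString))
        {
            connection.Open();
            using (var tx = connection.BeginTransaction())
            using (var command = new SqlCommand(sql, connection, tx))
            {
                // Parameters that are the same for every row; sizes match the table definition
                command.Parameters.Add("@enroll", SqlDbType.VarChar, 50).Value = enrollNumber;
                command.Parameters.Add("@student", SqlDbType.VarChar, 100).Value = studentName;
                command.Parameters.Add("@course", SqlDbType.VarChar, 50).Value = courseId;
                command.Parameters.Add("@semester", SqlDbType.VarChar, 50).Value = semester;
                command.Parameters.Add("@examType", SqlDbType.VarChar, 50).Value = examType;
                // Per-row parameters are created once and only their values change in the loop
                SqlParameter subjectId = command.Parameters.Add("@subjectId", SqlDbType.VarChar, 50);
                SqlParameter subjectName = command.Parameters.Add("@subjectName", SqlDbType.VarChar, 50);
                SqlParameter marksParam = command.Parameters.Add("@marks", SqlDbType.Decimal);
                marksParam.Precision = 18;
                marksParam.Scale = 0;
                foreach (SubjectMark m in marks)
                {
                    subjectId.Value = m.SubjectId;
                    subjectName.Value = m.SubjectName;
                    marksParam.Value = m.Marks;
                    rows += command.ExecuteNonQuery();
                }
                tx.Commit(); // an exception before this point rolls back every row
            }
        }
        return rows;
    }
}
```

The list passed in is built from whatever the GridView (or repeater of textboxes) posted back, so the count of subjects does not need to be known in advance.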