
I am trying to write an Oracle SQL query, executed from a C#/ASP.NET program, that inserts data into an Oracle DB. I am having trouble finding a C# method that will convert a string (user input from a form, in the format 11/11/2012) to match Oracle's date data type. I tried converting it with the Convert.ToDateTime(object) method, but without success.

Here is my code:

<%@ Page Language="C#" Debug="true" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.OleDb" %>
<script runat="server">

   void Page_Load(Object sender, EventArgs e) {

       // Get user's input from form fields
       var saleID = Convert.ToInt32(Request.Form["saleID_aspx"]);
       var custID = Convert.ToInt32(Request.Form["custID_aspx"]);
       var agentID = Convert.ToInt32(Request.Form["agentID_aspx"]);
       var saleDate = Convert.ToDateTime("11/11/2012"); //Originally Request.Form["saleDate_aspx"]
       var homeID = Convert.ToInt32(Request.Form["homeID_aspx"]);
       var actualAmount = Convert.ToInt32(Request.Form["actualAmount_aspx"]);
       var contractID = Convert.ToInt32(Request.Form["contractID_aspx"]);
       // saleDate is a DateTime; concatenating it calls ToString(), which yields an
       // unquoted, culture-dependent value such as 11/11/2012 12:00:00 AM in the SQL text
       var valueCommand = "VALUES(" + saleID + "," + custID + "," + agentID + "," + saleDate + "," + contractID + "," + homeID + "," + actualAmount + ")";
      // Declaration section
      OleDbConnection objDBConn;
      OleDbCommand    objCmd;
      OleDbCommand objCmdSelect;
      OleDbDataReader objDR;

      // Set up OLE DB Connection object
      objDBConn = new OleDbConnection("Provider=*****1;" +
                                      "User ID=********;" +
                                      "Password=*******;" +
                                      "Data Source=****");


      // Open DB connection
      objDBConn.Open();

      // Create OleDbCommand object with SQL to execute
      objCmd = new OleDbCommand("INSERT INTO Sale (saleID, cust_ID, agent_ID, saleDate, contractID, homeID, actualamount)" +
            valueCommand, objDBConn);


      // Create a DataReader and execute the command
      objDR = objCmd.ExecuteReader();

      // Copy results from DataReader to DataGrid object
      gridCusts.DataSource = objDR;
      gridCusts.DataBind();

      // Close all objects
      objDR.Close();
      objCmd.Dispose();

      ////////////////////////////////////////////////////////////
      // Create OleDbCommand object with SQL to execute
      objCmdSelect = new OleDbCommand("SELECT * " +
                                "  FROM Sale " +
                                " ORDER BY saleID", objDBConn);

      // Create a DataReader and execute the command
      objDR = objCmdSelect.ExecuteReader();

      // Copy results from DataReader to DataGrid object
      gridCusts.DataSource = objDR;
      gridCusts.DataBind();

      // Close all objects
      objDR.Close();
      objCmdSelect.Dispose();
      /////////////////////////////////////////////////////////// 
      objDBConn.Close();        
   }

</script>
<html>
<head>
<title>CUSTOMERS table</title>
<link href="bootstrap/css/bootstrap.css" type="text/css" rel="stylesheet">
</head>
<body>
    <div id="container">
        <h2>Oracle SALES table contents via C#.NET and OLE DB</h2>
        <div style="margin:0 auto; text-align:center;">
            <asp:DataGrid id="gridCusts" class='table' runat="server" />
        </div>
        <a href="index.html" target="_self" class="btn">Go Back</a>
    </div>
</body>
</html>
2 Answers

You can simply use the Oracle function to_date:

var valueCommand = "VALUES(" + saleID + "," + custID + "," + agentID + "," +
    " to_date('" + saleDate.ToString("MM/dd/yyyy") + "', 'mm/dd/yyyy')," +
    contractID + "," + homeID + "," + actualAmount + ")";

answered 2012-09-16T22:16:15.257
I see a number of problems in your code that cause the program to fail.

  1. Hard-coded SQL strings, which lead to type conversion, escaping and SQL injection problems. See: How To: Protect From SQL Injection in ASP.NET
  2. The choice of command method - When to use ExecuteNonQuery, ExecuteScalar and ExecuteReader? Call the ExecuteNonQuery() method to execute anything other than a SELECT.
  3. Incorrect handling of database resources. Use using blocks. (SO threads - What is the C# Using block and why should I use it? C# - Closing Sql objects best practice)

answered 2012-09-17T03:17:51.333
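The following is an added example, not code from either answer or from the original post. It shows what the two answers combine to: the date from the first answer is passed to Oracle as a real DATE value (bound as a parameter instead of spliced in through to_date()), and the three points from the second answer are applied (parameters instead of string concatenation, ExecuteNonQuery for the INSERT, using blocks for the connection and command). The table and column names come from the question; the SaleRepository and SalePage classes, the ConnStr connection-string name and the mapping of OleDbType.Date to Oracle DATE are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.OleDb;
using System.Globalization;
using System.Web.UI;

// Added example (not from the original post): the INSERT from the question rewritten
// with OLE DB parameters, ExecuteNonQuery and using blocks.
public static class SaleRepository
{
    // The form sends dates as "11/11/2012". Accept exactly that format, so a malformed
    // or locale-dependent string is rejected instead of silently re-interpreted.
    public static bool TryParseSaleDate(string input, out DateTime saleDate)
    {
        return DateTime.TryParseExact(
            (input ?? string.Empty).Trim(), "MM/dd/yyyy",
            CultureInfo.InvariantCulture, DateTimeStyles.None, out saleDate);
    }

    // Returns the number of rows inserted (1 on success).
    public static int InsertSale(string connectionString, int saleID, int custID, int agentID,
                                 DateTime saleDate, int contractID, int homeID, int actualAmount)
    {
        // OLE DB parameters are positional: each '?' is bound to the parameter added in
        // the same order below. No user value is ever part of the SQL text.
        const string sql =
            "INSERT INTO Sale (saleID, cust_ID, agent_ID, saleDate, contractID, homeID, actualamount) " +
            "VALUES (?, ?, ?, ?, ?, ?, ?)";

        using (var conn = new OleDbConnection(connectionString))
        using (var cmd = new OleDbCommand(sql, conn))
        {
            cmd.Parameters.Add("saleID", OleDbType.Integer).Value = saleID;
            cmd.Parameters.Add("custID", OleDbType.Integer).Value = custID;
            cmd.Parameters.Add("agentID", OleDbType.Integer).Value = agentID;
            // Bound as a DateTime, so the provider sends a DATE value: no to_date() and no
            // format string in the SQL. (OleDbType.Date -> Oracle DATE is assumed for the
            // provider in use; OleDbType.DBTimeStamp is the alternative if it is rejected.)
            cmd.Parameters.Add("saleDate", OleDbType.Date).Value = saleDate;
            cmd.Parameters.Add("contractID", OleDbType.Integer).Value = contractID;
            cmd.Parameters.Add("homeID", OleDbType.Integer).Value = homeID;
            cmd.Parameters.Add("actualAmount", OleDbType.Integer).Value = actualAmount;

            conn.Open();
            return cmd.ExecuteNonQuery(); // INSERT returns no rows, so not ExecuteReader
        }
        // connection and command are disposed here even if ExecuteNonQuery throws
    }
}

// How Page_Load would call it (hypothetical page; "ConnStr" is read from web.config
// instead of embedding the user ID and password in the page).
public partial class SalePage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack) return;

        int saleID, custID, agentID, contractID, homeID, actualAmount;
        DateTime saleDate;

        // Every field is validated before anything is sent to Oracle. Convert.ToInt32
        // would throw on bad input; TryParse turns it into a 400 instead.
        if (!(int.TryParse(Request.Form["saleID_aspx"], out saleID) &&
              int.TryParse(Request.Form["custID_aspx"], out custID) &&
              int.TryParse(Request.Form["agentID_aspx"], out agentID) &&
              SaleRepository.TryParseSaleDate(Request.Form["saleDate_aspx"], out saleDate) &&
              int.TryParse(Request.Form["contractID_aspx"], out contractID) &&
              int.TryParse(Request.Form["homeID_aspx"], out homeID) &&
              int.TryParse(Request.Form["actualAmount_aspx"], out actualAmount)))
        {
            Response.StatusCode = 400;
            return;
        }

        string connStr = ConfigurationManager.ConnectionStrings["ConnStr"].ConnectionString;
        SaleRepository.InsertSale(connStr, saleID, custID, agentID, saleDate,
                                  contractID, homeID, actualAmount);
    }
}
```

Two things worth noting against the first answer: wrapping the date in to_date() fixes the date column but leaves the six integer fields concatenated straight from Request.Form, so the statement is still injectable through any of them; and because the OLE DB provider formats the bound DateTime itself, the NLS date format of the session no longer matters. The OleDbParameter names above are only for readability; OLE DB binds by position.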