我需要一些关于如何更好地做到这一点的提示,我正在使用一个连接插入多个查询。
我知道这不是好的编程,尤其是它很容易发生 sql 注入,我还想提一下,它不会在互联网上出现,只是在本地运行。
这是我到目前为止所拥有的..
public partial class Modify : System.Web.UI.Page
{
OleDbConnection connection;
OleDbCommand command;
public void OpenConnection2()
{
connection = new OleDbConnection("");
command = new OleDbCommand();
connection.Open();
}
protected void btnSave_Click1(object sender, EventArgs e)
{
if (AcctNumList.SelectedValue == "3")
{
string query2 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
('{0}','{1}','{2}','{3}','{4}','{5}')",
id, newguid, Name1TxtBox.Text.Replace("'", "''"), Amt1TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
string query3 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
('{0}','{1}','{2}','{3}','{4}','{5}')",
id, newguid, Name2TxtBox.Text.Replace("'", "''"), Amt2TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
string query4 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
('{0}','{1}','{2}','{3}','{4}','{5}')",
id, newguid, Name3TxtBox.Text.Replace("'", "''"), Amt3TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
OpenConnection2();
command.Connection = connection;
command.CommandText = query2;
int c = command.ExecuteNonQuery();
connection.Close();
}
if (AcctNumList.SelectedValue == "4")
{
string query2 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
('{0}','{1}','{2}','{3}','{4}','{5}')",
id, newguid, Name1TxtBox.Text.Replace("'", "''"), Amt1TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
string query3 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
('{0}','{1}','{2}','{3}','{4}','{5}')",
id, newguid, Name2TxtBox.Text.Replace("'", "''"), Amt2TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
string query4 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
('{0}','{1}','{2}','{3}','{4}','{5}')",
id, newguid, Name3TxtBox.Text.Replace("'", "''"), Amt3TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
string query5 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
('{0}','{1}','{2}','{3}','{4}','{5}')",
id, newguid, Name4TxtBox.Text.Replace("'", "''"), Amt4TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
OpenConnection2();
command.Connection = connection;
command.CommandText = query2;
int c = command.ExecuteNonQuery();
connection.Close();
}