3

我尝试将数据从我的网站构建在 vs 2008 中插入到 sql server 中。为此,我使用了按钮单击事件。我尝试了 youtube 中显示的代码,但代码不起作用。它在我的网站中显示错误。

.aspx.cs 文件中的代码是

public partial class _Default : System.Web.UI.Page 
{
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);

protected void Page_Load(object sender, EventArgs e)
{
    conn.Open();
}
protected void btnInsert_Click(object sender, EventArgs e)
{
    SqlCommand cmd = new SqlCommand("insert into Insert    values('"+txtCity.Text+"','"+txtFName.Text+"','"+txtLName.Text+"')",conn);
    cmd.ExecuteNonQuery();
    conn.Close();
    Label1.Visible =true;
    Label1.Text = "Your data inserted successfully";
    txtCity.Text = "";
    txtFName.Text = "";
    txtLName.Text = "";
}

} `

4

3 回答 3

11

好的,让我们稍微修正一下这段代码。你到了那里:

var cnnString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
var cmd = "insert into Insert values(@City,@FName,@LName)";
using (SqlConnection cnn = new SqlConnection(cnnString))
{
    using (SqlCommand cmd = new SqlCommand(cmd, cnn))
    {
        cmd.Parameters.AddWithValue("@City",txtCity.Text);
        cmd.Parameters.AddWithValue("@FName",txtFName.Text);
        cmd.Parameters.AddWithValue("@LName",txtLName.Text);

        cnn.Open();
        cmd.ExecuteNonQuery();
    }
}

关于修改后的代码有几点需要注意。

  • 它利用该using声明来确保正确处置资源。
  • 它被参数化以确保 SQL 注入是不可能的。
  • 它没有在任何地方存储连接对象,摆脱存储的连接。
于 2013-08-06T10:30:32.640 回答
0

**

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;
public partial class _Default : System.Web.UI.Page
{
    SqlConnection con = new SqlConnection("Data Source=.\\SQLEXPRESS;Initial Catalog=mrinmoynandy;User ID=**;Password=****");
    protected void Page_Load(object sender, EventArgs e)
    {
    }
    protected void SumbitBtn_Click(object sender, EventArgs e)
    {
        SqlCommand cmd = new SqlCommand("insert into streg(Name,Father,Mother,Dob,Sex,Category,Maritial,Vill,Po,Ps,Dist,State,Pin,Country) values (@name,@father,@mother,@dob,@sex,@category,@maritial,@vill,@po,@ps,@dist,@state,@pin,@country)", con);
        cmd.Parameters.AddWithValue(@"name", StNumTxt.Text);
        cmd.Parameters.AddWithValue(@"father", FatNumTxt.Text);
        cmd.Parameters.AddWithValue(@"mother", MotNumTxt.Text);
        cmd.Parameters.AddWithValue(@"dob", DobRdp.SelectedDate);
        cmd.Parameters.AddWithValue(@"sex", SexDdl.SelectedItem.Text);
        cmd.Parameters.AddWithValue(@"category", CategoryDdl.SelectedItem.Text);
        cmd.Parameters.AddWithValue(@"maritial", MaritialRbl.SelectedItem.Text);
        cmd.Parameters.AddWithValue(@"vill", VillTxt.Text);
        cmd.Parameters.AddWithValue(@"po", PoTxt.Text);
        cmd.Parameters.AddWithValue(@"ps", PsTxt.Text);
        cmd.Parameters.AddWithValue(@"dist", DistDdl.SelectedItem.Text);
        cmd.Parameters.AddWithValue(@"state", StateTxt.Text);
        cmd.Parameters.AddWithValue(@"pin", PinTxt.Text);
        cmd.Parameters.AddWithValue(@"country", CountryTxt.Text);
        con.Open();        
        con.Close();        
    }
}
Thanks
Mrinmoy Nandy
Phone No.: +91 9800451398

**

于 2015-12-30T12:58:37.730 回答
-2 
Creating procedure will avoid sql injection.

SQL

Create procedure insert
(@City,@FirstName,@LastName)
{
insert into tablename (City,FName,LName)
values(@City,@FirstName,@LastName)
}

C#

SqlConnection con=new sqlconnection("give ur connection string here");
sqlcommand cmd=new sqlcommand();
con.open();
cmd=new sqlcommand("insert",con);
cmd.commandtype=commandtype.storedprocedure;
cmd.parameters.addwithvalue("@City",txtCity.text);
cmd.parameters.addwithvalue("@FName",txtFName.text);
cmd.parameters.addwithvalue("@LNAme",txtLName.text);
cmd.ExecuteNonQuery();
con.close();
于 2013-08-06T11:01:20.030 回答