ASP.NET/VB.NET：生成插入命令

Question

I have all of my form variables in my codebehind, they were all retrieved using "Request.Form".

As Far as I Know..If I use the SQLDataSource to do this I have to use ASP.NET Controlls(which I do not want).

INSERT INTO Orders(FirstName, LastName, Email, PhoneNumber, Address, City, State, ZipCode, PaymentMethod, PromoCode, OrderStatus, Tracking, PPEmail, SubmissionDate) VALUES (@FirstName, @LastName, @Email, @Phone, @Address, @City, @State, 11111, @PaymentMethod', '0', 'New Order - Pending', '0', @PPEMAIL, @Date)

CodeBehind

    Dim fPrice As String = CType(Session.Item("Qprice"), String)
    Dim DeviceMake As String = CType(Session.Item("Make"), String)
    Dim PaymentMethod As String = Request.Form("Payment Type")
    Dim DeviceModel As String = CType(Session.Item("Model"), String)
    Dim DeviceCondition As String = CType(Session.Item("Condition"), String)
    Dim SubmissionDate As String = Date.Now.ToString
    Dim FirstName = Request.Form("First")
    Dim LastName = Request.Form("Last")
    Dim City = Request.Form("City")
    Dim Phone = Request.Form("Phone")
    Dim Address = Request.Form("Address")
    Dim State = Request.Form("State")
    Dim Zip = Request.Form("Zip")
    Dim Email = Request.Form("EMail")

Is there a way I can attatch my variables to the insert statment generated by the SQLDatasource, without having to manually code the parameters?

Answer 1

You could use FormParameter . This doesn't require any ASP.NET control so far I'm aware.

  <asp:sqldatasource
    id="SqlDataSource1"
    runat="server"
    connectionstring="<%$ ConnectionStrings:MyNorthwind %>"
    selectcommand="SELECT CompanyName,ShipperID FROM Shippers"
    insertcommand="INSERT INTO Shippers (CompanyName,Phone) VALUES (@CoName,@Phone)">
      <insertparameters>
        <asp:formparameter name="CoName" formfield="CompanyNameBox" />
        <asp:formparameter name="Phone"  formfield="PhoneBox" />
      </insertparameters>
  </asp:sqldatasource>

Pay special attention to Microsoft warning in relation to this mechanism

The FormParameter does not validate the value passed by the form element in any way; it uses the raw value. In most cases you can validate the value of the FormParameter before it is used by a data source control by handling an event, such as the Selecting, Updating, Inserting, or Deleting event exposed by the data source control you are using. If the value of the parameter does not pass your validation tests, you can cancel the data operation by setting the Cancel property of the associated CancelEventArgs class to true.

Answer 2

Its probably better that you forcibly attach the parameters. As you are getting your values from Form and Session (ick), parameterizing the SQL will give you some measure of protection.

You may want to explore code generation (A-la T4 ), this way you can point the codegen at a proc/table and it will generate the vb code to call it, attach the params and execute the statement.