[英]How to insert data into SQL Server
我的編碼有什么問題? 我無法將數據插入 ms sql .. 我使用 C# 作為前端,使用 MS SQL 作為數據庫......
name = tbName.Text;
userId = tbStaffId.Text;
idDepart = int.Parse(cbDepart.SelectedValue.ToString());
string saveStaff = "INSERT into tbl_staff (staffName,userID,idDepartment) " +
" VALUES ('" + name + "', '" + userId +"', '" + idDepart + "');";
SqlCommand querySaveStaff = new SqlCommand(saveStaff);
try
{
querySaveStaff.ExecuteNonQuery();
}
catch
{
//Error when save data
MessageBox.Show("Error to save on database");
openCon.Close();
Cursor = Cursors.Arrow;
}
您必須設置 Command 對象的 Connection 屬性並使用參數化查詢而不是硬編碼 SQL 來避免SQL Injection 。
using(SqlConnection openCon=new SqlConnection("your_connection_String"))
{
string saveStaff = "INSERT into tbl_staff (staffName,userID,idDepartment) VALUES (@staffName,@userID,@idDepartment)";
using(SqlCommand querySaveStaff = new SqlCommand(saveStaff))
{
querySaveStaff.Connection=openCon;
querySaveStaff.Parameters.Add("@staffName",SqlDbType.VarChar,30).Value=name;
.....
openCon.Open();
querySaveStaff.ExecuteNonQuery();
}
}
我認為您缺乏將Connection
對象傳遞給您的command
對象。 如果您為此使用command
和parameters
,那就更好了。
using (SqlConnection connection = new SqlConnection("ConnectionStringHere"))
{
using (SqlCommand command = new SqlCommand())
{
command.Connection = connection; // <== lacking
command.CommandType = CommandType.Text;
command.CommandText = "INSERT into tbl_staff (staffName, userID, idDepartment) VALUES (@staffName, @userID, @idDepart)";
command.Parameters.AddWithValue("@staffName", name);
command.Parameters.AddWithValue("@userID", userId);
command.Parameters.AddWithValue("@idDepart", idDepart);
try
{
connection.Open();
int recordsAffected = command.ExecuteNonQuery();
}
catch(SqlException)
{
// error here
}
finally
{
connection.Close();
}
}
}
string saveStaff = "INSERT into student (stud_id,stud_name) " + " VALUES ('" + SI+ "', '" + SN + "');";
cmd = new SqlCommand(saveStaff,con);
cmd.ExecuteNonQuery();
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.