Multiple Insert statements in one connection
Keywords: Insert, statement, connection, one | Updated: 2023-09-27 18:25:01
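I need some tips on how to do this better. I am inserting multiple queries using one connection.
I know this is not good programming, especially since it is very prone to SQL injection. I also want to mention that it will not be published on the internet, it only runs locally.
This is what I have so far..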
public partial class Modify : System.Web.UI.Page
{
    OleDbConnection connection;
    OleDbCommand command;
    public void OpenConnection2()
    {
        connection = new OleDbConnection("");
        command = new OleDbCommand();
        connection.Open();
    }
    protected void btnSave_Click1(object sender, EventArgs e)
    {
        if (AcctNumList.SelectedValue == "3")
        {
            string query2 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
                ('{0}','{1}','{2}','{3}','{4}','{5}')",
                id, newguid, Name1TxtBox.Text.Replace("'", "''"), Amt1TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
            string query3 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
                ('{0}','{1}','{2}','{3}','{4}','{5}')",
                id, newguid, Name2TxtBox.Text.Replace("'", "''"), Amt2TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
            string query4 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
                ('{0}','{1}','{2}','{3}','{4}','{5}')",
                id, newguid, Name3TxtBox.Text.Replace("'", "''"), Amt3TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
            OpenConnection2();
            command.Connection = connection;
            command.CommandText = query2;
            int c = command.ExecuteNonQuery();
            connection.Close();
        }
        if (AcctNumList.SelectedValue == "4")
        {
            string query2 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
                ('{0}','{1}','{2}','{3}','{4}','{5}')",
                id, newguid, Name1TxtBox.Text.Replace("'", "''"), Amt1TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
            string query3 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
                ('{0}','{1}','{2}','{3}','{4}','{5}')",
                id, newguid, Name2TxtBox.Text.Replace("'", "''"), Amt2TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
            string query4 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
                ('{0}','{1}','{2}','{3}','{4}','{5}')",
                id, newguid, Name3TxtBox.Text.Replace("'", "''"), Amt3TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
            string query5 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
                ('{0}','{1}','{2}','{3}','{4}','{5}')",
                id, newguid, Name4TxtBox.Text.Replace("'", "''"), Amt4TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
            OpenConnection2();
            command.Connection = connection;
            command.CommandText = query2;
            int c = command.ExecuteNonQuery();
            connection.Close();
        }
    }
}
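You should parameterize your queries - ALWAYS, but for now you can concatenate those queries with ; and then execute them once, like:
string allQueries = string.Join(";", query2, query3, query4, query5);
command.CommandText = allQueries;
int c = command.ExecuteNonQuery();
Currently you are executing only one query. The semicolon ; marks the end of a statement in SQL, so combining these statements with ; will make them separate statements, but they will be executed in a single execution.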
kcray - this is what worked for me.
string[] arr = { query2, query3 };
string allQueries = string.Join(";", arr);
command.CommandText = allQueries;
int c = command.ExecuteNonQuery();
You are executing only query2, not the query3 and query4 command text
OpenConnection2();
command.Connection = connection;
command.CommandText = query2;
int c = command.ExecuteNonQuery();
command.CommandText = query3;
c = command.ExecuteNonQuery();
command.CommandText = query4;
c = command.ExecuteNonQuery();
connection.Close();
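That said, even if you are not worried about SQL injection, you should still use parameters, because your code will be cleaner and you won't need to worry about parsing strings to replace quotes, preparing the correct string for datetime fields, and using the correct decimal point character for floating point values
Another optimization is through the using statement
In this case your OpenConnection2 should return the OleDbConnection created and opened, with no need for a global connection object (which is always a bad practice for file-based databases)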
public OleDbConnection OpenConnection2()
{
    OleDbConnection connection = new OleDbConnection("");
    connection.Open();
    return connection;
}
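Then in your code you will be able to use the using statement, which ensures the connection is properly closed and disposed when it is no longer needed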
using(OleDbConnection cn = OpenConnection2())
using(OleDbCommand command = new OleDbCommand())
{
    command.Connection = cn;
    command.CommandText = query2;
    int c = command.ExecuteNonQuery();
    command.CommandText = query3;
    c = command.ExecuteNonQuery();
    command.CommandText = query4;
    c = command.ExecuteNonQuery();
} // here the connection will be closed and disposed
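As a final note, if you are running these queries against an MS Access database, you need to execute them one by one, because multiple statements are not supported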
Union the SELECT statements together to insert multiple rows into the same table.
INSERT INTO dbo.Products (ID, [Name])
SELECT 1, 'Car'
UNION ALL
SELECT 2, 'Boat'
UNION ALL
SELECT 3, 'Bike'
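It is not possible to execute multiple queries in an OleDbCommand. You have two options here
- Make a stored procedure
- Call them one by one
Or, since you are inserting into only one table, in your case you can design your query like this (just an example)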
INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date)
SELECT 1,1, 'Value3',2,2,DateTime.Now.ToString()
UNION
SELECT 1,1, 'Value3',2,2,DateTime.Now.ToString()
UNION
SELECT 1,1, 'Value3',2,2,DateTime.Now.ToString()
UNION
SELECT 1,1, 'Value3',2,2,DateTime.Now.ToString()