如何在asp.net网站的sqlserver中插入数据
本文关键字:sqlserver 插入 数据 网站 asp net | 更新日期: 2023-09-27 18:26:38
我试图从2008年的网站构建中将数据插入sql server。为此,我使用了按钮点击事件。我尝试了youtube中显示的代码,但代码不起作用。它在我的网站中显示了错误。
.aspx.cs文件中的代码是
public partial class _Default : System.Web.UI.Page
{
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
protected void Page_Load(object sender, EventArgs e)
{
conn.Open();
}
protected void btnInsert_Click(object sender, EventArgs e)
{
SqlCommand cmd = new SqlCommand("insert into Insert values('"+txtCity.Text+"','"+txtFName.Text+"','"+txtLName.Text+"')",conn);
cmd.ExecuteNonQuery();
conn.Close();
Label1.Visible =true;
Label1.Text = "Your data inserted successfully";
txtCity.Text = "";
txtFName.Text = "";
txtLName.Text = "";
}
}`
好吧,让我们稍微修正一下这段代码。你正在到达那里:
var cnnString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
var cmd = "insert into Insert values(@City,@FName,@LName)";
using (SqlConnection cnn = new SqlConnection(cnnString))
{
using (SqlCommand cmd = new SqlCommand(cmd, cnn))
{
cmd.Parameters.AddWithValue("@City",txtCity.Text);
cmd.Parameters.AddWithValue("@FName",txtFName.Text);
cmd.Parameters.AddWithValue("@LName",txtLName.Text);
cnn.Open();
cmd.ExecuteNonQuery();
}
}
关于修改后的代码,有几点需要注意。
- 它利用
using语句来确保资源得到适当的处理 - 它被参数化以确保SQL注入是不可能的
- 它不会在任何地方存储连接对象,去掉存储的连接
**
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;
public partial class _Default : System.Web.UI.Page
{
SqlConnection con = new SqlConnection("Data Source=.''SQLEXPRESS;Initial Catalog=mrinmoynandy;User ID=**;Password=****");
protected void Page_Load(object sender, EventArgs e)
{
}
protected void SumbitBtn_Click(object sender, EventArgs e)
{
SqlCommand cmd = new SqlCommand("insert into streg(Name,Father,Mother,Dob,Sex,Category,Maritial,Vill,Po,Ps,Dist,State,Pin,Country) values (@name,@father,@mother,@dob,@sex,@category,@maritial,@vill,@po,@ps,@dist,@state,@pin,@country)", con);
cmd.Parameters.AddWithValue(@"name", StNumTxt.Text);
cmd.Parameters.AddWithValue(@"father", FatNumTxt.Text);
cmd.Parameters.AddWithValue(@"mother", MotNumTxt.Text);
cmd.Parameters.AddWithValue(@"dob", DobRdp.SelectedDate);
cmd.Parameters.AddWithValue(@"sex", SexDdl.SelectedItem.Text);
cmd.Parameters.AddWithValue(@"category", CategoryDdl.SelectedItem.Text);
cmd.Parameters.AddWithValue(@"maritial", MaritialRbl.SelectedItem.Text);
cmd.Parameters.AddWithValue(@"vill", VillTxt.Text);
cmd.Parameters.AddWithValue(@"po", PoTxt.Text);
cmd.Parameters.AddWithValue(@"ps", PsTxt.Text);
cmd.Parameters.AddWithValue(@"dist", DistDdl.SelectedItem.Text);
cmd.Parameters.AddWithValue(@"state", StateTxt.Text);
cmd.Parameters.AddWithValue(@"pin", PinTxt.Text);
cmd.Parameters.AddWithValue(@"country", CountryTxt.Text);
con.Open();
con.Close();
}
}
Thanks
Mrinmoy Nandy
Phone No.: +91 9800451398
**
Creating procedure will avoid sql injection.
SQL
Create procedure insert
(@City,@FirstName,@LastName)
{
insert into tablename (City,FName,LName)
values(@City,@FirstName,@LastName)
}
C#
SqlConnection con=new sqlconnection("give ur connection string here");
sqlcommand cmd=new sqlcommand();
con.open();
cmd=new sqlcommand("insert",con);
cmd.commandtype=commandtype.storedprocedure;
cmd.parameters.addwithvalue("@City",txtCity.text);
cmd.parameters.addwithvalue("@FName",txtFName.text);
cmd.parameters.addwithvalue("@LNAme",txtLName.text);
cmd.ExecuteNonQuery();
con.close();