tec*_*ora 2 c# sql oledb sql-insert
我需要一些关于如何更好地做到这一点的提示,我正在使用一个连接插入多个查询。
我知道这不是一个好的编程,特别是它很容易发生 SQL 注入,我还想提一下它不会在互联网上发布,只是在本地运行。
这是我到目前为止所拥有的..
public partial class Modify : System.Web.UI.Page
{
OleDbConnection connection;
OleDbCommand command;
public void OpenConnection2()
{
connection = new OleDbConnection("");
command = new OleDbCommand();
connection.Open();
}
protected void btnSave_Click1(object sender, EventArgs e)
{
if (AcctNumList.SelectedValue == "3")
{
string query2 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
('{0}','{1}','{2}','{3}','{4}','{5}')",
id, newguid, Name1TxtBox.Text.Replace("'", "''"), Amt1TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
string query3 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
('{0}','{1}','{2}','{3}','{4}','{5}')",
id, newguid, Name2TxtBox.Text.Replace("'", "''"), Amt2TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
string query4 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
('{0}','{1}','{2}','{3}','{4}','{5}')",
id, newguid, Name3TxtBox.Text.Replace("'", "''"), Amt3TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
OpenConnection2();
command.Connection = connection;
command.CommandText = query2;
int c = command.ExecuteNonQuery();
connection.Close();
}
if (AcctNumList.SelectedValue == "4")
{
string query2 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
('{0}','{1}','{2}','{3}','{4}','{5}')",
id, newguid, Name1TxtBox.Text.Replace("'", "''"), Amt1TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
string query3 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
('{0}','{1}','{2}','{3}','{4}','{5}')",
id, newguid, Name2TxtBox.Text.Replace("'", "''"), Amt2TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
string query4 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
('{0}','{1}','{2}','{3}','{4}','{5}')",
id, newguid, Name3TxtBox.Text.Replace("'", "''"), Amt3TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
string query5 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
('{0}','{1}','{2}','{3}','{4}','{5}')",
id, newguid, Name4TxtBox.Text.Replace("'", "''"), Amt4TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
OpenConnection2();
command.Connection = connection;
command.CommandText = query2;
int c = command.ExecuteNonQuery();
connection.Close();
}
您应该参数化您的查询 - ALWAYS,但现在您可以将这些查询连接起来;,然后执行一次,如下所示:
string allQueries = string.join(';', query2, query3, query4, query5);
command.CommandText = allQueries;
int c = command.ExecuteNonQuery();
当前您只执行一个查询。SQL中分号;标志着语句的结束,因此将这些语句组合起来;会使它们成为单独的语句,但它们将在一次执行中被执行。
kcray - 这对我有用。
string[] arr = { query2, query3 };
string allQueries = string.Join(";", arr);
command.CommandText = allQueries;
int c = command.ExecuteNonQuery();
| 归档时间: |
|
| 查看次数: |
22115 次 |
| 最近记录: |