Inserting and updating a DateTime in an SQL database

Str*_*hry 3 .net c# sql t-sql database

private void ButtonOk_Click(object sender, EventArgs e)
    {
        if (txtWedstrijdSchemaID.Text == "")
        {
            //Insert
            string SQL;
            SQL = "Insert into Wedstrijdschema (Team1, Team2, Datum)";
            SQL += " values (";
            SQL += "" + txtTeam1.Text + ",";
            SQL += "" + txtTeam2.Text + ",";
            SQL += "" + Convert.ToDateTime(txtDatum.Text) + "";
            SQL += ")";

            clDatabase.ExecuteCommand(SQL);
            vulLv();
        }
        else
        {
            //Update
            string SQL;
            SQL = "Update Wedstrijdschema SET ";
            SQL += "Team1 = " + txtTeam1.Text + ",";
            SQL += "Team2 = " + txtTeam2.Text + ",";
            SQL += "Datum = " + Convert.ToDateTime(txtDatum.Text) + "";
            SQL += " where SchemaId = " + zoek;

            clDatabase.ExecuteCommand(SQL);
            vulLv();
        }
        txtDatum.Enabled = txtTeam2.Enabled = txtTeam1.Enabled = false;
    }
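
This is what I currently have. Because of a try/catch it doesn't crash when I try it. If I comment out txtDatum.Text in the //Insert and the //Update it works (but it obviously enters NULL for Datum in the database). Does anyone maybe see where I'm going wrong?

Edit: regarding the use of parameters, we are required to use a three-tier system in which all SQL goes through one class, which is the only class allowed to do anything against the database. This is how commands are executed: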

public static bool ExecuteCommand(string SQLInstructie)
        {
            bool retour = true;
            SqlConnection Conn = new SqlConnection(clStam.Connstr);
            SqlCommand Cmd = new SqlCommand(SQLInstructie, Conn);

            try
            {
                Cmd.Connection.Open();
                Cmd.ExecuteNonQuery();
            }
            catch
            {
                retour = false;
            }
            finally
            {
                Conn.Close();
            }
            return retour;
        }

This works!! Thank you very much for your help:

private void ButtonOk_Click(object sender, EventArgs e)
        {
            if (txtWedstrijdSchemaID.Text == "")
            {
                //Insert

                string SQL;
                SQL = "Insert into Wedstrijdschema (Team1, Team2, Datum)";
                SQL += " values (";
                SQL += "" + txtTeam1.Text + ",";
                SQL += "" + txtTeam2.Text + ",";
                SQL += "'" + Convert.ToDateTime(txtDatum.Text) + "'";
                SQL += ")";
                Debug.WriteLine(SQL);
                clDatabase.ExecuteCommand(SQL);
                vulLv();
            }
            else
            {
                //Update
                string SQL;
                SQL = "Update Wedstrijdschema SET ";
                SQL += "Team1 = " + txtTeam1.Text + ",";
                SQL += "Team2 = " + txtTeam2.Text + ",";
                SQL += "Datum = '" + Convert.ToDateTime(txtDatum.Text) + "'";
                SQL += " where SchemaId = " + zoek;

                clDatabase.ExecuteCommand(SQL);
                vulLv();
            }
            txtDatum.Enabled = txtTeam2.Enabled = txtTeam1.Enabled = false;
        }

Edit: I promise to use parameterized SQL from now on!

Dar*_*ren 5

You are missing , from the INSERT and UPDATE statement commands.

The syntax for inserting data into the database is:

 INSERT INTO Table 
        (Column1, Column2, Column3) 
 VALUES
        ('Value 1', 'Value 2', 'Value3')

Besides that, you are vulnerable to SQL injection; use SQL parameterized queries to prevent this.

I would start by using a SqlCommand object.

SqlCommand cmd = new SqlCommand("INSERT INTO Wedstrijdschema (Team1, Team2, Datum) VALUES (@V1, @V2, @V3)");

cmd.Parameters.AddWithValue("@V1", txtTeam1.Text);
cmd.Parameters.AddWithValue("@V2", txtTeam2.Text);
cmd.Parameters.AddWithValue("@V3", Convert.ToDateTime(txtDatum.Text));

Then execute it using cmd.ExecuteNonQuery();

Also, I would make sure the value of txtDatum is correctly converted to the required date format.
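
The three-tier constraint from the question (all SQL goes through one database class) does not rule out parameters. The sketch below is an added example, not code from the question or the answer: the `ExecuteCommand` overload taking `SqlParameter[]`, the `InsertWedstrijd` helper, the connection string placeholder, and the integer type of Team1/Team2 are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;

public static class clDatabase
{
    // Assumption: placeholder standing in for clStam.Connstr from the question.
    private const string Connstr = "Server=PLACEHOLDER;Database=PLACEHOLDER;Integrated Security=true";

    // Hypothetical overload: the SQL text and the values travel separately,
    // so text typed into the form is never parsed as SQL.
    public static bool ExecuteCommand(string sql, params SqlParameter[] parameters)
    {
        using (var conn = new SqlConnection(Connstr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddRange(parameters);
            try
            {
                conn.Open();
                cmd.ExecuteNonQuery();
                return true;
            }
            catch (SqlException ex)
            {
                Debug.WriteLine(ex.Message); // keep the bool contract, but log the cause
                return false;
            }
        }
    }

    // Hypothetical helper. Assumption: Team1/Team2 are integer columns,
    // since the question inserts them without quotes.
    public static bool InsertWedstrijd(string team1Text, string team2Text, string datumText)
    {
        int team1, team2; DateTime datum;
        if (!int.TryParse(team1Text, out team1) || !int.TryParse(team2Text, out team2)
            || !DateTime.TryParse(datumText, out datum))
            return false; // reject malformed input before touching the database

        return ExecuteCommand(
            "INSERT INTO Wedstrijdschema (Team1, Team2, Datum) VALUES (@Team1, @Team2, @Datum)",
            new SqlParameter("@Team1", SqlDbType.Int) { Value = team1 },
            new SqlParameter("@Team2", SqlDbType.Int) { Value = team2 },
            new SqlParameter("@Datum", SqlDbType.DateTime) { Value = datum });
    }
}
```

Because the date is sent as a typed `DateTime` parameter, no quoting or culture-specific date string ever reaches the server.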