ali*_*gun 0 c# database sqlcommand executenonquery
大家好我有这个代码
cmd = new SqlCommand();
cmd.Connection = baglanti;
cmd.CommandText = "(musteriadi,musterisoyadi,gsm,email,sirketadi,Adres,Notlar) VALUES('" + txtMusteriAdi.Text.Trim() + "','" + txtMusteriSoyadi.Text.Trim() + "','" + txtGsm.Text.Trim() + "','" +txtEmail.Text.Trim() + "','" +txtSirketAdi.Text.Trim() + "','" +txtAdres.Text.Trim() + "','" +txtNotlar.Text.Trim() +"');";
baglanti.Open();
cmd.ExecuteNonQuery();
baglanti.Close();
我将cmd定义为a,public SqlCommmand并且在每次代码到达时cmd.ExecuteNonQuery()它都会抓住我能做什么.
因为你忘记INSERT INTO了陈述的一部分.喜欢;
INSERT INTO tableName(musteriadi,musterisoyadi,gsm,email,sirketadi,Adres,Notlar)
但更重要的是,您应该始终使用参数化查询.这种字符串连接对SQL注入攻击是开放的.
还可以使用using语句自动处理连接和命令,而不是Close手动调用方法.
using(var baglanti = new SqlConnnection(yourConnectionString))
using(var cmd = baglanti.CreateCommand())
{
cmd.CommandText = @"INSERT INTO tableName(musteriadi,musterisoyadi,gsm,email,sirketadi,Adres,Notlar)
VALUES(@ad, @soyad, @gsm, @email, @sirket, @adres, @notlar)";
// Add your parameters values with Add method considering their types and size.
baglanti.Open();
cmd.ExecuteNonQuery();
}
| 归档时间: |
|
| 查看次数: |
89 次 |
| 最近记录: |