I have two tables......
Here, the admin assigns subjects to faculty according to course and semester....
1] Assign_Subjects
Faculty_Id varchar(20)
Course_Id varchar(20)
Semester varchar(20)
Subject_Id varchar(20)
Subject_Name varchar(50)
Time varchar(50)
INSERT INTO Assign_Subjects VALUES ('F1','BCA',2,'DS','Data Structure','10-11')
INSERT INTO Assign_Subjects VALUES ('F1','BCA',2,'C','C Programming','11-12')
INSERT INTO Assign_Subjects VALUES ('F1','BCA',1,'QB','Q Basic','1-2')
INSERT INTO Assign_Subjects VALUES ('F2','BCA',3,'SS','System Structure','10-11')
INSERT INTO Assign_Subjects VALUES ('F2','BCA',3,'AC','Accountancy','11-12')
Here the faculty enters marks for students.
2] Exam_Result
Result_Id int(Auto no and PK)
Enroll_Number varchar(50) Checked
Student_Name varchar(100) Checked
Course_Id varchar(50) Checked
Semester varchar(50) Checked
Subject_Id varchar(50) Checked
Subject_Name varchar(50) Checked
MarksObtained numeric(18, 0) Checked
Exam_Type varchar(50) Checked
Now my question is: how can I insert marks for all the assigned subjects into Exam_Result on a button click?
My overall idea of what I want is......
In FillResult.aspx, I want all the subject names assigned by the admin, each with a textbox (or any other possible way, like gridview / datalist etc.), and a button (onClick event) to fill in the marks......
Note: the subjects shown are not a fixed number of assigned subjects; it may be 3 or 5 or more
So, how can I do this..... ??
Through gridview, edit template or a stored procedure????
All help is most welcome.....
Answer 0: (score: 0)
If you are not sure of the exact number of subjects for which marks are to be entered, how should we generate the query to do this?
Nobody seems to have shown you how to prevent SQL injection attacks, so: you put your SQL into a stored procedure:
CREATE PROCEDURE [dbo].[pr_GetAssignedSubjectsByFacultyIdAndSemester]
    @FacultyID int,
    @Semester nvarchar(MAX)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT [Faculty], [Subjects], [CreatedBy], [CreatedDate], [ModifiedBy], [ModifiedDate]
    FROM [dbo].[tblNotSure]
    WHERE [FacultyID] = @FacultyID
      AND [Semester] = @Semester
      AND [IsDeleted] = 0
END
Then in code we call the stored procedure; note the parameterised command, which prevents SQL injection attacks. For example, if we entered 1 UNION SELECT * FROM Master.Users into the semester ddl / textbox (or edited the element value with FireBug), executing this as ad-hoc SQL could return a list of SQL user accounts, but passing it through a parameterised command avoids the problem:
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

// Placeholder types used by the answer, declared here so the snippet compiles as given.
public class Class { public string vals; }
public class aClassCollection : List<Class> { }

public static class SubjectRepository
{
    public static aClassCollection GetAssignedSubjectsByFacultyIdAndSemester(int facultyId, string semester)
    {
        var newClassCollection = new aClassCollection();
        using (var connection = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlConn"].ConnectionString))
        {
            using (var command = new SqlCommand("pr_GetAssignedSubjectsByFacultyIdAndSemester", connection))
            {
                try
                {
                    command.CommandType = CommandType.StoredProcedure;
                    // The values travel as typed parameters; they are never spliced into the SQL text.
                    command.Parameters.AddWithValue("@FacultyID", facultyId);
                    command.Parameters.AddWithValue("@Semester", semester);
                    connection.Open();
                    using (SqlDataReader dr = command.ExecuteReader())
                    {
                        while (dr.Read())
                        {
                            // The procedure selects [Faculty] and [Subjects]; read a column it actually returns.
                            newClassCollection.Add(new Class() { vals = dr["Subjects"].ToString() });
                        }
                    }
                }
                catch (SqlException sqlEx)
                {
                    //at the very least log the error
                    // Rethrow so the caller does not silently receive an empty collection.
                    throw;
                }
                finally
                {
                    //This isn't needed as we're using the USING statement which is deterministic finalisation, but I put it here (in this answer) to explain the Using...
                    connection.Close();
                }
            }
        }
        return newClassCollection;
    }
}
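As an added example (not code from the question or the answer), the same contrast in Python with sqlite3 standing in for SQL Server and ADO.NET: the Assign_Subjects rows from the question are loaded into an in-memory database alongside a constructed Users table, and the answer's UNION payload is sent once through a concatenated query and once through a parameterised one.

```python
import sqlite3

# Constructed sample data modelled on the question's Assign_Subjects inserts.
ASSIGNED_SUBJECTS = [
    ("F1", "BCA", "2", "DS", "Data Structure", "10-11"),
    ("F1", "BCA", "2", "C", "C Programming", "11-12"),
    ("F1", "BCA", "1", "QB", "Q Basic", "1-2"),
    ("F2", "BCA", "3", "SS", "System Structure", "10-11"),
    ("F2", "BCA", "3", "AC", "Accountancy", "11-12"),
]
# Constructed stand-in for the Master.Users table mentioned in the answer.
USERS = [("admin", "hash-of-admin-pw"), ("f1", "hash-of-f1-pw")]

# The answer's idea of a crafted semester value, adapted to the sample schema.
INJECTED_SEMESTER = "2' UNION SELECT Login, PasswordHash FROM Users --"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Assign_Subjects (Faculty_Id TEXT, Course_Id TEXT, "
                 "Semester TEXT, Subject_Id TEXT, Subject_Name TEXT, Time TEXT)")
    conn.executemany("INSERT INTO Assign_Subjects VALUES (?,?,?,?,?,?)", ASSIGNED_SUBJECTS)
    conn.execute("CREATE TABLE Users (Login TEXT, PasswordHash TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?,?)", USERS)
    return conn


def subjects_concatenated(conn, faculty_id, semester):
    # Ad-hoc SQL: the user-supplied value becomes part of the statement itself,
    # so a quote and a UNION in it change what the statement does.
    sql = ("SELECT Subject_Id, Subject_Name FROM Assign_Subjects WHERE Faculty_Id = '"
           + faculty_id + "' AND Semester = '" + semester + "' ORDER BY Subject_Id")
    return conn.execute(sql).fetchall()


def subjects_parameterized(conn, faculty_id, semester):
    # Parameterised: the statement shape is fixed and the driver binds the values,
    # so the same payload is just a semester string that matches no row.
    sql = ("SELECT Subject_Id, Subject_Name FROM Assign_Subjects "
           "WHERE Faculty_Id = ? AND Semester = ? ORDER BY Subject_Id")
    return conn.execute(sql, (faculty_id, semester)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("concatenated:", subjects_concatenated(db, "F1", INJECTED_SEMESTER))
    print("parameterised:", subjects_parameterized(db, "F1", INJECTED_SEMESTER))
```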