我的代码:
// Get Connection String
string conn = WebConfigurationManager.ConnectionStrings["GraduatesConnectionString"].ToString();
// Create connection object
SqlConnection connection = new SqlConnection(conn);
SqlCommand command = connection.CreateCommand();
try
{
// Open the connection.
connection.Open();
// Execute the insert command.
command.CommandText = ("INSERT INTO PersonalInfo(Id,Name,LastName,ContactNumber, Address,Gender, Date_Of_Birth) VALUES(\'"
+ (this.txtID.Text + ("\',\'"
+ (this.txtName.Text + ("\',\'"
+ (this.txtLastName.Text + ("\',\'"
+ (this.txtContactNumber.Text + ("\',\'"
+ (this.txtAddress.Text + ("\',\'"
+ (this.gender + ("\',\'"
+ (this.txtDateofBirth.Text + ("\',\'"
)))));
command.ExecuteNonQuery();
}
finally
{
// Close the connection.
connection.Close();
}
答案 0 :(得分:4)
using (SqlConnection connection = new SqlConnection(connectionString))
using (SqlCommand command = connection.CreateCommand())
{
command.CommandText = "INSERT INTO PersonalInfo (Id, Name, LastName, ContactNumber, Address, Gender, Date_Of_Birth) VALUES (@Id, @Name, @LastName, @LastName, @Address, @Gender, @DateOfBirth)";
command.Parameters.AddWithValue("@Id", txtID.Text);
...
connection.Open();
command.ExecuteNonQuery();
}
答案 1 :(得分:3)
您在)
之后错过了结束txtDateofBirth
,因此您的陈述不完整。
但是请注意@podiluska的评论。这段代码很容易被滥用。假设我在txtDateofBirth
中输入类似以下内容的内容:
;DROP TABLE PersonalInfo;
然后您会收到如下查询:
INSERT INTO PersonalInfo(...)
VALUES (...);DROP TABLE PersonalInfo;
所以请使用@abatishchev所描述的参数化查询。
答案 2 :(得分:1)
我很想将您的代码更改为:
string conn = WebConfigurationManager.ConnectionStrings["GraduatesConnectionString"].ToString();
// Create connection object
using(SqlConnection connection = new SqlConnection(conn))
{
string queryText = "INSERT INTO PersonalInfo(Id,Name,LastName,ContactNumber, Address,Gender, Date_Of_Birth) VALUES(@id,@name,@lastName,@contactNumber, @address,@gender, @date_Of_Birth)";
using(SqlCommand command = new SqlCommand(queryText, connection))
{
try
{
// Open the connection.
connection.Open();
command.Parameters.AddWithValue("@id", this.txtID.Text);
command.Parameters.AddWithValue("@name", this.txtName.Text);
command.Parameters.AddWithValue("@lastName", this.txtLastName.Text);
command.Parameters.AddWithValue("@contactNumber", this.txtContactNumber.Text);
command.Parameters.AddWithValue("@address", this.txtAddress.Text);
command.Parameters.AddWithValue("@gender",this.gender );
command.Parameters.AddWithValue("@date_Of_Birth", this.txtDateofBirth.Text);
command.ExecuteReader();
}
finally
{
// Close the connection.
if(connection.State != ConnectionState.Closed)
connection.Close();
}
}
}