我尝试使用stringbuilder使这个过程更简单,但它显示错误,我不明白问题是使用stringbuilder还是代码语法。
代码:
if (dataGridView4.RowCount == 0)
{
MessageBox.Show("Attendance form is empty");
}
else
{
//string att;
int a = dataGridView4.RowCount;
string[] s = new string[a];
for (int i = 0; i < a; i++)
{
if (dataGridView4.Rows[i].Cells[1].Selected)
{
s[i] = "Present";
}
else
{
s[i] = "Absent";
}
}
string[] s1 = new string[a];
for (int i = 0; i < a; i++)
{
s1[i] = dataGridView4.Rows[i].Cells[0].Value.ToString();
}
string date = dateTimePicker1.Value.ToString("dd-MM-yyyy");
StringBuilder command = new StringBuilder();
for (int i = 0; i < a; i++)
{
command.Append("INSERT into Attendance (att_date, emp_code, is_present) values ('" + date + "','" + s1[i] + "','" + s[i] + "')");
}
SqlCeConnection conn = new SqlCeConnection(@"Data Source=C:\Users\admin\documents\visual studio 2010\Projects\WindowsFormsApplication1\WindowsFormsApplication1\hotel.sdf");
conn.Open();
SqlCeCommand cmd = new SqlCeCommand(command.ToString(),conn);
cmd.ExecuteNonQuery();
MessageBox.Show("Attendance Added");
请帮我解决此错误,如果您有任何建议让上述代码更简单,请告诉我。
提前致谢!
答案 0 :(得分:0)
您需要使用参数来避免sql注入攻击,而且您不需要像日期时间参数那样转换为字符串..
using (SqlCeConnection con = new SqlCeConnection(strConn))
{
con.Open();
using (SqlCeCommand cmd = new SqlCeCommand("insert into Attendance (att_date, emp_code, is_present) values (@att_date, @emp_code, @is_present)", con))
{
cmd.Parameters.AddWithValue("@att_date", dateTimePicker1.Value);
cmd.Parameters.AddWithValue("@emp_code", emp_codeVal); //s1[i]
cmd.Parameters.AddWithValue("@is_present", is_presentVal); //s[i]
cmd.CommandType = System.Data.CommandType.Text;
cmd.ExecuteNonQuery();
}
}
如果要插入许多记录,请尝试使用SqlCeResultSet
,您可以检查该链接上给出的MSDN示例代码。
对于每个网格行,您可以执行以下操作
// this is only a sample you need to write for your table
SqlCeUpdatableRecord rec = rs.CreateRecord();
rec.SetInt32(0, 34);
rec.SetDecimal(1, (decimal)44.66);
rec.SetString(2, "Sample text");
rs.Insert(rec);