Multiple Insert statements in one connection

Time: 2013-07-25 19:35:22

Tags: c# sql oledb sql-insert

I need some tips on how to do this better; I am inserting multiple queries using one connection.

I know this is bad programming, especially since it is very vulnerable to SQL injection, and I also want to mention that it will not be on the internet, it only runs locally.

This is what I have so far...

using System;
using System.Data.OleDb;

public partial class Modify : System.Web.UI.Page
{
    OleDbConnection connection;
    OleDbCommand command;

    public void OpenConnection2()
    {
        connection = new OleDbConnection("");
        command = new OleDbCommand();
        connection.Open();
    }

    // id and newguid are fields of the page class that are not shown here
    protected void btnSave_Click1(object sender, EventArgs e)
    {
        if (AcctNumList.SelectedValue == "3")
        {
            string query2 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
                ('{0}','{1}','{2}','{3}','{4}','{5}')",
                id, newguid, Name1TxtBox.Text.Replace("'", "''"), Amt1TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
            string query3 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
                ('{0}','{1}','{2}','{3}','{4}','{5}')",
                id, newguid, Name2TxtBox.Text.Replace("'", "''"), Amt2TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
            string query4 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
                ('{0}','{1}','{2}','{3}','{4}','{5}')",
                id, newguid, Name3TxtBox.Text.Replace("'", "''"), Amt3TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
            OpenConnection2();
            command.Connection = connection;
            command.CommandText = query2;   // only query2 is executed; query3 and query4 are built but never run
            int c = command.ExecuteNonQuery();
            connection.Close();
        }
        if (AcctNumList.SelectedValue == "4")
        {
            string query2 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
                ('{0}','{1}','{2}','{3}','{4}','{5}')",
                id, newguid, Name1TxtBox.Text.Replace("'", "''"), Amt1TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
            string query3 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
                ('{0}','{1}','{2}','{3}','{4}','{5}')",
                id, newguid, Name2TxtBox.Text.Replace("'", "''"), Amt2TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
            string query4 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
                ('{0}','{1}','{2}','{3}','{4}','{5}')",
                id, newguid, Name3TxtBox.Text.Replace("'", "''"), Amt3TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
            string query5 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
                ('{0}','{1}','{2}','{3}','{4}','{5}')",
                id, newguid, Name4TxtBox.Text.Replace("'", "''"), Amt4TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
            OpenConnection2();
            command.Connection = connection;
            command.CommandText = query2;   // again only query2 is executed; query3, query4 and query5 never run
            int c = command.ExecuteNonQuery();
            connection.Close();
        }
    }
}

4 Answers:

Answer 0 (score: 4)

You should parameterize your queries - always - but for now you can join these queries with ; and execute them once, like:

string allQueries = string.Join(";", query2, query3, query4, query5);
command.CommandText = allQueries;
int c = command.ExecuteNonQuery();

Currently you are only executing one query. The semicolon ; marks the end of a statement in SQL, so combining these statements with ; makes them separate statements, but they will run under a single execution.

kcray - this worked for me.

string[] arr = { query2, query3 };
string allQueries = string.Join(";", arr);
command.CommandText = allQueries;
int c = command.ExecuteNonQuery();

Answer 1 (score: 2)

You are only executing query2, and not the query3 and query4 command texts

OpenConnection2();
command.Connection = connection;

command.CommandText = query2;
int c = command.ExecuteNonQuery();

command.CommandText = query3;
c = command.ExecuteNonQuery();

command.CommandText = query4;
c = command.ExecuteNonQuery();
connection.Close();

That said, if you don't care about SQL injection, you should still use parameters, because your code will be cleaner and you won't need to worry about parsing strings to replace quotes, preparing the correct string for datetime fields, or using the correct decimal separator character for floating-point values.

Another optimization is through the using statement. In this case your OpenConnection2 should return the created and opened OleDbConnection, with no need for a global connection object (which is also a bad practice for a file-based database)

public OleDbConnection OpenConnection2()
{
    OleDbConnection connection = new OleDbConnection("");
    connection.Open();
    return connection;
}

Then in your code you will be able to use the using statement to ensure the connection is properly closed and disposed when it is no longer needed

using(OleDbConnection cn = OpenConnection2())
using(OleDbCommand command = new OleDbCommand())
{
    command.Connection = cn;   // use the connection opened by the using statement
    command.CommandText = query2;
    int c = command.ExecuteNonQuery();

    command.CommandText = query3;
    c = command.ExecuteNonQuery();

    command.CommandText = query4;
    c = command.ExecuteNonQuery();
} // here the connection will be closed and disposed

A final note: if you are running these queries against an MS Access database, then you need to execute them one by one, because multiple statements are not supported
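The parameterized, one-statement-at-a-time form that this answer recommends, as an added example (not code from the question or from any of the answers): one reusable OleDbCommand with `?` placeholders, run for every row inside a transaction, so it also works against Access. The connection string, the `rptId`/`tableId` values and the OleDb column types are assumptions for the demo.

```csharp
using System;
using System.Data.OleDb;
// Added example: one reusable parameterized command runs all rows inside a
// transaction, so no textbox text is ever spliced into SQL and either every
// row is written or none is. Connection string, rptId/tableId and the column
// types (assumed to match the ACH table) are placeholders for this demo.
static class AchWriter
{
    // OleDb parameters are positional: the markers are '?' and the order in
    // which parameters are added must match the order of the markers.
    const string InsertSql =
        "INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) " +
        "VALUES (?, ?, ?, ?, ?, ?)";

    public static int InsertRows(string connectionString, int rptId, Guid tableId,
                                 (string Name, decimal Amount)[] rows, int stat)
    {
        using (var connection = new OleDbConnection(connectionString))
        {
            connection.Open();
            using (var tx = connection.BeginTransaction())
            using (var command = new OleDbCommand(InsertSql, connection, tx))
            {
                var pRpt    = command.Parameters.Add("rptid", OleDbType.Integer);
                var pTable  = command.Parameters.Add("tableid", OleDbType.VarWChar, 38);
                var pName   = command.Parameters.Add("name", OleDbType.VarWChar, 255);
                var pAmount = command.Parameters.Add("amount", OleDbType.Currency);
                var pStat   = command.Parameters.Add("stat", OleDbType.Integer);
                var pDate   = command.Parameters.Add("create_date", OleDbType.Date);
                int affected = 0;
                foreach (var row in rows)
                {
                    // Only the values change per row; a name such as O'Brien
                    // needs no Replace("'", "''") because it is sent as data.
                    pRpt.Value = rptId;
                    pTable.Value = tableId.ToString();
                    pName.Value = row.Name;
                    pAmount.Value = row.Amount;  // typed value, no string formatting
                    pStat.Value = stat;
                    pDate.Value = DateTime.Now;  // typed date, no ToString()
                    affected += command.ExecuteNonQuery();
                }
                tx.Commit(); // if an exception escapes, disposing tx rolls back
                return affected;
            }
        }
    }
}
```

At the call site, convert the Amt textbox strings with decimal.TryParse before calling InsertRows, so a malformed amount is rejected instead of being stored as text.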

Answer 2 (score: 0)

UNION your SELECT statements together to insert multiple rows into the same table.

INSERT INTO dbo.Products (ID, [Name])
SELECT 1, 'Car'
UNION ALL
SELECT 2, 'Boat'
UNION ALL
SELECT 3, 'Bike'

Answer 3 (score: 0)

You cannot execute multiple queries on an OleDbCommand. You have two options

  1. Make a stored procedure
  2. Call them one by one.
  3. OR, since you are only inserting into one table, in your case you can design your query like this (just an example)

    INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date)
    SELECT 1, 1, 'Value1', 2, 2, '2013-07-25 19:35:22'
    UNION ALL
    SELECT 1, 1, 'Value2', 2, 2, '2013-07-25 19:35:22'
    UNION ALL
    SELECT 1, 1, 'Value3', 2, 2, '2013-07-25 19:35:22'
    UNION ALL
    SELECT 1, 1, 'Value4', 2, 2, '2013-07-25 19:35:22'