我需要一些关于如何做得更好的提示,我使用一个连接插入多个查询。
我知道这是不好的编程,特别是它非常容易被sql注入,我也想提一下它不会出现在互联网上只是在本地运行。
这是我到目前为止所拥有的......
public partial class Modify : System.Web.UI.Page
{
OleDbConnection connection;
OleDbCommand command;
public void OpenConnection2()
{
connection = new OleDbConnection("");
command = new OleDbCommand();
connection.Open();
}
protected void btnSave_Click1(object sender, EventArgs e)
{
if (AcctNumList.SelectedValue == "3")
{
string query2 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
('{0}','{1}','{2}','{3}','{4}','{5}')",
id, newguid, Name1TxtBox.Text.Replace("'", "''"), Amt1TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
string query3 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
('{0}','{1}','{2}','{3}','{4}','{5}')",
id, newguid, Name2TxtBox.Text.Replace("'", "''"), Amt2TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
string query4 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
('{0}','{1}','{2}','{3}','{4}','{5}')",
id, newguid, Name3TxtBox.Text.Replace("'", "''"), Amt3TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
OpenConnection2();
command.Connection = connection;
command.CommandText = query2;
int c = command.ExecuteNonQuery();
connection.Close();
}
if (AcctNumList.SelectedValue == "4")
{
string query2 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
('{0}','{1}','{2}','{3}','{4}','{5}')",
id, newguid, Name1TxtBox.Text.Replace("'", "''"), Amt1TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
string query3 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
('{0}','{1}','{2}','{3}','{4}','{5}')",
id, newguid, Name2TxtBox.Text.Replace("'", "''"), Amt2TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
string query4 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
('{0}','{1}','{2}','{3}','{4}','{5}')",
id, newguid, Name3TxtBox.Text.Replace("'", "''"), Amt3TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
string query5 = String.Format(@"INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date) values
('{0}','{1}','{2}','{3}','{4}','{5}')",
id, newguid, Name4TxtBox.Text.Replace("'", "''"), Amt4TxtBox.Text.Replace("'", "''"), 3, DateTime.Now.ToString());
OpenConnection2();
command.Connection = connection;
command.CommandText = query2;
int c = command.ExecuteNonQuery();
connection.Close();
}
答案 0 :(得分:4)
您应该参数化您的查询 - 始终,但是现在您可以将这些查询与;
连接起来,然后执行一次,如:
string allQueries = string.join(';', query2, query3, query4, query5);
command.CommandText = allQueries;
int c = command.ExecuteNonQuery();
目前您只是执行一个查询。分号;
标记SQL中的语句结束,因此将这些语句与;
组合将使它们成为单独的语句,但它们将在一次执行下执行。
kcray - 这对我有用。
string[] arr = { query2, query3 };
string allQueries = string.Join(";", arr);
command.CommandText = allQueries;
int c = command.ExecuteNonQuery();
答案 1 :(得分:2)
您只执行query2而不是query3和query4命令文本
OpenConnection2();
command.Connection = connection;
command.CommandText = query2;
int c = command.ExecuteNonQuery();
command.CommandText = query3;
c = command.ExecuteNonQuery();
command.CommandText = query4;
c = command.ExecuteNonQuery();
connection.Close();
说这个,如果你不关心Sql Injection,你真的应该使用参数,因为你的代码会更清晰,你不需要担心解析字符串来替换引号,为datetime准备正确的字符串字段并使用正确的小数点字符表示浮点值
另一项优化是通过using statement 在这种情况下,您的OpenConnection2应该返回创建并打开的OleDbConnection,而不需要使用全局连接对象(对于基于文件的数据库也是一种不好的做法)
public OleDbConnection OpenConnection2()
{
OleDbConnection connection = new OleDbConnection("");
connection.Open();
return connection;
}
然后在您的代码中,您将能够使用using语句来确保正确关闭并在不再需要时处理连接
using(OleDbConnection cn = OpenConnection2())
using(OleDbCommand command = new OleDbCommand())
{
command.Connection = connection;
command.CommandText = query2;
int c = command.ExecuteNonQuery();
command.CommandText = query3;
c = command.ExecuteNonQuery();
command.CommandText = query4;
c = command.ExecuteNonQuery();
} // here the connection will be closed and disposed
最后一点,如果您正在针对MS Access数据库运行这些查询,那么您需要逐个执行它们,因为不支持多语句
答案 2 :(得分:0)
UNION你的SELECT语句一起在同一个表中插入多行。
INSERT INTO dbo.Products (ID, [Name])
SELECT 1, 'Car'
UNION ALL
SELECT 2, 'Boat'
UNION ALL
SELECT 3, 'Bike'
答案 3 :(得分:0)
无法在OledbCommand上执行多个查询。你有两个选择
OR 因为您只插入一个表,所以在您的情况下,您可以像这样设计您的查询(只是一个示例)
INSERT INTO ACH (rptid, tableid, name, amount, stat, create_date)
SELECT 1,1, 'Value3',2,2,DateTime.Now.ToString()
UNION
SELECT 1,1, 'Value3',2,2,DateTime.Now.ToString()
UNION
SELECT 1,1, 'Value3',2,2,DateTime.Now.ToString()
UNION
SELECT 1,1, 'Value3',2,2,DateTime.Now.ToString()