仍然是Asp.Net的完全初学者,谷歌搜索没有找到我预期的正确结果。如果已经有重复的问题,我道歉。
我遇到的问题是我在下面有一个可编辑的gridview:
<asp:GridView ID="gvCodes" runat="server" AutoGenerateColumns="False" DataKeyNames="Id" DataSourceID="CodesDataSource" CellPadding="3" Width="474px" BackColor="White" BorderColor="#CCCCCC" BorderStyle="None" BorderWidth="1px" OnRowDataBound="gvCodes_RowDataBound">
<Columns>
<asp:BoundField DataField="Id" HeaderText="Id" ReadOnly="True" Visible="false" InsertVisible="False" SortExpression="Id"></asp:BoundField>
<asp:BoundField DataField="Code" HeaderText="Code" ReadOnly="True" SortExpression="Code"></asp:BoundField>
<asp:BoundField DataField="Manager_Name" HeaderText="Manager Name" SortExpression="Manager_Name"></asp:BoundField>
<asp:BoundField DataField="Created_Date" HeaderText="Created Date" ReadOnly="True" SortExpression="Created_Date" DataFormatString="{0:MM/d/yyyy}"></asp:BoundField>
<asp:CommandField ShowEditButton="True"></asp:CommandField>
</Columns>
</asp:GridView>
这是我的SQLDataSource:
<asp:SqlDataSource runat="server" ID="CodesDataSource" DeleteCommand="DELETE FROM [Codes] WHERE [Id] = @Id" InsertCommand="INSERT INTO [Codes] ([Manager_Name]) VALUES (@Manager_Name, @Created_Date)" SelectCommand="SELECT * FROM [Codes] WHERE [ProjProjectID] = 'DynamicValue'" UpdateCommand="UPDATE [Codes] SET [Manager_Name] = @Manager_Name, [Created_Date] = GETDATE() WHERE [Id] = @Id AND [ProjProjectID] = 'DynamicValue'" OnSelected="CodesDataSource_Selected">
<DeleteParameters>
<asp:Parameter Name="Id" Type="Int32"></asp:Parameter>
</DeleteParameters>
<InsertParameters>
<asp:Parameter Name="Manager_Name" Type="String"></asp:Parameter>
<asp:Parameter DbType="Date" Name="Created_Date"></asp:Parameter>
</InsertParameters>
<UpdateParameters>
<asp:Parameter Name="Manager_Name" Type="String"></asp:Parameter>
<asp:Parameter DbType="Date" Name="Created_Date"></asp:Parameter>
<asp:Parameter Name="Id" Type="Int32"></asp:Parameter>
</UpdateParameters>
</asp:SqlDataSource>
我希望能够将SqlDataSource全部移动到BackEnd,至少是参数,以便我可以在其中更改projProjectID。这就是我的尝试:
projProjectID = Request.QueryString["ProjProjectID"].ToString();
private void LoadSqlDataSource()
{
CodesDataSource.ConnectionString = ba.connection;
CodesDataSource.SelectCommand = "SELECT * FROM Codes WHERE ProjProjectID = '" + projProjectID + "'";
CodesDataSource.UpdateCommand = "UPDATE Codes SET Manager_Name = @Manager_Name, Created_Date = GETDATE() WHERE Id = @Id AND ProjProjectID = '" + projProjectID + "'";
//CodesDataSource.UpdateParameters.Add("Manager_Name", TypeCode.String, ___);
//CodesDataSource.UpdateParameters.Add("Created_Date", TypeCode.String, ___);
//CodesDataSource.UpdateParameters.Add("Id", TypeCode.String, ___);
}
____是发生错误的地方。它期待一个字符串值。我不知道该怎么做是让用户在gridview中编辑的特定值进入___。我只需要Manager_Name就可以工作。
非常感谢
答案 0 :(得分:0)
在事件gvCodes_RowUpdating中,处理像这样更新的功能。
protected void gvCodes_RowUpdating(object sender, GridViewUpdateEventArgs e)
{
GridViewRow row = (GridViewRow)gvCodes.Rows[e.RowIndex];
TextBox textID = (TextBox)row.Cells[0].Controls[0];
TextBox textDate = (TextBox)row.Cells[0].Controls[0];
TextBox textManagerName = (TextBox)row.Cells[0].Controls[0];
CodesDataSource.ConnectionString = ba.connection;
CodesDataSource.SelectCommand = "SELECT * FROM Codes WHERE ProjProjectID = '" + projProjectID + "'";
CodesDataSource.UpdateCommand = "UPDATE Codes SET Manager_Name = @Manager_Name, Created_Date = GETDATE() WHERE Id = @Id AND ProjProjectID = '" + projProjectID + "'";
CodesDataSource.UpdateParameters.Add("Manager_Name", TypeCode.String, textManagerName.Text);
CodesDataSource.UpdateParameters.Add("Created_Date", TypeCode.String, textDate.Text);
CodesDataSource.UpdateParameters.Add("Id", TypeCode.String, textID.Text);
}
建议:
使用参数有助于防止 SQL注入攻击,因此您应该将所有参数包括在projProjectID之内。此外,您应该在后端使用SqlCommand而不是SqlDataSource:
string updateStatement = "UPDATE Codes SET Manager_Name = @Manager_Name, Created_Date = GETDATE() WHERE Id = @Id AND ProjProjectID = @projectID";
using (SqlConnection connection = new SqlConnection(ConnectionString())
using (SqlCommand cmd = new SqlCommand(updateStatement, connection)) {
connection.Open();
cmd.Parameters.Add(new SqlParameter("@Manager_Name", textManagerName.Text));
cmd.Parameters.Add(new SqlParameter("@Created_Date", textDate.Text));
cmd.Parameters.Add(new SqlParameter("@Id", textID.Text));
cmd.Parameters.Add(new SqlParameter("@projectID", projProjectID));
cmd.ExecuteNonQuery();