我在数据访问tire中有一个由业务tire调用并由演示文稿tire调用的函数。我想我已经正确编写了代码并多次查看但无法找到错误。这是我的代码:
public void insertdataintoproducttable(string prname, string prpricpe, string prdescription, string catogory, string image1url, string image2url, string image3url)
{
SqlDataAdapter sqladpter = new SqlDataAdapter("insert into Product_Table(prname,prprice,prdescription,catogory,image1url,image2url,image3url) values('" + prname + "','" + prpricpe + "','" + prdescription + "',''"+catogory+",'" + image1url + "','" + image2url + "','" + image3url + "')", sqlcon);
DataTable dt = new DataTable();
sqladpter.Fill(dt);
}
答案 0 :(得分:0)
请考虑以下代码。除了说明如何使用ADO.NET执行SQL命令之外,它还说明了为保护系统免受SQL注入攻击而必须采取的一些措施,以及一些被认为是现代C#程序良好实践的事情。
此代码不完整。您可能应该使用错误处理程序来捕获可能发生的错误并适当地处理它们。
// Declare the function.
// As a good practice, use Pascal-casing for function/method names.
// As a good practice, use camel-casing for parameter names.
// Instead of passing in a SQL connection, pass a SQL connection string so that the connection
// can be opened and closed quickly.
// This also takes advantage of connection pooling.
public void InsertDataIntoProductTable(string prName, string prPrice, string prDescription, string category, string image1Url, string image2Url, string image3Url, string connectionString)
{
// Construct a parameterized SQL INSERT query.
// Parameterized queries MUST be used to protect our systems from SQL injection attacks.
// Use string construction so that the query is readable.
string query = "INSERT Product_Table( " +
"prname" +
",prprice" +
",prdescription" +
",category" +
",image1url" +
",image2url" +
",image3url" +
") values(" +
"@prname" +
",@prprice" +
",@prdescription" +
",@category" +
",@image1url" +
",@image2url" +
",@image3url" +
")";
// Create a SqlConnection object.
// Use a using statement to insure that the SqlConnection object is closed and disposed off when finished.
using(conn = new SqlConnection(connectionString))
{
// Create a SqlCommand object to execute the query.
// Use a using statement to insure that the SqlCommand object is disposed when finished
using(cmd = new SqlCommand(query, conn))
{
// Add parameters and their values to the SqlCommand object
cmd.Parameters.AddWithValue(@prname, prName);
cmd.Parameters.AddWithValue(@prprice, prPrice);
cmd.Parameters.AddWithValue(@prdescription, prDescription);
cmd.Parameters.AddWithValue(@catogory, category);
cmd.Parameters.AddWithValue(@image1url, image1Url);
cmd.Parameters.AddWithValue(@image2url, image2Url);
cmd.Parameters.AddWithValue(@image3url, image3Url);
// Open the database connection
conn.Open();
// Execute the SqlCommand.
// Save the count of records inserted, if of interest to you.
int recordAffectedCount = cmd.ExecuteNonQuery();
}
}
}