My code (it says command.ExecuteNonQuery() is not initialized):
```csharp
// Namespaces this code-behind depends on.
using System.Data.SqlClient;
using System.Web.Configuration;

// Get Connection String
string conn = WebConfigurationManager.ConnectionStrings["GraduatesConnectionString"].ToString();
// Create connection object
SqlConnection connection = new SqlConnection(conn);
SqlCommand command = connection.CreateCommand();
try
{
    // Open the connection.
    connection.Open();
    // Execute the insert command.
    // The SQL text is built by concatenating raw form input: any field containing a
    // single quote breaks the statement, and a user can inject their own SQL.
    // (The original had unbalanced parentheses and no closing quote/paren; fixed here.)
    command.CommandText = "INSERT INTO PersonalInfo(Id,Name,LastName,ContactNumber,Address,Gender,Date_Of_Birth) VALUES('"
        + this.txtID.Text + "','"
        + this.txtName.Text + "','"
        + this.txtLastName.Text + "','"
        + this.txtContactNumber.Text + "','"
        + this.txtAddress.Text + "','"
        + this.gender + "','"
        + this.txtDateofBirth.Text + "')";
    command.ExecuteNonQuery();
}
finally
{
    // Close the connection.
    connection.Close();
}
```
**Stop right now,** go and learn about SQL injection and how to parameterize queries. – podiluska
Wrap your `SqlConnection`/`SqlCommand` in a [using statement](http://msdn.microsoft.com/en-us/library/yh598w02.aspx). – James
http://stackoverflow.com/questions/601300/what-is-sql-injection – Paddy
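The two comments above (parameterize the query; wrap the connection and command in `using`) applied to the question's insert, as an added example that is not code from the question or from the commenters. The table and column names, the connection string name and the control names come from the question; the `SqlDbType` types and lengths, the `btnSave_Click` handler, the `lblMessage` label and the `Register` page name are assumptions for illustration. `BuildConcatenated` is kept only to show what the question's string building produces for a hostile value: with `name = "x'); DROP TABLE PersonalInfo;--"` it returns `INSERT INTO PersonalInfo(Id,Name) VALUES('1','x'); DROP TABLE PersonalInfo;--')`, which SQL Server would run as two statements.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.Configuration;

public static class PersonalInfoRepository
{
    // Parameter placeholders instead of concatenated values.
    private const string InsertSql =
        "INSERT INTO PersonalInfo (Id, Name, LastName, ContactNumber, Address, Gender, Date_Of_Birth) " +
        "VALUES (@Id, @Name, @LastName, @ContactNumber, @Address, @Gender, @DateOfBirth)";

    public static int Insert(string id, string name, string lastName, string contactNumber,
                             string address, string gender, DateTime dateOfBirth)
    {
        string connString = WebConfigurationManager
            .ConnectionStrings["GraduatesConnectionString"].ConnectionString;

        // 'using' disposes both objects even when ExecuteNonQuery throws, so the
        // connection always returns to the pool; no explicit try/finally/Close needed.
        using (var connection = new SqlConnection(connString))
        using (var command = new SqlCommand(InsertSql, connection))
        {
            // Values are sent to SQL Server as typed parameters, never as SQL text,
            // so a quote or semicolon inside Name is stored literally, not executed.
            // Types and lengths below are assumptions; match them to the real table.
            command.Parameters.Add("@Id", SqlDbType.NVarChar, 20).Value = id;
            command.Parameters.Add("@Name", SqlDbType.NVarChar, 50).Value = name;
            command.Parameters.Add("@LastName", SqlDbType.NVarChar, 50).Value = lastName;
            command.Parameters.Add("@ContactNumber", SqlDbType.NVarChar, 20).Value = contactNumber;
            command.Parameters.Add("@Address", SqlDbType.NVarChar, 200).Value = address;
            command.Parameters.Add("@Gender", SqlDbType.NVarChar, 10).Value = gender;
            command.Parameters.Add("@DateOfBirth", SqlDbType.Date).Value = dateOfBirth;

            connection.Open();
            return command.ExecuteNonQuery(); // rows affected; 1 on success
        }
    }

    // The question's concatenation, reduced to two columns, to make the injection visible.
    // For name = "x'); DROP TABLE PersonalInfo;--" the result contains a second statement.
    // Never execute the returned string.
    public static string BuildConcatenated(string id, string name)
    {
        return "INSERT INTO PersonalInfo(Id,Name) VALUES('" + id + "','" + name + "')";
    }
}

// Hypothetical code-behind call site. txtID, txtName, txtLastName, txtContactNumber,
// txtAddress, txtDateofBirth and the gender field are the ones used in the question;
// btnSave and lblMessage are assumed to exist in the .aspx markup.
public partial class Register : System.Web.UI.Page
{
    protected void btnSave_Click(object sender, EventArgs e)
    {
        DateTime dob;
        // Validate the date in C# instead of letting SQL Server parse free text.
        if (!DateTime.TryParse(txtDateofBirth.Text, out dob))
        {
            lblMessage.Text = "Please enter a valid date of birth.";
            return;
        }

        int rows = PersonalInfoRepository.Insert(
            txtID.Text, txtName.Text, txtLastName.Text, txtContactNumber.Text,
            txtAddress.Text, gender, dob);
        lblMessage.Text = rows == 1 ? "Saved." : "Nothing was saved.";
    }
}
```

Passing the date as a `DateTime` parameter also removes the dependency on the server's date format that the question's `'" + txtDateofBirth.Text + "'` string would introduce.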