如何將數據插入到asp.net網站的sql server中？

Question

我試圖插入數據到我的網站構建在SQL Server中的VS 2008中。爲此我使用了按鈕單擊事件。我嘗試了代碼顯示在YouTube上，但代碼無法正常工作。它在我的網站上顯示錯誤。

在.aspx.cs文件中的代碼是

public partial class _Default : System.Web.UI.Page 
{ 
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString); 

protected void Page_Load(object sender, EventArgs e) 
{ 
    conn.Open(); 
} 
protected void btnInsert_Click(object sender, EventArgs e) 
{ 
    SqlCommand cmd = new SqlCommand("insert into Insert values('"+txtCity.Text+"','"+txtFName.Text+"','"+txtLName.Text+"')",conn); 
    cmd.ExecuteNonQuery(); 
    conn.Close(); 
    Label1.Visible =true; 
    Label1.Text = "Your data inserted successfully"; 
    txtCity.Text = ""; 
    txtFName.Text = ""; 
    txtLName.Text = ""; 
} 

} `

Answer 1

好吧，讓我們來解決這個問題的代碼最多隻是一點點。你到達那裏：

var cnnString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString; 
var cmd = "insert into Insert values(@City,@FName,@LName)"; 
using (SqlConnection cnn = new SqlConnection(cnnString)) 
{ 
    using (SqlCommand cmd = new SqlCommand(cmd, cnn)) 
    { 
     cmd.Parameters.AddWithValue("@City",txtCity.Text); 
     cmd.Parameters.AddWithValue("@FName",txtFName.Text); 
     cmd.Parameters.AddWithValue("@LName",txtLName.Text); 

     cnn.Open(); 
     cmd.ExecuteNonQuery(); 
    } 
} 

一些事情要注意修改後的代碼。

• 它利用using聲明確保資源妥善處置。
• 它的參數化確保SQL注入不可能。
• 它沒有存儲任何地方的連接對象，擺脫存儲的連接。

Answer 2

Creating procedure will avoid sql injection. 

SQL

Create procedure insert 
(@City,@FirstName,@LastName) 
{ 
insert into tablename (City,FName,LName) 
values(@City,@FirstName,@LastName) 
} 

C＃

SqlConnection con=new sqlconnection("give ur connection string here"); 
sqlcommand cmd=new sqlcommand(); 
con.open(); 
cmd=new sqlcommand("insert",con); 
cmd.commandtype=commandtype.storedprocedure; 
cmd.parameters.addwithvalue("@City",txtCity.text); 
cmd.parameters.addwithvalue("@FName",txtFName.text); 
cmd.parameters.addwithvalue("@LNAme",txtLName.text); 
cmd.ExecuteNonQuery(); 
con.close(); 

Answer 3

**

using System; 
using System.Collections.Generic; 
using System.Linq; 
using System.Web; 
using System.Web.UI; 
using System.Web.UI.WebControls; 
using System.Data; 
using System.Data.SqlClient; 
public partial class _Default : System.Web.UI.Page 
{ 
    SqlConnection con = new SqlConnection("Data Source=.\\SQLEXPRESS;Initial Catalog=mrinmoynandy;User ID=**;Password=****"); 
    protected void Page_Load(object sender, EventArgs e) 
    { 
    } 
    protected void SumbitBtn_Click(object sender, EventArgs e) 
    { 
     SqlCommand cmd = new SqlCommand("insert into streg(Name,Father,Mother,Dob,Sex,Category,Maritial,Vill,Po,Ps,Dist,State,Pin,Country) values (@name,@father,@mother,@dob,@sex,@category,@maritial,@vill,@po,@ps,@dist,@state,@pin,@country)", con); 
     cmd.Parameters.AddWithValue(@"name", StNumTxt.Text); 
     cmd.Parameters.AddWithValue(@"father", FatNumTxt.Text); 
     cmd.Parameters.AddWithValue(@"mother", MotNumTxt.Text); 
     cmd.Parameters.AddWithValue(@"dob", DobRdp.SelectedDate); 
     cmd.Parameters.AddWithValue(@"sex", SexDdl.SelectedItem.Text); 
     cmd.Parameters.AddWithValue(@"category", CategoryDdl.SelectedItem.Text); 
     cmd.Parameters.AddWithValue(@"maritial", MaritialRbl.SelectedItem.Text); 
     cmd.Parameters.AddWithValue(@"vill", VillTxt.Text); 
     cmd.Parameters.AddWithValue(@"po", PoTxt.Text); 
     cmd.Parameters.AddWithValue(@"ps", PsTxt.Text); 
     cmd.Parameters.AddWithValue(@"dist", DistDdl.SelectedItem.Text); 
     cmd.Parameters.AddWithValue(@"state", StateTxt.Text); 
     cmd.Parameters.AddWithValue(@"pin", PinTxt.Text); 
     cmd.Parameters.AddWithValue(@"country", CountryTxt.Text); 
     con.Open();   
     con.Close();   
    } 
} 
Thanks 
Mrinmoy Nandy 
Phone No.: +91 9800451398 

**