1. 首頁
  2. 問答
  3. 如何在Visual Studio中編寫SQL查詢?

如何在Visual Studio中編寫SQL查詢?

2017-01-23 22 views
0

我想在Visual Studio中編寫所有插入,選擇和刪除查詢,但我不知道如何編寫它們。如何在Visual Studio中編寫SQL查詢?

SqlConnection con = new SqlConnection("Data Source=5CG50749V3\\SQLEXPRESS;Initial Catalog=test;Integrated Security=True"); 
con.Open(); 

SqlCommand cmd = new SqlCommand("INSERT INTO backup(Option,EquipmentID,SerialNumber,Description,Location,DueDate,DaytoDue,EquipmentWithdraworRemarks,NCRorOOTHistory,LastOOTissuanceDate,AvailableinSapphire,ResponsiblePerson,CalibrationOption,CalibrationSourceorLab,YearofManufacturing,ManufacturerorVendor,CalibrationCost,AssetNo,CalibrationTAT,SendInDate,Status), SELECT * FROM Equipment where (SerialNumber = '" + TextBox2.Text + "' or EquipmentID = '" + TextBox1.Text + "'), DELETE FROM Equipment where (SerialNumber = '" + TextBox2.Text + "' or EquipmentID = '" + TextBox1.Text + "')", con); 

cmd.ExecuteNonQuery(); 
con.Close();

來源

2017-01-23 naz Edyra

+2

使用參數請... –

+3

[SQL注入警報(http://msdn.microsoft.com/en-us/library/ms161953 %28v = sql.105%29.aspx) - 你應該不**連接你的SQL語句 - 使用**參數化查詢**來代替以避免SQL注入 –

+0

改爲使用** Entity Framework **,不必再自己寫SQL了! –

回答

1

爲此,您可以使用參數化查詢象下面這樣:

string connectionstring = "Data Source=5CG50749V3\\SQLEXPRESS;Initial Catalog=test;Integrated Security=True"; 
      using (SqlConnection connection = new SqlConnection(connectionstring)) 
      { 

       string sql = @"INSERT IntO [backup](Option,EquipmentID,SerialNumber,Description,Location, 
           DueDate,DaytoDue,EquipmentWithdraworRemarks,NCRorOOTHistory,LastOOTissuanceDate, 
           AvailableinSapphire,ResponsiblePerson,CalibrationOption,CalibrationSourceorLab, 
           YearofManufacturing,ManufacturerorVendor,CalibrationCost,AssetNo,CalibrationTAT,SendInDate,Status) 
           SELECT * FROM Equipment where SerialNumber = @serialnumber or EquipmentID = @equipmentId; 
           DELETE FROM Equipment where SerialNumber = @serialnumber or EquipmentID = @equipmentId"; 
       using (SqlCommand command = new SqlCommand(sql, connection)) 
       { 
        command.Parameters.Add("@serialnumber", SqlDbType.NVarChar).Value = "testSerialNumber"; 
        command.Parameters.Add("@equipmentId", SqlDbType.NVarChar).Value = "testequipmentid"; 
        connection.Open(); 
        command.ExecuteNonQuery(); 
        connection.Close(); 
       } 

      }

來源

2017-01-23 07:38:30 Amir

+0

@ naz-Edyra,如果有任何混淆請讓我知道。 – Amir

+0

謝謝:)。我會先嚐試一下。 –

+0

爲插入查詢,實際上我不知道每列的值。用戶將根據序列號或設備ID搜索數據。所以數據將基於它出現。但並非所有數據都會顯示給用戶。一些數據只存儲在sql服務器中。但是我想移動所有出現給用戶並存儲在sql server中的數據。所以爲了價值,我應該放什麼?它是列名? @Amir –

1

SqlCommand(String)方法只接受一個參數,並使用查詢的文本初始化SqlCommand類的新實例。

來源

2017-01-23 06:28:54

相關問題

 相關問題