我將如何將其保存到存儲過程?並在C#中運行存儲過程?轉換爲存儲過程
string a = "Select * from EmpTable Where EmpName Like @SearchItem";
using (SqlCommand SqlCommand = new SqlCommand(" "+ a +" ", myDatabaseConnection))
{
SqlCommand.Parameters.AddWithValue("@SearchItem", "%" + textBox1.Text + "%");
}
存儲過程:
CREATE PROCEDURE SearchSP
@SearchItem nvarchar(MAX)
AS
BEGIN
Select *
from EmpTable
Where EmpName Like '%' + @SearchItem + '%'
END
GO
代碼:
using (SqlCommand cmd= new SqlCommand("SearchSP", myDatabaseConnection))
{
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.AddWithValue("@SearchItem", textBox1.Text);
//rest of the code
}
@BlackTigerX - 我將如何轉換它以避免sqlinjection? –
@BlackTigerX :)使用'Parameters'防止SQL注入,有什麼其他的,請解釋一下,否則這只是意味着較少的評論 – Damith
這將是你的存儲過程,(沒有測試的代碼):
CREATE PROCEDURE TestStoredProc
@SearchItem nvarchar(MAX)
AS
BEGIN
SET NOCOUNT ON;
Select *
from EmpTable
Where EmpName Like '%' + @SearchItem + '%'
END
GO
然後在代碼方面做到這一點:
using (var conn = new SqlConnection(connectionString))
using (var command = new SqlCommand("TestStoredProc", conn) {
CommandType = CommandType.StoredProcedure, Parameters.AddWithValue("@SearchItem",textbox.Text)}) {
}
可能不應該是'ExecuteNonQuery',因爲它是一個查詢權限。 – Magnus
你說什麼是你想要的字符串消失,並調用存儲過程,而不是有這個SQL代碼裏面?如果是這樣的話..
。假定的SQL Server 2008 Management Studio中..
Management Studio中擴大您的「數據庫」,然後展開「可編程」 ... 右擊創建新的存儲程序並刪除裏面的所有代碼。
然後輸入以下內容。
USE [YourDataBaseName]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE PROCEDURE [dbo].[AnyName]
@SearchItem as nvarchar(MAX)
AS
Select * from EmpTable Where EmpName Like @SearchItem
點擊運行/執行,並刷新你的數據庫,如果你在存儲過程的文件夾看看,你應該看到新的存儲過程。
然後在您的(設定C#.Net)代碼中。
public string GetUserFinal(string _userInput)
{
string temp = "";
using (SqlConnection myConn = new SqlConnection(Conn))
{
using (SqlCommand myCommand = new SqlCommand())
{
myCommand.CommandType = CommandType.StoredProcedure;
myCommand.CommandText = "dbo.your procedure name";
myCommand.Parameters.AddWithValue("@SearchItem", _userInput);
SqlDataReader reader = myCommand.ExecuteReader();
myCommand.Connection = myConn;
While (reader.read())
{
//populate a string? or do something else?
}
}
}
return temp;
}
一個更好的辦法是強類型這一切。所以我會創建一個你現在的字段和類型的模型,然後創建一個列表並遍歷該列表以從該函數綁定。但是,正如你所看到的基礎知識,這應該只是檢查語法。
創建一個存儲過程類似下面:
Create Procedure dbo.Test
@SearchItem
AS
BEGIN
BEGIN TRY
IF EXISTS(SELECT 1 FROM dbo.Table WHERE EmpName LIKE '%'[email protected]+'%')
SELECT * FROM dbo.Table WHERE EmpName LIKE '%'[email protected]+'%'
END TRY
BEGIN CATCH
SELECT ERROR_NUMBER() AS 'ErrorNumber', ERROR_MESSAGE() AS 'ErrorMessage', ERROR_SEVERITY() AS 'ErrorSeverity', ERROR_STATE() AS 'ErrorState', ERROR_LINE() AS 'ErrorLine'
RETURN ERROR_NUMBER()
END CATCH
END
現在,您可以參考代碼隱藏下面這個SP:
SqlConnection xconn=new SqlConnection(Write your connection string);
SqlCommand xcommand=new SqlCommand("Test",xconn);
xcommand.CommandType=CommandType.StoredProcedure;
xcommand.Parameters.AddWithValue("@SearchItem",DbType.String,txtBox1.Text);
xconn.Open();
xCommand.ExecuteNonQuery();
xconn.Close();
您希望創建與查詢和調用存儲過程從代碼? –
@GianAcuna - 是:) –