2013-07-25 141 views
2

我將如何將其保存到存儲過程?並在C#中運行存儲過程?轉換爲存儲過程

string a = "Select * from EmpTable Where EmpName Like @SearchItem"; 

using (SqlCommand SqlCommand = new SqlCommand(" "+ a +" ", myDatabaseConnection)) 
{ 
    SqlCommand.Parameters.AddWithValue("@SearchItem", "%" + textBox1.Text + "%"); 
} 
+0

您希望創建與查詢和調用存儲過程從代碼? –

+0

@GianAcuna - 是:) –

回答

0

存儲過程:

CREATE PROCEDURE SearchSP 
@SearchItem nvarchar(MAX) 
AS 
BEGIN 

    Select * 
    from EmpTable 
    Where EmpName Like '%' + @SearchItem + '%' 

END 
GO 

代碼:

using (SqlCommand cmd= new SqlCommand("SearchSP", myDatabaseConnection)) 
{ 
    cmd.CommandType = CommandType.StoredProcedure; 
    cmd.Parameters.AddWithValue("@SearchItem", textBox1.Text); 
    //rest of the code 
} 
+0

@BlackTigerX - 我將如何轉換它以避免sqlinjection? –

+1

@BlackTigerX :)使用'Parameters'防止SQL注入,有什麼其他的,請解釋一下,否則這只是意味着較少的評論 – Damith

-1

這將是你的存儲過程,(沒有測試的代碼):

CREATE PROCEDURE TestStoredProc 
    @SearchItem nvarchar(MAX) 
AS 
BEGIN 

    SET NOCOUNT ON; 

    Select * 
    from EmpTable 
    Where EmpName Like '%' + @SearchItem + '%' 

END 
GO 

然後在代碼方面做到這一點:

using (var conn = new SqlConnection(connectionString)) 
using (var command = new SqlCommand("TestStoredProc", conn) { 
CommandType = CommandType.StoredProcedure, Parameters.AddWithValue("@SearchItem",textbox.Text)}) { 

} 
+2

可能不應該是'ExecuteNonQuery',因爲它是一個查詢權限。 – Magnus

0

你說什麼是你想要的字符串消失,並調用存儲過程,而不是有這個SQL代碼裏面?如果是這樣的話..

。假定的SQL Server 2008 Management Studio中..

Management Studio中擴大您的「數據庫」,然後展開「可編程」 ... 右擊創建新的存儲程序並刪除裏面的所有代碼。

然後輸入以下內容。

USE [YourDataBaseName] 
GO 
SET ANSI_NULLS ON 
GO 
SET QUOTED_IDENTIFIER ON 
GO 
CREATE PROCEDURE [dbo].[AnyName] 
@SearchItem as nvarchar(MAX) 
AS 
Select * from EmpTable Where EmpName Like @SearchItem 

點擊運行/執行,並刷新你的數據庫,如果你在存儲過程的文件夾看看,你應該看到新的存儲過程。

然後在您的(設定C#.Net)代碼中。

public string GetUserFinal(string _userInput) 
{ 
    string temp = ""; 
    using (SqlConnection myConn = new SqlConnection(Conn)) 
    { 
     using (SqlCommand myCommand = new SqlCommand()) 
     { 
      myCommand.CommandType = CommandType.StoredProcedure; 
      myCommand.CommandText = "dbo.your procedure name"; 
      myCommand.Parameters.AddWithValue("@SearchItem", _userInput); 
      SqlDataReader reader = myCommand.ExecuteReader(); 
      myCommand.Connection = myConn; 
      While (reader.read()) 
      { 
       //populate a string? or do something else? 
      } 
     } 
    } 
    return temp; 
} 

一個更好的辦法是強類型這一切。所以我會創建一個你現在的字段和類型的模型,然後創建一個列表並遍歷該列表以從該函數綁定。但是,正如你所看到的基礎知識,這應該只是檢查語法。

0

創建一個存儲過程類似下面:

Create Procedure dbo.Test 
@SearchItem 
AS 
BEGIN 
BEGIN TRY 
IF EXISTS(SELECT 1 FROM dbo.Table WHERE EmpName LIKE '%'[email protected]+'%') 
     SELECT * FROM dbo.Table WHERE EmpName LIKE '%'[email protected]+'%' 
END TRY 
BEGIN CATCH 
SELECT ERROR_NUMBER() AS 'ErrorNumber', ERROR_MESSAGE() AS 'ErrorMessage', ERROR_SEVERITY() AS 'ErrorSeverity', ERROR_STATE() AS 'ErrorState', ERROR_LINE() AS 'ErrorLine' 
RETURN ERROR_NUMBER() 
END CATCH 
END 

現在,您可以參考代碼隱藏下面這個SP:

SqlConnection xconn=new SqlConnection(Write your connection string); 
SqlCommand xcommand=new SqlCommand("Test",xconn); 
xcommand.CommandType=CommandType.StoredProcedure; 
xcommand.Parameters.AddWithValue("@SearchItem",DbType.String,txtBox1.Text); 
xconn.Open(); 
xCommand.ExecuteNonQuery(); 
xconn.Close();