1. 首頁
  2. 問答
  3. winform C#使用sql server 2008

winform C#使用sql server 2008

2014-02-19 80 views
0

我有一個數據庫的問題我在c#中使用winform時,我通過表單創建名稱列中的數據之前創建一個空間,所以我想刪除它,任何人都可以幫我 name column has數據類型爲varchar而接觸不具有數字類型就不會創造空間之前winform C#使用sql server 2008

我的代碼:

private void btnAddNew_Click(object sender, EventArgs e) 
{ 
     string Gender = ""; 

     if (radioButton1.Checked) 
     { 
      Gender = "Male"; 
     } 
     else if (radioButton2.Checked) 
     { 
      Gender = "Female"; 
     } 

     if (txtName.Text == "") 
     { 
      MessageBox.Show("Enter the customer name.", "Dairy Management System", MessageBoxButtons.OK, MessageBoxIcon.Stop); 
      txtName.Focus(); 
     } 
     else if (Gender == "") 
     { 
      MessageBox.Show("Enter the gender.", "Dairy Management System", MessageBoxButtons.OK, MessageBoxIcon.Stop); 
      grpGender.Focus(); 
     } 
     else if (txtAddress.Text == "") 
     { 
      MessageBox.Show("Enter the Address.", "Dairy Management System", MessageBoxButtons.OK, MessageBoxIcon.Stop); 
      txtAddress.Focus(); 
     } 
     else if (txtContact.Text == "") 
     { 
      MessageBox.Show("Enter Contact No.", "Dairy Management System", MessageBoxButtons.OK, MessageBoxIcon.Stop); 
      txtContact.Focus(); 
     } 
     else 
     { 
      SqlConnection con = new SqlConnection("Data Source=RANJEETMAURYA;Initial Catalog=Project;Integrated Security=True"); 
      con.Open(); 

      SqlCommand cmd = new SqlCommand(@"INSERT INTO CustomerDetails 
        (Date, Contact_No, Name, Gender, Address, Email_ID) 
VALUES(' " + this.dateTimePicker1.Value.ToString("MM/dd/yyyy") + " ',' " + txtName.Text + " ',' " + Gender + " ',' " + txtAddress.Text + " ',' " + txtContact.Text + " ',' " + txtEmail.Text + " ')", con); 
      cmd.ExecuteNonQuery(); 
      con.Close(); 
      MessageBox.Show("Customer Information Added Successfully.", "Dairy Management System", MessageBoxButtons.OK, MessageBoxIcon.Information); 
      SQLFunctions.Refresh(this.dataGridView1); 
      clear(); 
     } 
}

來源

2014-02-19 user3327117

+0

可以顯示的代碼,你試過嗎?表單中的輸入是否已獲得空間,或者您認爲它是按照您的說法添加的? – owen79

+0

如果你能展示一個例子,可能會有所幫助。它不清楚你的意思。 – Fred

+2

[SQL注入警報](http://msdn.microsoft.com/en-us/library/ms161953%28v=sql.105%29.aspx) - 你應該**不**連接你的SQL語句 - 使用**參數化查詢**,而不是爲了避免SQL注入 –

回答

1

問題:你增加額外的空間,而在INSERT INTO聲明如下提供的參數值:

 | 
     | 
     > 
VALUES(' " + this.dateTimePicker1.Value.ToString("MM/dd/yyyy") + " ',' " + txtName.Text  
+ " ',' " + Gender + " ',' " + txtAddress.Text + " ',' " + txtContact.Text + " ',' " +  
txtEmail.Text + " ')", con);

建議:查詢是開放的SQL注入攻擊的攻擊,所以我會建議你使用參數化的查詢,以避免它們。

試試這個:使用Parameterised Queries

替換此:

SqlCommand cmd = new SqlCommand(@"INSERT INTO CustomerDetails 
(Date, Contact_No, Name, Gender, Address, Email_ID) 
VALUES(' " + this.dateTimePicker1.Value.ToString("MM/dd/yyyy") + " ',' " + txtName.Text + " ',' " + Gender + " ',' " + txtAddress.Text + " ',' " + txtContact.Text + " ',' " + txtEmail.Text + " ')", con);

這一點:

SqlCommand cmd = new SqlCommand(@"INSERT INTO CustomerDetails 
    (Date, Contact_No, Name, Gender, Address, Email_ID) 
    VALUES(@Date,@Contact,,@Name,@Gender,@Address,@Email)", con); 

cmd.Parameters.AddWithValue("@Date",this.dateTimePicker1.Value.ToString("MM/dd/yyyy")); 
cmd.Parameters.AddWithValue("@Contact",txtContact.Text); 
cmd.Parameters.AddWithValue("@Name",txtName.Text); 
cmd.Parameters.AddWithValue("@Gender",Gender); 
cmd.Parameters.AddWithValue("@Address", txtAddress.Text); 
cmd.Parameters.AddWithValue("@Email", txtEmail.Text);

來源

2014-02-19 08:39:12

+0

,但我如何使用它我已經寫了我的代碼 – user3327117

+0

@ user3327117:檢查我編輯的答案 –

0

空格去掉

" ',' " + txtName.Text.Trim() + " ',' " + Gender + " ',' " 


"','" + txtName.Text.Trim() + "','" + Gender + "','"

但你最好刪除所有這些字符串連接並開始使用SQL參數在該行

VALUES(' " + this.dateTimePicker1.Value.ToString("MM/dd/yyyy") + " ',' " + txtName.Text + " ',' " + Gender + " ',' " + txtAddress.Text + " ',' " + txtContact.Text + " ',' " + txtEmail.Text + " ')", con);

你已經把一個空間之前和單引號後

來源

2014-02-19 08:43:59 Damith

0

的樣子。例如

' " + this.dateTimePicker1.Value.ToString("MM/dd/yyyy") + " ',

其實你已經指定後的空間,所有的賦值之前。

順便說一句,這不是插入/更新/刪除數據庫操作的好方法。您應該使用括號查詢。

SqlCommand Cmd = Connection.CreateCommand(); 
Cmd.CommandText = "Insert Into [TableName](Column1,Column2,Column3)Values(@Column1,Column2,Column3)"; 
Cmd.Parameters.Add("@@Column1", SqlDbType.Int).Value = 1; 
Cmd.Parameters.Add("@@Column1", SqlDbType.Varchar).Value = "Shell"; 
Cmd.Parameters.Add("@@Column1", SqlDbType.SmallDateTime).Value = System.DateTime.Now; 
Cmd.ExecuteNonQuery();

來源

2014-02-19 08:45:56 Shell

0

「'」之後有一些額外的空格。刪除它們,因爲它會直接插入到數據庫中。

使用此:

SqlCommand cmd = new SqlCommand(@"INSERT INTO CustomerDetails 
        (Date, Contact_No, Name, Gender, Address, Email_ID) 
VALUES('" + this.dateTimePicker1.Value.ToString("MM/dd/yyyy") + "','" + txtName.Text + "','" + Gender + "','" + txtAddress.Text + "','" + txtContact.Text + "','" + txtEmail.Text + "')", con); 
      cmd.ExecuteNonQuery(); 
      con.Close(); 
      MessageBox.Show("Customer Information Added Successfully.", "Dairy Management System", MessageBoxButtons.OK, MessageBoxIcon.Information); 
      SQLFunctions.Refresh(this.dataGridView1); 
      clear();

來源

2014-02-19 08:48:08

相關問題

 相關問題