Query string to call row data using SCOPE_IDENTITY

I have a submit page where users enter data. I then redirect to a view page so they can review what they entered. Session is out, because this will be a high-volume site, but I used the scope identity method at the end of the submit command. How do I query the scope identity value so that the row's data shows up on my view page?

The code is below. This is a training project, and for simplicity I have been expressly forbidden from parameterizing. But yes, I know parameterization is the way to go.
    protected void Button1_Click(object sender, EventArgs e)
    {
        string connectionString = System.Configuration.ConfigurationManager.ConnectionStrings["MyConnectionString"].ConnectionString;
        // Deliberately unparameterized (see the note above): the INSERT and the SCOPE_IDENTITY() read run in one batch
        String thisQuery = "INSERT INTO ProductInstance (CustId, CustName, SicNaic, CustAdd, CustCity, CustState, CustZip, BroId, BroName, BroAdd, BroCity, BroState, BroZip, EntityType, Coverage, CurrentCoverage, PrimEx, Retention, EffectiveDate, Commission, Premium, Comments) VALUES ('" + TextBox19.Text + "', '" + TextBox1.Text + "', '" + RadioButtonList1.SelectedItem + "', '" + TextBox2.Text + "', '" + TextBox3.Text + "', '" + DropDownList1.SelectedItem + "', '" + TextBox4.Text + "', '" + TextBox18.Text + "', '" + TextBox5.Text + "', '" + TextBox6.Text + "', '" + TextBox7.Text + "', '" + DropDownList2.SelectedItem + "', '" + TextBox8.Text + "', '" + DropDownList3.SelectedItem + "','" + TextBox9.Text + "','" + TextBox10.Text + "','" + TextBox11.Text + "','" + TextBox12.Text + "','" + TextBox20.Text + "','" + TextBox14.Text + "','" + TextBox15.Text + "','" + TextBox16.Text + "'); SELECT SCOPE_IDENTITY() AS [lastInsertedProductId]";
        using (SqlConnection sqlConn = new SqlConnection(connectionString))
        {
            sqlConn.Open();
            using (SqlCommand command = new SqlCommand(thisQuery, sqlConn))
            {
                // ExecuteScalar returns the single value of the trailing SELECT, i.e. the new identity
                int lastInsertedProductId = Convert.ToInt32(command.ExecuteScalar());
            }
        }
        // The identity captured above is not yet passed along with this redirect
        Response.Redirect("~/View.aspx");
    }
And the view page code is here:

    protected void Page_Load(object sender, EventArgs e)
    {
        // Expects the identity to arrive as ?ProductId=... in the query string
        string x = Request.QueryString["ProductId"];
        string connectionString = System.Configuration.ConfigurationManager.ConnectionStrings["MyConnectionString"].ConnectionString;
        string editQuery = "SELECT CustId, CustName, SicNaic, CustCity, CustAdd, CustState, CustZip, BroName, BroId, BroAdd, BroCity, BroState, BroZip, EntityType, Coverage, CurrentCoverage, PrimEx, Retention, EffectiveDate, Commission, Premium, Comments FROM ProductInstance WHERE ProductId =" + x;
        using (SqlConnection editConn = new SqlConnection(connectionString))
        {
            editConn.Open();
            using (SqlCommand command = new SqlCommand(editQuery, editConn))
            {
                using (SqlDataReader dr = command.ExecuteReader())
                {
                    dr.Read();
                    Label6.Text = dr.GetInt32(0).ToString();
                }
            }
        }
    }
Stop everything and read this now: http://en.wikipedia.org/wiki/SQL_injection#Parameterized_statements – 2011-04-19 17:33:45

Hahaha, yes, yes, I have read the article, and refer to it or something similar on almost every question. The site is not meant for actual deployment and, as I mentioned in my question, my trainer expressly forbade me from parameterizing because he wants me to focus on understanding the basics while still being able to finish this project. Still, I really appreciate how everyone jumps in to point this out. It shows genuine good will. – 2011-04-19 17:39:58

You should consider looking at an ORM (such as EF or NHibernate). – 2011-04-19 17:40:34
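An added example (not the poster's code) showing the piece the question is missing: the SCOPE_IDENTITY() value captured from the INSERT batch travels on the redirect as ?ProductId=, and the view page accepts it only once it parses as an integer. It also binds every user value as a SqlParameter, which the poster's trainer has ruled out for this exercise; the class name, the reduced column list and the textbox-to-column mapping are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
public partial class SubmitAndView : System.Web.UI.Page
{
    // Hypothetical page class holding both handlers; same connection string name as the post
    private static string Cs => System.Configuration.ConfigurationManager.ConnectionStrings["MyConnectionString"].ConnectionString;
    // Submit page: insert, read SCOPE_IDENTITY() from the same batch, carry it on the redirect
    protected void Button1_Click(object sender, EventArgs e)
    {
        const string insertSql =
            "INSERT INTO ProductInstance (CustName, CustCity, CustState) VALUES (@CustName, @CustCity, @CustState); " +
            "SELECT CAST(SCOPE_IDENTITY() AS int);"; // same scope and session, so it is this INSERT's identity
        int newId;
        using (var conn = new SqlConnection(Cs))
        using (var cmd = new SqlCommand(insertSql, conn))
        {
            // Typed parameters: the text is sent as data and is never spliced into the SQL string
            cmd.Parameters.Add("@CustName", SqlDbType.NVarChar, 100).Value = TextBox1.Text;
            cmd.Parameters.Add("@CustCity", SqlDbType.NVarChar, 100).Value = TextBox3.Text;
            cmd.Parameters.Add("@CustState", SqlDbType.NVarChar, 2).Value = DropDownList1.SelectedValue;
            conn.Open();
            newId = (int)cmd.ExecuteScalar();
        }
        // The identity rides in the query string; the view page re-validates it before use
        Response.Redirect("~/View.aspx?ProductId=" + newId);
    }
    // View page: accept only a plain integer ProductId and bind it as a parameter
    protected void Page_Load(object sender, EventArgs e)
    {
        int productId;
        if (!int.TryParse(Request.QueryString["ProductId"], out productId))
        { Response.StatusCode = 400; Response.End(); return; } // anything else is rejected outright
        const string selectSql = "SELECT CustName, CustCity, CustState FROM ProductInstance WHERE ProductId = @ProductId";
        using (var conn = new SqlConnection(Cs))
        using (var cmd = new SqlCommand(selectSql, conn))
        {
            cmd.Parameters.Add("@ProductId", SqlDbType.Int).Value = productId;
            conn.Open();
            using (SqlDataReader dr = cmd.ExecuteReader())
                if (dr.Read()) Label6.Text = dr.GetString(0); // CustName of the row just inserted
        }
    }
}
```

Because the view page rejects non-integer input before building any command, the row lookup cannot be steered by the query string even if a parameter were later replaced with concatenation.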