How to insert dataGridView row text into database in C#

I am trying to transfer the complete table text into my database, and I thought I could use a foreach loop. But I end up with an error.

Here is my current code:

    private void button1_Click(object sender, EventArgs e)
    {
        foreach (DataGridViewRow dr in dataGridView1.Rows)
        {
            string constring = "Data Source = localhost; port = 3306; username = root; password = 0159";
            string Query = "Update TopShineDB.Table1 set Time = '" + dr.Cells[0].Value + "', CarColorNumber = '" + dr.Cells[1].Value + "', Interior = '" + dr.Cells[2].Value + "', Exterior = '" + dr.Cells[3].Value + "', CPlastic = '" + dr.Cells[4].Value + "', MPlastic = '" + dr.Cells[5].Value + "', SPlastic = '" + dr.Cells[6].Value + "', PlasticB = '" + dr.Cells[7].Value + "', WashExt = '" + dr.Cells[8].Value + "', WashEng = '" + dr.Cells[9].Value + "', WashTrunk = '" + dr.Cells[10].Value + "', WashSeats = '" + dr.Cells[11].Value + "', SeatsRmv = '" + dr.Cells[12].Value + "', SeatsFit = '" + dr.Cells[13].Value + "', Notes = '" + dr.Cells[14].Value + "', where Time = '" + dr.Cells[0].Value + "' ;";  
            MySqlConnection conn = new MySqlConnection(constring);
            MySqlCommand command = new MySqlCommand(Query, conn);
            MySqlDataReader myReader;

            try
            {
                conn.Open();
                myReader = command.ExecuteReader();
                MessageBox.Show("Worker Successfully Added");
                while (myReader.Read())
                {

                }
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message);
            }
        }
    }

When I run the application I get this error in the error box:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(Time, CarColorNumber, Interior, Exterior, CPlastic,...)

What am I doing wrong? Thanks for your help.

As I explained in my comment above, you have a syntax error because there is a comma before the WHERE clause. But removing that comma alone will not solve your problem, because the word TIME is a reserved keyword and you should not use it as your column name. This can be fixed by wrapping the keyword in backticks ` (or, better, by changing the column name).

However, concatenating strings to form your SQL text opens the door to other possible errors, because if any of your input values contains a single quote, the whole string built by your code becomes invalid SQL text again.

Moreover, the most serious problem with the string concatenation approach is that it allows a malicious user to use a well-known hacking technique called SQL Injection.

To solve all of these problems once and for all, you should try to write a parameterized query like this:

using MySql.Data.MySqlClient;   // MySqlConnection, MySqlCommand, MySqlDbType

private void button1_Click(object sender, EventArgs e)
{
    string constring = "Data Source = localhost; port = 3306; username = root; password = 0159";

    // Prepare a string where you insert parameter placeholders instead of
    // concatenating the grid values....
    string Query = @"Update TopShineDB.Table1 set CarColorNumber = @CarColorNumber, Interior = @Interior, 
                     Exterior = @Exterior , CPlastic = @CPlastic, MPlastic = @MPlastic, SPlastic = @SPlastic, 
                     PlasticB = @PlasticB, WashExt = @WashExt, WashEng = @WashEng, WashTrunk = @WashTrunk, 
                     WashSeats = @WashSeats, SeatsRmv = @SeatsRmv, SeatsFit = @SeatsFit, Notes = @Notes 
                     where `Time` = @Time";  

    // Using statement around connection and command to destroy
    // these objects at the end of the using block               
    using (MySqlConnection conn = new MySqlConnection(constring))
    using (MySqlCommand command = new MySqlCommand(Query, conn))
    {
        conn.Open();

        // Create the list of parameters required by the query
        // (one per placeholder, values left null for now).
        // Notice that you should use the appropriate MySqlDbType
        // for the field receiving the value: VarChar is assumed
        // for every column below, adjust it to the real column types.
        command.Parameters.Add("@Time", MySqlDbType.VarChar); 
        command.Parameters.Add("@CarColorNumber", MySqlDbType.VarChar);
        command.Parameters.Add("@Interior", MySqlDbType.VarChar);
        command.Parameters.Add("@Exterior", MySqlDbType.VarChar);
        command.Parameters.Add("@CPlastic", MySqlDbType.VarChar);
        command.Parameters.Add("@MPlastic", MySqlDbType.VarChar);
        command.Parameters.Add("@SPlastic", MySqlDbType.VarChar);
        command.Parameters.Add("@PlasticB", MySqlDbType.VarChar);
        command.Parameters.Add("@WashExt", MySqlDbType.VarChar);
        command.Parameters.Add("@WashEng", MySqlDbType.VarChar);
        command.Parameters.Add("@WashTrunk", MySqlDbType.VarChar);
        command.Parameters.Add("@WashSeats", MySqlDbType.VarChar);
        command.Parameters.Add("@SeatsRmv", MySqlDbType.VarChar);
        command.Parameters.Add("@SeatsFit", MySqlDbType.VarChar);
        command.Parameters.Add("@Notes", MySqlDbType.VarChar);

        try
        {
            foreach (DataGridViewRow dr in dataGridView1.Rows)
            {
                // Skip the empty placeholder row the grid shows at the bottom
                // when AllowUserToAddRows is enabled; its cells are all null.
                if (dr.IsNewRow)
                    continue;

                // Inside the loop update the parameters' values
                // with data extracted from the current row...
                command.Parameters["@Time"].Value = dr.Cells[0].Value; 
                command.Parameters["@CarColorNumber"].Value = dr.Cells[1].Value;
                command.Parameters["@Interior"].Value = dr.Cells[2].Value;
                command.Parameters["@Exterior"].Value = dr.Cells[3].Value;
                command.Parameters["@CPlastic"].Value = dr.Cells[4].Value;
                command.Parameters["@MPlastic"].Value = dr.Cells[5].Value;
                command.Parameters["@SPlastic"].Value = dr.Cells[6].Value;
                command.Parameters["@PlasticB"].Value = dr.Cells[7].Value;
                command.Parameters["@WashExt"].Value = dr.Cells[8].Value;
                command.Parameters["@WashEng"].Value = dr.Cells[9].Value;
                command.Parameters["@WashTrunk"].Value = dr.Cells[10].Value;
                command.Parameters["@WashSeats"].Value = dr.Cells[11].Value;
                command.Parameters["@SeatsRmv"].Value = dr.Cells[12].Value;
                command.Parameters["@SeatsFit"].Value = dr.Cells[13].Value;
                command.Parameters["@Notes"].Value = dr.Cells[14].Value;

                // ExecuteNonQuery for INSERT/UPDATE/DELETE; 
                // ExecuteReader works but it is specific for reading
                command.ExecuteNonQuery();      
            }
        }
        catch (Exception ex)
        {
            MessageBox.Show(ex.Message);
        }
    }   
}

Another point to notice is the update of the Time field. It is updated with the same value you use in the WHERE clause, so there is no need to update it.
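The two failure modes the answer describes (a single quote in a cell value breaking the concatenated statement, and a crafted value rewriting the WHERE clause so every row is updated) can be reproduced without a MySQL server. The following is an added example, not code from the question or the answer: it uses Python with an in-memory SQLite database as a stand-in for the C#/MySQL code above, with a constructed three-column version of Table1 and constructed sample rows. `?` is SQLite's placeholder where MySqlCommand uses `@Name`; the behaviour of the concatenated and parameterized UPDATE is otherwise the same.

```python
import sqlite3

# Constructed stand-in for TopShineDB.Table1, reduced to three of the
# question's columns. `Time` is backtick-quoted as in the answer's query.
SAMPLE_ROWS = [
    ("09:00", "RED-1", ""),
    ("10:00", "BLU-2", ""),
    ("11:00", "GRN-3", ""),
]


def setup_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Table1 (`Time` TEXT PRIMARY KEY, CarColorNumber TEXT, Notes TEXT)"
    )
    conn.executemany("INSERT INTO Table1 VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def update_concatenated(conn, row):
    """The question's approach: cell values spliced straight into the SQL text.

    Returns the number of rows the UPDATE touched; raises
    sqlite3.OperationalError when a value breaks the statement's syntax.
    """
    time, color, notes = row
    query = (
        "UPDATE Table1 SET CarColorNumber = '" + color + "', Notes = '" + notes
        + "' WHERE `Time` = '" + time + "'"
    )
    cur = conn.execute(query)
    conn.commit()
    return cur.rowcount


def update_parameterized(conn, row):
    """The answer's approach: placeholders in the text, values bound separately."""
    time, color, notes = row
    cur = conn.execute(
        "UPDATE Table1 SET CarColorNumber = ?, Notes = ? WHERE `Time` = ?",
        (color, notes, time),
    )
    conn.commit()
    return cur.rowcount


def notes_for(conn, time):
    """Read back the Notes value stored for a given `Time` key."""
    return conn.execute(
        "SELECT Notes FROM Table1 WHERE `Time` = ?", (time,)
    ).fetchone()[0]


def demo():
    """Run both approaches against a benign and a hostile row; return what happened."""
    results = {}
    # A legitimate free-text note that happens to contain an apostrophe.
    benign = ("09:00", "RED-1", "owner's car")
    # A crafted Time value that closes the quoted literal and appends OR '1'='1'.
    hostile = ("09:00' OR '1'='1", "HACK", "pwned")

    conn = setup_db()
    try:
        update_concatenated(conn, benign)
        results["concat_benign"] = "updated"
    except sqlite3.OperationalError:
        # 'owner's car' ends the literal after owner; the rest is not valid SQL
        results["concat_benign"] = "syntax error"

    conn = setup_db()
    # The text becomes ... WHERE `Time` = '09:00' OR '1'='1' and matches every row.
    results["concat_hostile_rows"] = update_concatenated(conn, hostile)

    conn = setup_db()
    results["param_benign_rows"] = update_parameterized(conn, benign)
    results["param_benign_notes"] = notes_for(conn, "09:00")

    conn = setup_db()
    # The bound value is compared as a plain string; no row has that Time.
    results["param_hostile_rows"] = update_parameterized(conn, hostile)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the concatenated version failing on the apostrophe and touching all three rows on the crafted value, while the parameterized version stores the apostrophe as data and touches exactly one row or none.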