如何向数据库中插入数据? - 用户定义 类

How to Insert Data to the Database? - User Defined Classes

我正在试验数据库,并且正在寻找不同的方法来优化我的代码。在这里,我使用不同的 class 来停止重新编写相同的代码,例如添加、删除和更新我们使用相同的 ExecuteNonQuery() 方法。到目前为止,除了插入之外,更新删除方法运行良好。编译器不会给出任何错误,但从文本框中获取的值不会进入变量字符串查询。我是 c# 编码的新手。谁能帮我?或建议?

using DBconnectionExercise.DBConnection_Components;
namespace DBconnectionExercise
{
    public partial class Student_Form : Form
    {
        DBComps dc = new DBComps();

        //public string constring;
        //public SqlConnection con = null;
        //public SqlCommand com = null;
        public String query;

        public Student_Form()
        {
            InitializeComponent();

            //constring = "Data Source=ASHANE-PC\ASHANESQL;Initial Catalog=SchoolDB;Integrated Security=True";
            //con = new SqlConnection(constring);

            dc.ConnectDB();


        }

        private void Form1_Load(object sender, EventArgs e)
        {

           loadGridData();

        }
        private void dtp_dob_ValueChanged(object sender, EventArgs e)
        {
            DateTime Now = DateTime.Today;
            DateTime Dob = dtp_dob.Value.Date;
            int a = Now.Year - Dob.Year;
            if (Now < Dob.AddYears(a)) a--;
            tb_Age.Text = a.ToString();
        }

        private void loadGridData()
        {
            try
            {
                query = "Select * from tb_Student";
                //dc.OpenCon();
                //SqlDataAdapter da = new SqlDataAdapter(query, con);
                DataTable dt1 = new DataTable();
                dt1 = dc.Data_Table(query);
                //da.Fill(dt);
                Stu_DataGrid.DataSource = dt1;
                //con.Close();

            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.ToString());
            }
        }

        private void ClearData()
        {
            tb_Name.Clear();
            tb_Address.Clear();
            tb_Telno.Clear();
            tb_Search.Clear();
            tb_Age.Clear();
            dtp_dob.Value = DateTime.Today;

        }

        private void btn_Add_Click(object sender, EventArgs e)
        {
            try
            {
                String name = tb_Name.Text;
                DateTime dob = dtp_dob.Value.Date;
                int age = Convert.ToInt32(tb_Age.Text);
                String Address = tb_Address.Text;
                int telno = Convert.ToInt32(tb_Telno.Text);
                int line = 0;


                //con.Open();
                query = "Insert into tb_Student values(@Stu_Name, @Stu_DOB, @Age, @Stu_Address, @Stu_Tel_no)";
                //query = "Insert into tb_Student (Stu_Name, Stu_DOB, Age, Stu_Address, Stu_Tel_no) Values('" + name + "','" + dob + "','" + age + "','" + Address + "','" + telno + "')";
                MessageBox.Show(query);
                //com = new SqlCommand(query, con);

               // This is the Insert/save code

                DBComps.com.Parameters.AddWithValue("@Stu_Name", name);
                DBComps.com.Parameters.AddWithValue("@Stu_DOB", dob);
                DBComps.com.Parameters.AddWithValue("@Age", age);
                DBComps.com.Parameters.AddWithValue("@Stu_Address", Address);
                DBComps.com.Parameters.AddWithValue("@Stu_Tel_no", telno);

                //line = com.ExecuteNonQuery();
                line = dc.ExeNonQuery(query);
                //com.Dispose();
                //con.Close();

                if (line > 0)
                {
                    loadGridData();
                    ClearData();
                    MessageBox.Show("Data saved sucessfully!", "Data Saved", MessageBoxButtons.OK, MessageBoxIcon.Information);
                }
                else
                    MessageBox.Show("Data not Saved", "Error Save", MessageBoxButtons.OK, MessageBoxIcon.Error);
            }
            catch(Exception ex)
            {
                MessageBox.Show(ex.ToString());
            }
        }

这是我用来编写 Sql 函数方法的 DBComps class。

 namespace DBconnectionExercise.DBConnection_Components
    {
        public class DBComps
        {
            public String conSring;
            public SqlConnection con = null;
            public static SqlCommand com = null;

            public void ConnectDB()
            {
                conSring = "Data Source=ASHANE-PC\ASHANESQL;Initial Catalog=SchoolDB;Integrated Security=True";
                con = new SqlConnection(conSring);
            }

            public void OpenCon()
            {
                con.Open();
            }

            public void CloseCon()
            {
                con.Close();
            }

            public int ExeNonQuery(String query) //the method for Insert, update and delete.
            {

                int line = 0;
                OpenCon();
                com = new SqlCommand(query, con);
                line = com.ExecuteNonQuery();
                com.Dispose();
                CloseCon();

                return line;
            }
    }
} 

好吧,我终于如我所料想出了问题的答案。在这里如何做到这一点;

private void btn_Add_Click(object sender, EventArgs e)
        {
            try
            {
                String name = tb_Name.Text;
                DateTime dob = dtp_dob.Value.Date;
                int age = Convert.ToInt32(tb_Age.Text);
                String Address = tb_Address.Text;
                int telno = Convert.ToInt32(tb_Telno.Text);
                int line = 0;


                query = "Insert into tb_Student values('"+ name +"','"+ dob +"','"+ age +"','"+ Address +"','"+ telno +"')";

                MessageBox.Show(query); //To see it works!

                line = dc.ExeNonQuery(query);

                if (line > 0)
                {
                    loadGridData();
                    ClearData();
                    MessageBox.Show("Data saved sucessfully!", "Data Saved", MessageBoxButtons.OK, MessageBoxIcon.Information);
                }
                else
                    MessageBox.Show("Data not Saved", "Error Save", MessageBoxButtons.OK, MessageBoxIcon.Error);
            }
            catch(Exception ex)
            {
                MessageBox.Show(ex.ToString());
            }
        } 

永远记得写查询语句 variables/values 与 table headers 完全一致。否则会产生错误。感谢大家帮忙解答这个问题! :-)

这是与数据库对话的非常糟糕的方式,它可以使用 SQL 注入进行破解,并且由于您正在学习,现在是时候指出这一点了:

query = "Insert into tb_Student values('"+ name +"','"+ dob +"','"+ age +"','"+ Address +"','"+ telno +"')";

阅读 sql 注入的原因和方式,并寻找最佳实践以找到更好的方法。