All geek questions in one place

Insert text field values ​​into a database

im new to here and would like some advice on c # programming

I would like to save the values ​​from the text box to the database. so far I have the following:

string connectionString = @"Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Customers.mdf;Integrated Security=True;User Instance=True";
SqlConnection connection = new SqlConnection(connectionString);
connection.Open();

string query = "INSERT INTO ProjectList (ProjectName, BiddingDueDate, Status, ProjectStartDate, ProjectEndDate, AssignedTo, PointsWorth, StaffCredits) VALUES ('"+projName+"', '"+bidDueDate+"', '"+status+"', '"+projectStartDate+"', '"+projectEndDate+"', '"+assignedTo+"', '"+pointsWorth+"', '"+aStaffCredits+"')";
SqlCommand command = new SqlCommand(query, connection);

command.ExecuteNonQuery();
connection.Close();

There are no errors in the code, but I cannot understand why nothing is stored in the database.

+3
source share
6 answers

First, your code is ripe for SQL Injection attacks - you really need to use parameterized queries.

Also, if you use parameters, you may have some type safety, and the values ​​will be correctly translated to SQL Server.

, , , , (, bidDueDate?, thisQuery, ?).

, , # , ( ).

. MSDN (SqlCommand.Parameters).

+11

, :

void SaveData(string projectName, DateTime biddingDueDate, string status, DateTime projectStartDate, string assignedTo, int pointsWorth, string staffCredits)
{
    try
    {
        string connectionString = @"Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Customers.mdf;Integrated Security=True;User Instance=True";
        using (SqlConnection connection = new SqlConnection(connectionString))
        using (SqlCommand command = connection.CreateCommand())
        {
            command.CommandText = "INSERT INTO ProjectList (ProjectName, BiddingDueDate, Status, ProjectStartDate, ProjectEndDate, AssignedTo, PointsWorth, StaffCredits) VALUES (@projectName, @biddingDueDate, @status, @projectStartDate, @projectStartDate, @assignedTo, @pointsWorth, @staffCredits)";

            command.Parameters.AddWithValue("@projectName", projectName);
            command.Parameters.AddWithValue("@biddingDueDate", biddingDueDate);
            command.Parameters.AddWithValue("@status", status);
            command.Parameters.AddWithValue("@projectStartDate", projectStartDate);
            command.Parameters.AddWithValue("@assignedTo", assignedTo);
            command.Parameters.AddWithValue("@pointsWorth", pointsWorth);
            command.Parameters.AddWithValue("@staffCredits", staffCredits);

            connection.Open();
            command.ExecuteNonQuery();
        }
    }
    catch (SqlException ex)
    {
        Console.WriteLine(ex.Message);
    }

}

( ):

command.Parameters.AddWithValue("@biddingDueDate", biddingDueDate);

:

command.Parameters.Add("@biddingDueDate", System.Data.SqlDbType.DateTime).Value = biddingDueDate;

, (- ..) :

command.Parameters.Add("@biddingDueDate", System.Data.SqlDbType.DateTime).Value = biddingDueDate.ToString("yyyy-MM-dd"); // also you can use just yyyyMMdd
+7

TextBox, projName.Text, status.Text.

0

" ", " " ?

, .

0

, , , :

Console.WriteLine(thisQuery);

StringthisQuery=

, Db, , , .

0

ProjectStartDate , . :

String thisQuery = "INSERT INTO ProjectList (ProjectName, BiddingDueDate, Status, ProjectStartDate, ProjectEndDate, AssignedTo, PointsWorth, StaffCredits) VALUES ('"+projName+"', "+bidDueDate+", '"+status+"', "+projectStartDate+", "+projectEndDate+", '"+assignedTo+"', '"+pointsWorth+"', '"+aStaffCredits+"')";
-1

Source: https://habr.com/ru/post/1773217/

More articles:


All Articles