如何将c#datetime变量插入SQL Server
代码如下:如何将c#datetime变量插入SQL Server,c#,asp.net,sql-server,sqlcommand,C#,Asp.net,Sql Server,Sqlcommand,代码如下: string ConnectionString= @"Data Source=localhost\SQLEXPRESS; Initial Catalog=notepad; Integrated Security=SSPI "; SqlConnection con = new SqlConnection(ConnectionString); con.Open(); string strEvent = TextBoxEvent.Text; string strDate = Calen
string ConnectionString= @"Data Source=localhost\SQLEXPRESS;
Initial Catalog=notepad; Integrated Security=SSPI ";
SqlConnection con = new SqlConnection(ConnectionString);
con.Open();
string strEvent = TextBoxEvent.Text;
string strDate = Calendar1.TodaysDate.ToShortDateString();
string strInsert = "insert into notepad (time, event) values (strDate, strEvent )";
SqlCommand cmd=new SqlCommand(strInsert, con);
cmd.ExecuteNonQuery();
SQL Server 2005中的时间是smalldatetime
运行此程序时,会出现如下错误:
string strInsert = "insert into notepad (time, event) values ("2010/05/22", strEvent )";
string ConnectionString= @"Data Source=localhost\SQLEXPRESS;
Initial Catalog=notepad; Integrated Security=SSPI ";
string sqlStatement = "INSERT INTO dbo.Notepad(time, event) VALUES (@Date, @Event)";
using(SqlConnection con = new SqlConnection(ConnectionString))
using(SqlCommand cmd = new SqlCommand(sqlStatement, con))
{
cmd.Parameters.Add("@Date", SqlDbType.DateTime).Value = Calendar1.TodaysDate;
cmd.Parameters.Add("@Event", SqlDbType.VarChar, 100).Value = TextBoxEvent.Text.Trim();
con.Open();
cmd.ExecuteNonQuery();
con.Close();
}
中不允许使用名称“strDate”
这个背景。有效表达式为
常量、常量表达式和
(在某些上下文中)变量。纵队
姓名是不允许的
但是如果我用2010/05/22
替换strDate
,如下所示:
string strInsert = "insert into notepad (time, event) values ("2010/05/22", strEvent )";
string ConnectionString= @"Data Source=localhost\SQLEXPRESS;
Initial Catalog=notepad; Integrated Security=SSPI ";
string sqlStatement = "INSERT INTO dbo.Notepad(time, event) VALUES (@Date, @Event)";
using(SqlConnection con = new SqlConnection(ConnectionString))
using(SqlCommand cmd = new SqlCommand(sqlStatement, con))
{
cmd.Parameters.Add("@Date", SqlDbType.DateTime).Value = Calendar1.TodaysDate;
cmd.Parameters.Add("@Event", SqlDbType.VarChar, 100).Value = TextBoxEvent.Text.Trim();
con.Open();
cmd.ExecuteNonQuery();
con.Close();
}
程序将正确运行
我对这个问题感到困惑,并向您寻求帮助。下面的陈述是错误的,因为您实际上包含了strDate而不是替换它的值
string strInsert = "insert into notepad (time, event) values (strDate, strEvent )";
你需要做的是写以下内容:
string strInsert = "insert into notepad (time, event) values ("+strDate+"," +strEvent+)";
这将在运行时用实际值替换strDate和strEvent
*但是不推荐这种方法,因为它容易受到SQL注入攻击*这里所说的所有方法都很好,但我更喜欢下面的方法,因为它比其他方法有优势
DataAccess DAB = new DataAccess();
ArrayList arrList = new ArrayList();
string SQL = " insert into notepad (time, event) values (?,?) ";
arrList.Add(new DataAccessBlock.DataAccess.Parameter("@time", DbType.DateTime, 30, ParameterDirection.Input, "", strDate ));
arrList.Add(new DataAccessBlock.DataAccess.Parameter("@event", DbType.String, 50, ParameterDirection.Input, "", strEvent ));
DAB.ExecuteScalar(SQL, CommandType.Text, arrList);
您应该使用参数化查询将数据插入SQL Server,并且应该将
SqlConnection
和SqlCommand
放入使用块中-尝试以下操作:
string strInsert = "insert into notepad (time, event) values ("2010/05/22", strEvent )";
string ConnectionString= @"Data Source=localhost\SQLEXPRESS;
Initial Catalog=notepad; Integrated Security=SSPI ";
string sqlStatement = "INSERT INTO dbo.Notepad(time, event) VALUES (@Date, @Event)";
using(SqlConnection con = new SqlConnection(ConnectionString))
using(SqlCommand cmd = new SqlCommand(sqlStatement, con))
{
cmd.Parameters.Add("@Date", SqlDbType.DateTime).Value = Calendar1.TodaysDate;
cmd.Parameters.Add("@Event", SqlDbType.VarChar, 100).Value = TextBoxEvent.Text.Trim();
con.Open();
cmd.ExecuteNonQuery();
con.Close();
}
此外,这是将数据库访问代码与UI代码(从文本框和日历控件检索数据)混合在一起-这是一种糟糕的做法-您应该将其分为两个步骤:
是的。首先避免将datetime值转换为字符串,这样可以避免各种问题。(还有,是的,使用参数。不幸的是,我只能+1)标准ADO.NET数据库提供程序无法使用
?
参数占位符-您需要使用命名参数,如@Date
和@Event
。警告:这将打开SQL注入攻击的大门!!您永远不应该只是将SQL语句连接在一起-而是使用参数化查询-始终!