C# 在SQL数据库中插入并更新日期时间
这就是我目前拥有的,因为有一个trycatch,如果我对txtdatam进行注释,它不会在我尝试时崩溃。//insert和//upload上的文本可以工作(但显然在数据库中为数据输入NULL),有人可能看到我哪里出错了吗 编辑:关于参数的使用,我们需要使用三层系统,其中所有SQL都通过一个类,该类是唯一允许对数据库执行任何操作的类,以下是命令的执行方式:C# 在SQL数据库中插入并更新日期时间,c#,sql,.net,database,tsql,C#,Sql,.net,Database,Tsql,这就是我目前拥有的,因为有一个trycatch,如果我对txtdatam进行注释,它不会在我尝试时崩溃。//insert和//upload上的文本可以工作(但显然在数据库中为数据输入NULL),有人可能看到我哪里出错了吗 编辑:关于参数的使用,我们需要使用三层系统,其中所有SQL都通过一个类,该类是唯一允许对数据库执行任何操作的类,以下是命令的执行方式: private void ButtonOk_Click(object sender, EventArgs e) { i
private void ButtonOk_Click(object sender, EventArgs e)
{
if (txtWedstrijdSchemaID.Text == "")
{
//Insert
string SQL;
SQL = "Insert into Wedstrijdschema (Team1, Team2, Datum)";
SQL += " values (";
SQL += "" + txtTeam1.Text + ",";
SQL += "" + txtTeam2.Text + ",";
SQL += "" + Convert.ToDateTime(txtDatum.Text) + "";
SQL += ")";
clDatabase.ExecuteCommand(SQL);
vulLv();
}
else
{
//Update
string SQL;
SQL = "Update Wedstrijdschema SET ";
SQL += "Team1 = " + txtTeam1.Text + ",";
SQL += "Team2 = " + txtTeam2.Text + ",";
SQL += "Datum = " + Convert.ToDateTime(txtDatum.Text) + "";
SQL += " where SchemaId = " + zoek;
clDatabase.ExecuteCommand(SQL);
vulLv();
}
txtDatum.Enabled = txtTeam2.Enabled = txtTeam1.Enabled = false;
}
这个有用!!非常感谢您的帮助:
public static bool ExecuteCommand(string SQLInstructie)
{
bool retour = true;
SqlConnection Conn = new SqlConnection(clStam.Connstr);
SqlCommand Cmd = new SqlCommand(SQLInstructie, Conn);
try
{
Cmd.Connection.Open();
Cmd.ExecuteNonQuery();
}
catch
{
retour = false;
}
finally
{
Conn.Close();
}
return retour;
}
编辑:我保证从现在开始使用参数化SQL 从datetime列中删除单引号。此外,在insert语句中还缺少要添加的列
private void ButtonOk_Click(object sender, EventArgs e)
{
if (txtWedstrijdSchemaID.Text == "")
{
//Insert
string SQL;
SQL = "Insert into Wedstrijdschema (Team1, Team2, Datum)";
SQL += " values (";
SQL += "" + txtTeam1.Text + ",";
SQL += "" + txtTeam2.Text + ",";
SQL += "'" + Convert.ToDateTime(txtDatum.Text) + "'";
SQL += ")";
Debug.WriteLine(SQL);
clDatabase.ExecuteCommand(SQL);
vulLv();
}
else
{
//Update
string SQL;
SQL = "Update Wedstrijdschema SET ";
SQL += "Team1 = " + txtTeam1.Text + ",";
SQL += "Team2 = " + txtTeam2.Text + ",";
SQL += "Datum = '" + Convert.ToDateTime(txtDatum.Text) + "'";
SQL += " where SchemaId = " + zoek;
clDatabase.ExecuteCommand(SQL);
vulLv();
}
txtDatum.Enabled = txtTeam2.Enabled = txtTeam1.Enabled = false;
}
您缺少
插入
和更新
语句中的命令,
将数据插入数据库的语法为:
private void ButtonOk_Click(object sender, EventArgs e)
{
if (txtWedstrijdSchemaID.Text == "")
{
//Insert
string SQL;
SQL = "Insert into Wedstrijdschema (Team1, Team2,**Datum**)";
SQL += " values (";
SQL += "" + txtTeam1.Text + ",";
SQL += "" + txtTeam2.Text + "";
SQL += "" + Convert.ToDateTime(txtDatum.Text) + "";
SQL += ")";
clDatabase.ExecuteCommand(SQL);
vulLv();
}
else
{
//Update
string SQL;
SQL = "Update Wedstrijdschema SET ";
SQL += "Team1 = " + txtTeam1.Text + ",";
SQL += "Team2 = " + txtTeam2.Text + "";
SQL += "Datum = " + Convert.ToDateTime(txtDatum.Text) + "";
SQL += " where SchemaId = " + zoek;
clDatabase.ExecuteCommand(SQL);
vulLv();
}
txtDatum.Enabled = txtTeam2.Enabled = txtTeam1.Enabled = false;
}
除此之外,您很容易受到SQL注入的影响,请使用SQL参数化查询来防止这种情况
首先,我将使用SqlCommand
对象
INSERT INTO Table
(Column1, Column2, Column3)
VALUES
('Value 1', 'Value 2', 'Value3')
然后使用cmd.ExecuteNonQuery()执行它代码>
作为补充说明,我还要确保将txtdatam
中的值正确转换为所需的日期格式。始终使用查询。字符串连接是sql注入的一种方式
SqlCommand cmd = new SqlCommand("INSERT INTO Wedstrijdschema (Team1, Team2, Datum) VALUES (@V1, @V2, @V3");
cmd.Parameters.AddWithValue("@V1", txtTeam1.Text);
cmd.Parameters.AddWithValue("@V2", txtTeam2.Text);
cmd.Parameters.AddWithValue("@V3", Convert.ToDateTime(txtDatum.Text));
使用ToString
以可接受的格式设置日期格式(并在作为字符串传递时用引号括起来):
您正在使用哪个数据库?SQL Server?MySQL?这将取决于预期日期的格式。查看参数,它们比手动构建SQL字符串要好得多。使用参数化语句,使用文本框中的“
运行代码,看看会发生什么。您应该始终使用。这种类型的字符串连接容易受到攻击。Convert.ToDateTime(txtdatam.Text)
可能不会给出正确的格式;它将变成19-6-2015 14:49:23
左右(ToString()被隐式调用)。因为您使用的是荷兰制,这取决于文化背景(别担心,我也是荷兰人)。您需要知道数据库对字符串的期望值,并调整格式代码>,请添加行Debug.WriteLine(SQL)代码>。检查输出窗口。SQL看起来怎么样?是的,我也注意到,这是在没有添加数据的情况下进行的测试。它仍然不起作用,因为…这是学校项目的一部分,我知道我应该始终以参数化方式进行,但我有点松懈,没有这样做。@Strahbery-这是一个很好的机会来更改实施,展示学校项目中的最佳实践,并希望获得更好的分数。@Strahbery-您收到错误消息吗?程序流是否输入catch语句?@StrahBehry-catch告诉您什么。。。它是日期的FormatException还是与SQL相关?找到它后,在SQL Management studio中尝试了debug.writeline(SQL)的查询;给了我,它告诉我在0:00:00附近有语法错误,所以我在datetime周围加了引号,然后就成功了。在C代码中添加了单引号。
private void ButtonOk_Click(object sender, EventArgs e)
{
if (txtWedstrijdSchemaID.Text == "")
{
SqlCommand cmd = new SqlCommand("Insert into Wedstrijdschema (Team1, Team2, Datum) values (@Team1,@Team2,@datetime)");
cmd.Parameters.AddWithValue("@Team1",txtTeam1.Text
cmd.Parameters.AddWithValue("@Team2",txtTeam2.Text
cmd.Parameters.AddWithValue("@datetime",Convert.ToDateTime(txtDatum.Text)
clDatabase.ExecuteCommand(SQL);
vulLv();
}
else
{
SqlCommand cmd = new SqlCommand("Update Wedstrijdschema SET Team1=@team1,Team2=@team2,Datum =@Datum where SchemaId=@SchemaId");
cmd.Parameters.AddWithValue("@team1",txtTeam1.Text );
cmd.Parameters.AddWithValue("@team2",txtTeam2.Text);
cmd.Parameters.AddWithValue("@Datum ",Convert.ToDateTime(txtDatum.Text);
cmd.Parameters.AddWithValue("@SchemaId",zoek);
clDatabase.ExecuteCommand(SQL);
vulLv();
}
txtDatum.Enabled = txtTeam2.Enabled = txtTeam1.Enabled = false;
}
string SQL;
SQL = "Insert into Wedstrijdschema (Team1, Team2, Datum)";
SQL += " values (";
SQL += "" + txtTeam1.Text + ",";
SQL += "" + txtTeam2.Text + ",";
SQL += "'" + Convert.ToDateTime(txtDatum.Text).ToString("yyyy-MM-dd HH:mm:ss") + "'";
SQL += ")";