1. 首页
  2. 问答
  3. winform C#使用sql server 2008

winform C#使用sql server 2008

2014-02-19 62 views
0

我有一个数据库的问题我在c#中使用winform时,我通过表单创建名称列中的数据之前创建一个空间,所以我想删除它,任何人都可以帮我 name column has数据类型为varchar而接触不具有数字类型就不会创造空间之前winform C#使用sql server 2008

我的代码:

private void btnAddNew_Click(object sender, EventArgs e) 
{ 
     string Gender = ""; 

     if (radioButton1.Checked) 
     { 
      Gender = "Male"; 
     } 
     else if (radioButton2.Checked) 
     { 
      Gender = "Female"; 
     } 

     if (txtName.Text == "") 
     { 
      MessageBox.Show("Enter the customer name.", "Dairy Management System", MessageBoxButtons.OK, MessageBoxIcon.Stop); 
      txtName.Focus(); 
     } 
     else if (Gender == "") 
     { 
      MessageBox.Show("Enter the gender.", "Dairy Management System", MessageBoxButtons.OK, MessageBoxIcon.Stop); 
      grpGender.Focus(); 
     } 
     else if (txtAddress.Text == "") 
     { 
      MessageBox.Show("Enter the Address.", "Dairy Management System", MessageBoxButtons.OK, MessageBoxIcon.Stop); 
      txtAddress.Focus(); 
     } 
     else if (txtContact.Text == "") 
     { 
      MessageBox.Show("Enter Contact No.", "Dairy Management System", MessageBoxButtons.OK, MessageBoxIcon.Stop); 
      txtContact.Focus(); 
     } 
     else 
     { 
      SqlConnection con = new SqlConnection("Data Source=RANJEETMAURYA;Initial Catalog=Project;Integrated Security=True"); 
      con.Open(); 

      SqlCommand cmd = new SqlCommand(@"INSERT INTO CustomerDetails 
        (Date, Contact_No, Name, Gender, Address, Email_ID) 
VALUES(' " + this.dateTimePicker1.Value.ToString("MM/dd/yyyy") + " ',' " + txtName.Text + " ',' " + Gender + " ',' " + txtAddress.Text + " ',' " + txtContact.Text + " ',' " + txtEmail.Text + " ')", con); 
      cmd.ExecuteNonQuery(); 
      con.Close(); 
      MessageBox.Show("Customer Information Added Successfully.", "Dairy Management System", MessageBoxButtons.OK, MessageBoxIcon.Information); 
      SQLFunctions.Refresh(this.dataGridView1); 
      clear(); 
     } 
}

来源

2014-02-19 user3327117

+0

可以显示的代码,你试过吗?表单中的输入是否已获得空间,或者您认为它是按照您的说法添加的? – owen79

+0

如果你能展示一个例子,可能会有所帮助。它不清楚你的意思。 – Fred

+2

[SQL注入警报](http://msdn.microsoft.com/en-us/library/ms161953%28v=sql.105%29.aspx) - 你应该**不**连接你的SQL语句 - 使用**参数化查询**,而不是为了避免SQL注入 –

回答

1

问题:你增加额外的空间,而在INSERT INTO声明如下提供的参数值:

 | 
     | 
     > 
VALUES(' " + this.dateTimePicker1.Value.ToString("MM/dd/yyyy") + " ',' " + txtName.Text  
+ " ',' " + Gender + " ',' " + txtAddress.Text + " ',' " + txtContact.Text + " ',' " +  
txtEmail.Text + " ')", con);

建议:查询是开放的SQL注入攻击的攻击,所以我会建议你使用参数化的查询,以避免它们。

试试这个:使用Parameterised Queries

替换此:

SqlCommand cmd = new SqlCommand(@"INSERT INTO CustomerDetails 
(Date, Contact_No, Name, Gender, Address, Email_ID) 
VALUES(' " + this.dateTimePicker1.Value.ToString("MM/dd/yyyy") + " ',' " + txtName.Text + " ',' " + Gender + " ',' " + txtAddress.Text + " ',' " + txtContact.Text + " ',' " + txtEmail.Text + " ')", con);

这一点:

SqlCommand cmd = new SqlCommand(@"INSERT INTO CustomerDetails 
    (Date, Contact_No, Name, Gender, Address, Email_ID) 
    VALUES(@Date,@Contact,,@Name,@Gender,@Address,@Email)", con); 

cmd.Parameters.AddWithValue("@Date",this.dateTimePicker1.Value.ToString("MM/dd/yyyy")); 
cmd.Parameters.AddWithValue("@Contact",txtContact.Text); 
cmd.Parameters.AddWithValue("@Name",txtName.Text); 
cmd.Parameters.AddWithValue("@Gender",Gender); 
cmd.Parameters.AddWithValue("@Address", txtAddress.Text); 
cmd.Parameters.AddWithValue("@Email", txtEmail.Text);

来源

2014-02-19 08:39:12

+0

,但我如何使用它我已经写了我的代码 – user3327117

+0

@ user3327117:检查我编辑的答案 –

0

空格去掉

" ',' " + txtName.Text.Trim() + " ',' " + Gender + " ',' " 


"','" + txtName.Text.Trim() + "','" + Gender + "','"

但你最好删除所有这些字符串连接并开始使用SQL参数在该行

VALUES(' " + this.dateTimePicker1.Value.ToString("MM/dd/yyyy") + " ',' " + txtName.Text + " ',' " + Gender + " ',' " + txtAddress.Text + " ',' " + txtContact.Text + " ',' " + txtEmail.Text + " ')", con);

你已经把一个空间之前和单引号后

来源

2014-02-19 08:43:59 Damith

0

的样子。例如

' " + this.dateTimePicker1.Value.ToString("MM/dd/yyyy") + " ',

其实你已经指定后的空间,所有的赋值之前。

顺便说一句,这不是插入/更新/删除数据库操作的好方法。您应该使用括号查询。

SqlCommand Cmd = Connection.CreateCommand(); 
Cmd.CommandText = "Insert Into [TableName](Column1,Column2,Column3)Values(@Column1,Column2,Column3)"; 
Cmd.Parameters.Add("@@Column1", SqlDbType.Int).Value = 1; 
Cmd.Parameters.Add("@@Column1", SqlDbType.Varchar).Value = "Shell"; 
Cmd.Parameters.Add("@@Column1", SqlDbType.SmallDateTime).Value = System.DateTime.Now; 
Cmd.ExecuteNonQuery();

来源

2014-02-19 08:45:56 Shell

0

“'”之后有一些额外的空格。删除它们,因为它会直接插入到数据库中。

使用此:

SqlCommand cmd = new SqlCommand(@"INSERT INTO CustomerDetails 
        (Date, Contact_No, Name, Gender, Address, Email_ID) 
VALUES('" + this.dateTimePicker1.Value.ToString("MM/dd/yyyy") + "','" + txtName.Text + "','" + Gender + "','" + txtAddress.Text + "','" + txtContact.Text + "','" + txtEmail.Text + "')", con); 
      cmd.ExecuteNonQuery(); 
      con.Close(); 
      MessageBox.Show("Customer Information Added Successfully.", "Dairy Management System", MessageBoxButtons.OK, MessageBoxIcon.Information); 
      SQLFunctions.Refresh(this.dataGridView1); 
      clear();

来源

2014-02-19 08:48:08

相关问题

 相关问题