在SQL数据库中插入并更新日期时间

Strah Behry 发表于 Dev

贝里的恐惧

private void ButtonOk_Click(object sender, EventArgs e)
    {
        if (txtWedstrijdSchemaID.Text == "")
        {
            //Insert
            string SQL;
            SQL = "Insert into Wedstrijdschema (Team1, Team2, Datum)";
            SQL += " values (";
            SQL += "" + txtTeam1.Text + ",";
            SQL += "" + txtTeam2.Text + ",";
            SQL += "" + Convert.ToDateTime(txtDatum.Text) + "";
            SQL += ")";

            clDatabase.ExecuteCommand(SQL);
            vulLv();
        }
        else
        {
            //Update
            string SQL;
            SQL = "Update Wedstrijdschema SET ";
            SQL += "Team1 = " + txtTeam1.Text + ",";
            SQL += "Team2 = " + txtTeam2.Text + ",";
            SQL += "Datum = " + Convert.ToDateTime(txtDatum.Text) + "";
            SQL += " where SchemaId = " + zoek;

            clDatabase.ExecuteCommand(SQL);
            vulLv();
        }
        txtDatum.Enabled = txtTeam2.Enabled = txtTeam1.Enabled = false;
    }

这就是我目前所拥有的，因为尝试了trycatch，如果我在// insert上注释掉txtDatum.Text并//上传它，它不会崩溃（但显然在数据库中为Datum输入NULL）也许有人看到我要去哪里了吗？

编辑：关于参数的使用，我们需要使用三层系统，其中所有SQL都通过一个类，这是唯一允许对数据库执行任何操作的类，这是命令的执行方式：

public static bool ExecuteCommand(string SQLInstructie)
        {
            bool retour = true;
            SqlConnection Conn = new SqlConnection(clStam.Connstr);
            SqlCommand Cmd = new SqlCommand(SQLInstructie, Conn);

            try
            {
                Cmd.Connection.Open();
                Cmd.ExecuteNonQuery();
            }
            catch
            {
                retour = false;
            }
            finally
            {
                Conn.Close();
            }
            return retour;
        }

这有效！！非常感谢您的帮助：

private void ButtonOk_Click(object sender, EventArgs e)
        {
            if (txtWedstrijdSchemaID.Text == "")
            {
                //Insert

                string SQL;
                SQL = "Insert into Wedstrijdschema (Team1, Team2, Datum)";
                SQL += " values (";
                SQL += "" + txtTeam1.Text + ",";
                SQL += "" + txtTeam2.Text + ",";
                SQL += "'" + Convert.ToDateTime(txtDatum.Text) + "'";
                SQL += ")";
                Debug.WriteLine(SQL);
                clDatabase.ExecuteCommand(SQL);
                vulLv();
            }
            else
            {
                //Update
                string SQL;
                SQL = "Update Wedstrijdschema SET ";
                SQL += "Team1 = " + txtTeam1.Text + ",";
                SQL += "Team2 = " + txtTeam2.Text + ",";
                SQL += "Datum = '" + Convert.ToDateTime(txtDatum.Text) + "'";
                SQL += " where SchemaId = " + zoek;

                clDatabase.ExecuteCommand(SQL);
                vulLv();
            }
            txtDatum.Enabled = txtTeam2.Enabled = txtTeam1.Enabled = false;
        }

编辑：我保证从现在开始使用参数化SQL！

达伦

你缺少一个命令,从INSERT和UPDATE声明。

将数据插入数据库的语法为：

 INSERT INTO Table 
        (Column1, Column2, Column3) 
 VALUES
        ('Value 1', 'Value 2', 'Value3')

除此之外，您还容易受到攻击SQL injection，请使用SQL参数化查询来防止这种情况。

首先，我将使用一个SqlCommand对象。

SqlCommand cmd = new SqlCommand("INSERT INTO Wedstrijdschema (Team1, Team2, Datum) VALUES (@V1, @V2, @V3");

cmd.Parameters.AddWithValue("@V1", txtTeam1.Text);
cmd.Parameters.AddWithValue("@V2", txtTeam2.Text);
cmd.Parameters.AddWithValue("@V3", Convert.ToDateTime(txtDatum.Text));

然后使用执行 cmd.ExecuteNonQuery();

另外，我还要确保中的值txtDatum正确转换为所需的日期格式。

本文收集自互联网，转载请注明来源。

如有侵权，请联系[email protected] 删除。