使用參數化查詢是更具可讀性和推薦的方式。
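try
{
    // One parameterized UPDATE per grid row. Cell values are bound as typed
    // SqlParameters, so nothing from the grid is spliced into the SQL text.
    // (The original text had "ItemName=@ItemName" mangled into an e-mail placeholder.)
    const string sql =
        "UPDATE [dbo].[Pharmacy_Items] " +
        "SET Quantity = Quantity + @Quantity, Sold = Sold - @Sold " +
        "WHERE ItemName = @ItemName";

    mycon.Open();
    try
    {
        // Index the rows with the loop counter; the separate y counter was redundant.
        for (int i = 0; i < dataGridView1.Rows.Count; i++)
        {
            var row = dataGridView1.Rows[i];

            using (SqlCommand cmd = new SqlCommand(sql, mycon))
            {
                cmd.CommandType = CommandType.Text;
                // Quantity and Sold both read column 4: the same amount is added back
                // to stock and subtracted from Sold. Column 1 carries the item name.
                // Confirm both against the grid's actual column layout.
                cmd.Parameters.Add(new SqlParameter("@Quantity", SqlDbType.Int) { Value = row.Cells[4].Value });
                cmd.Parameters.Add(new SqlParameter("@Sold", SqlDbType.Int) { Value = row.Cells[4].Value });
                cmd.Parameters.Add(new SqlParameter("@ItemName", SqlDbType.VarChar) { Value = row.Cells[1].Value });
                cmd.ExecuteNonQuery();
            }
        }
    }
    finally
    {
        // Close even when an UPDATE throws; the original only closed on success,
        // leaving the connection open for whatever catch block follows.
        mycon.Close();
    }
}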
或者，更好的做法是在 SQL 端編寫一個存儲過程，並從您的 C# 代碼中以參數化方式調用該存儲過程，以防止 SQL 注入。
SQL
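-- Adds @Quantity back to stock and subtracts @Sold from the sold count
-- for the single item named @ItemName. Callers bind the three values as
-- typed parameters (see the C# snippet), so no SQL text is built from input.
-- (The original text had "Quantity + @Quantity" and "ItemName = @ItemName"
-- mangled into e-mail placeholders.)
CREATE PROCEDURE EditPharmacyItems
    @Quantity INT,
    @Sold INT,
    @ItemName VARCHAR(MAX)
AS
BEGIN
    -- Suppress the "(n rows affected)" message; the caller only needs the return count.
    SET NOCOUNT ON;

    UPDATE Pharmacy_Items
    SET Quantity = Quantity + @Quantity,
        Sold = Sold - @Sold
    WHERE ItemName = @ItemName;
END
GO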
C#
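try
{
    // Parameterized call of the stored procedure. Cell values are bound as typed
    // SqlParameters and never concatenated into the command text.
    const string procedureName = "[dbo].[EditPharmacyItems]";

    mycon.Open();
    try
    {
        // Index the rows with the loop counter; the separate y counter was redundant.
        for (int i = 0; i < dataGridView1.Rows.Count; i++)
        {
            var row = dataGridView1.Rows[i];

            // Dispose each command (the inline-SQL snippet already does; this one did not).
            using (SqlCommand cmd = new SqlCommand(procedureName, mycon))
            {
                cmd.CommandType = CommandType.StoredProcedure;
                // Quantity and Sold both read column 4: the same amount is added back
                // to stock and subtracted from Sold. Column 1 carries the item name.
                // Confirm both against the grid's actual column layout.
                cmd.Parameters.Add(new SqlParameter("@Quantity", SqlDbType.Int) { Value = row.Cells[4].Value });
                cmd.Parameters.Add(new SqlParameter("@Sold", SqlDbType.Int) { Value = row.Cells[4].Value });
                cmd.Parameters.Add(new SqlParameter("@ItemName", SqlDbType.VarChar) { Value = row.Cells[1].Value });
                cmd.ExecuteNonQuery();
            }
        }
    }
    finally
    {
        // Close even when a call throws; the original only closed on success.
        mycon.Close();
    }
}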
使用參數化查詢。 –
@GordonLinoff 您能否用代碼示範一下？對不起，我是新手 :) –
@GordonLinoff 您能否用代碼示範一下？對不起，我是新手 :) –