2014-12-05 145 views
1

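Inserting into a SQL database in C#

I want to insert into a SQL database from my C# application.

I read some documentation and came up with what I thought would work. What actually happens is that when the user enters their data and presses the submit button, the application freezes for a moment and then gives me a "SqlException" that mentions something about not being able to connect.

I'm not sure whether I'm using the connection string correctly, so I'm asking for help.

These are the methods I use to build the query and make the connection: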

private void btn_Submit_Click(object sender, EventArgs e) 
{ 
    if (isValidData()) 
    { 
     //MessageBox.Show("Valid", "All Entries Were Valid!"); 

     //CONVERT FORM VALUES AND STORE IN VARIABLES TO SEND TO MYSQL QUERY 
     DateTime saleTime = saleDatePicker.Value; 
     Decimal price = Convert.ToDecimal(txt_Price.Text); 
     string customerName = txt_CustomerName.Text; 
     string customerPhone = txt_CustomerPhone.Text; 
     string description = rTxt_Description.Text; 

     //Build Query string 
     string query = "INSERT into SALES VALUES ('" + saleTime + "','" + 
      price + "','" + customerName + "','" + customerPhone + "','" + 
      description + "');"; 

     insertValues(query); 

    } 
} 
private void insertValues(string q) 
{ 
    SqlConnection sqlConnection1 = new SqlConnection("Server=host;Database=dbname;User Id=username;Password=password;"); 
    SqlCommand cmd = new SqlCommand(); 
    SqlDataReader reader; 

    cmd.CommandText = q; 
    cmd.CommandType = CommandType.Text; 
    cmd.Connection = sqlConnection1; 

    sqlConnection1.Open(); 

    reader = cmd.ExecuteReader(); 
    // Data is accessible through the DataReader object here. 

    sqlConnection1.Close(); 
} 


+0

Is "host" the name of the server (the name of the machine where SQL Server is installed)? – Steve 2014-12-05 08:32:49

+0

No, that is just me censoring it. The host is a godaddy server, in the form something.db.11420661.hostedresource.com – user2962806 2014-12-05 08:35:45

+0

We need the actual exception; please post it and I'll check it out. – 2014-12-05 08:37:33

Answers

6

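I don't know about your connection string, but seeing that your question is tagged with MySQL, you need to use different classes to "talk" to MySql. The ones you are using now are meant for working with Microsoft Sql Server.

You need to change SqlConnection, SqlCommand and SqlDataReader to their MySQL counterparts named MySqlConnection, MySqlCommand and MySqlDataReader. These classes are available after you download and install the MySql NET/Connector, then set a reference to MySql.Data.Dll and add using MySql.Data.MySqlClient; to your project.

As for the connection string for MySql, you also need to follow the rules and use the keywords as explained in this site

These are the basic steps to give your program a chance of working, but there is a big problem here. It is called string concatenation in sql commands, and this habit leads directly to the Sql Injection vulnerability

You need to change your code to something like this: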

private void btn_Submit_Click(object sender, EventArgs e) 
{ 
    if (isValidData()) 
    { 

     //CONVERT FORM VALUES AND STORE IN VARIABLES TO SEND TO MYSQL QUERY 
     DateTime saleTime = saleDatePicker.Value; 
     Decimal price = Convert.ToDecimal(txt_Price.Text); 
     string customerName = txt_CustomerName.Text; 
     string customerPhone = txt_CustomerPhone.Text; 
     string description = rTxt_Description.Text; 

     // Create the query using parameter placeholders, not the actual stringized values.... 
     string query = "INSERT into SALES VALUES (@stime, @price, @cname,@cphone,@cdesc)"; 

     // Create a list of parameters with the actual values with the placeholders names 
     // Pay attention to the Size value for string parameters, you need to change it 
     // accordingly to your fields size on the database table. 
     List<MySqlParameter> prms = new List<MySqlParameter>() 
     { 
      new MySqlParameter {ParameterName="@stime", MySqlDbType=MySqlDbType.DateTime, Value = saleTime }, 
      new MySqlParameter {ParameterName="@price", MySqlDbType=MySqlDbType.Decimal, Value = price }, 
      new MySqlParameter {ParameterName="@cname", MySqlDbType=MySqlDbType.VarChar, Value = customerName, Size = 150 }, 
      new MySqlParameter {ParameterName="@cphone", MySqlDbType=MySqlDbType.VarChar, Value = customerPhone , Size = 150 }, 
      // The name must match the @cdesc placeholder used in the query text above.
      new MySqlParameter {ParameterName="@cdesc", MySqlDbType=MySqlDbType.VarChar, Value = description , Size = 150 } 
     }; 

     // Pass query and parameters to the insertion method. 
     // get the return value. if it is more than zero you are ok.. 
     int result = insertValues(query, prms); 
     // if(result > 0) 
     // .... insertion ok .... 
    } 
} 

private int insertValues(string q, List<MySqlParameter> parameters) 
{ 
    using(MySqlConnection con = new MySqlConnection(....)) 
    using(MySqlCommand cmd = new MySqlCommand(q, con)) 
    { 
     con.Open(); 
     cmd.Parameters.AddRange(parameters.ToArray()); 
     int rowsInserted = cmd.ExecuteNonQuery(); 
     return rowsInserted; 
    } 
} 
+0

OK. Now this looks like the right direction. I downloaded and installed the connector. Where do I reference the DLL? – user2962806 2014-12-05 08:45:31

+0

It can be installed with nuget https://www.nuget.org/packages?q=Tags%3A%22Connector%2FNET%22 – 2014-12-05 08:47:30

+0

Thank you very much. That was indeed the problem, and my rows are now inserted correctly. Thanks again. – user2962806 2014-12-05 08:53:13
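
To illustrate the string-concatenation problem the answer describes, the following is an added example (not code from the question or the answer). It rebuilds the question's concatenated statement for constructed sample values under two cultures and shows that an ordinary apostrophe in a name, or the thread's culture, changes the SQL text itself. The class name ConcatVsParameters and the helper CountLiterals are hypothetical, and the literal check is simplified (it only knows the doubled-quote escape).

```csharp
using System;
using System.Globalization;

static class ConcatVsParameters
{
    // Same concatenation as the question's btn_Submit_Click; DateTime and
    // decimal are converted with the current thread culture.
    static string BuildConcatenated(DateTime saleTime, decimal price,
        string name, string phone, string description) =>
        "INSERT into SALES VALUES ('" + saleTime + "','" + price + "','" +
        name + "','" + phone + "','" + description + "');";

    // Hypothetical, simplified check: counts complete '...' literals in the
    // statement text and returns -1 when a literal is left open.
    // A doubled quote ('') inside a literal is treated as an escaped quote.
    static int CountLiterals(string sql)
    {
        int count = 0;
        bool inside = false;
        for (int i = 0; i < sql.Length; i++)
        {
            if (sql[i] != '\'') continue;
            if (inside && i + 1 < sql.Length && sql[i + 1] == '\'') { i++; continue; }
            inside = !inside;
            if (!inside) count++;
        }
        return inside ? -1 : count;
    }

    static void Main()
    {
        var when = new DateTime(2014, 12, 5, 8, 32, 49);   // constructed sample values
        foreach (string name in new[] { "Smith", "O'Brien" })
            foreach (string culture in new[] { "en-US", "de-DE" })
            {
                CultureInfo.CurrentCulture = new CultureInfo(culture);
                string sql = BuildConcatenated(when, 12.50m, name, "555-0100", "oak table");
                // Five literals means the five values kept their boundaries;
                // -1 means user data has spilled into the statement structure.
                Console.WriteLine($"{culture,-6} {name,-8} literals={CountLiterals(sql),2}  {sql}");
            }

        // With placeholders the SQL text is a constant; values travel separately as parameters.
        Console.WriteLine("INSERT into SALES VALUES (@stime, @price, @cname, @cphone, @cdesc)");
    }
}
```

The "Smith" rows keep five intact literals but the date and price text differ between cultures, while the "O'Brien" rows report -1 because the apostrophe ends the name literal early.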