Inserting new row in sql database table

I have textBoxes in my application. The data entered in those textBoxes are to be inserted in the database. The commandString accepts string type only. So, how can I implement the insert statement?

string cmdString="INSERT INTO books (name,author,price) VALUES (//what to put in here?)"

Do I need to join the cmdString with textBox.Text for each value or is there a better alternative available?

标签： c# .net sql insert

2条回答

祖国的老花朵

2楼-- · 2020-06-04 12:31

use Command and Parameter to prevent from SQL Injection

// other codes
string cmdString="INSERT INTO books (name,author,price) VALUES (@val1, @va2, @val3)";
using (SqlCommand comm = new SqlCommand())
{
    comm.CommandString = cmdString;
    comm.Parameters.AddWithValue("@val1", txtbox1.Text);
    comm.Parameters.AddWithValue("@val2", txtbox2.Text);
    comm.Parameters.AddWithValue("@val3", txtbox3.Text);
    // other codes.
}

full code:

string cmdString="INSERT INTO books (name,author,price) VALUES (@val1, @va2, @val3)";
string connString = "your connection string";
using (SqlConnection conn = new SqlConnection(connString))
{
    using (SqlCommand comm = new SqlCommand())
    {
        comm.Connection = conn;
        comm.CommandString = cmdString;
        comm.Parameters.AddWithValue("@val1", txtbox1.Text);
        comm.Parameters.AddWithValue("@val2", txtbox2.Text);
        comm.Parameters.AddWithValue("@val3", txtbox3.Text);
        try
        {
            conn.Open();
            comm.ExecuteNonQuery();
        }
        Catch(SqlException e)
        {
            // do something with the exception
            // don't hide it
        }
    }
}

0人赞添加讨论(0) 举报