How do I run SQL code using C# 3.5?

Time: 2020-12-05 20:55:36

I have an HTML textbox that contains some SQL code that I need executed. I am able to retrieve the actual code from the textbox but I am not sure how to go about executing the code. Any simple and elegant ways using C# 3.5?

6 solutions

#1


DON'T EXECUTE CODE FROM A TEXTBOX

unless you really trust what is being entered.

If you do, use this:

using System.Data.SqlClient;

// Runs whatever the textbox contains, verbatim, against the database.
using (SqlConnection con = new SqlConnection("Your connection string"))
using (SqlCommand cmd = new SqlCommand(TextBox1.Text, con))
{
    con.Open();
    cmd.ExecuteNonQuery();
}

Note that this will not return anything, just run the query. If you want to return data, you need a SqlDataAdapter or SqlDataReader.

#2


How do I run SQL code using C# 3.5?

#3


It depends on the type of database you want to execute it against. If I can assume you want to talk to a SQL Server database, look at the following classes:

#4


Create a SqlCommand with the CommandText from your textbox.

#5


I wouldn't recommend it, but if you do, at least validate that the SQL entered starts with SELECT and does not contain any semi-colons (;) or comment characters (-- and /*).
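The validation this answer describes, together with the execution side it implies, as an added example that is not from the answer or the original page; the ReadOnlyQueryRunner class, the connection string, the 10-second timeout and the row cap are assumptions:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Hypothetical helper (added example): syntactic check from the answer, then execution.
static class ReadOnlyQueryRunner
{
    // True only for text that starts with SELECT and carries no ';', '--' or '/*'.
    public static bool LooksLikeSingleSelect(string sql)
    {
        if (string.IsNullOrEmpty(sql)) return false;
        string trimmed = sql.Trim();
        if (!Regex.IsMatch(trimmed, @"^SELECT\b", RegexOptions.IgnoreCase)) return false;
        return trimmed.IndexOf(';') < 0
            && trimmed.IndexOf("--", StringComparison.Ordinal) < 0
            && trimmed.IndexOf("/*", StringComparison.Ordinal) < 0;
    }

    // Executes an accepted statement with a timeout and a row cap (assumed values),
    // so a runaway query cannot tie up the server or the page.
    public static DataTable RunSelect(string connectionString, string sql, int maxRows)
    {
        if (!LooksLikeSingleSelect(sql))
            throw new ArgumentException("Only a single SELECT statement is accepted.");
        DataTable table = new DataTable();
        using (SqlConnection connection = new SqlConnection(connectionString))
        using (SqlCommand command = new SqlCommand(sql, connection))
        using (SqlDataAdapter adapter = new SqlDataAdapter(command))
        {
            command.CommandType = CommandType.Text;
            command.CommandTimeout = 10;          // seconds
            adapter.Fill(0, maxRows, table);      // opens and closes the connection itself
        }
        return table;
    }

    static void Main()
    {
        // Constructed sample inputs; the check runs without any database.
        string[] samples = {
            "SELECT Id, Name FROM Products WHERE Price > 10",
            "SELECT 1; SELECT 2",
            "SELECT 1 -- trailing comment",
            "UPDATE Products SET Price = 0"
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-5} {1}", LooksLikeSingleSelect(s), s);
    }
}
```

The filter is purely syntactic: an accepted SELECT can still read any table the login can see, so the connection string should point at a login restricted to the intended tables.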

#6


here's a little (untested, because typed right in the SO textbox) sample code:

using System.Data;
using System.Data.SqlClient;

namespace MyGreatNamespace
{
    class MyGreatClass
    {
        // Supplied by the application's configuration.
        static string myConnectionString = "Your connection string";

        static public DataTable executeTable( string query )
        {
            return executeTable( query, null, null );
        }

        // Runs the query as a parameterized command and returns the first result set.
        static public DataTable executeTable( string query, string[] parameters, object[] values )
        {
            DataTable myTable = new DataTable();
            using ( SqlConnection connection = new SqlConnection( myConnectionString ) )
            using ( SqlCommand command = new SqlCommand( query, connection ) )
            {
                command.CommandType = CommandType.Text;

                // Bind parameters only when both arrays are present and the same length.
                if ( parameters != null && values != null && parameters.Length == values.Length )
                {
                    for ( int i = 0; i < parameters.Length; i++ )
                    {
                        command.Parameters.AddWithValue( parameters[i], values[i] );
                    }
                }

                using ( SqlDataAdapter adapter = new SqlDataAdapter( command ) )
                {
                    adapter.Fill( myTable );  // opens and closes the connection itself
                }
            }
            return myTable;
        }
    }
}
