How do I insert data into a SQL table and implement upload functionality using C#?

Time: 2022-09-02 13:48:30

Below is the code I am working with to try to insert data into my 'ArticlesTBL' table. I also want to upload an image file to my computer. Previously I was working in Visual Studio just with the data controls within my .aspx file to insert data, so trying to do this in C# is new to me. Any help would really be appreciated. Thanks.

I am getting an error reading: Incorrect syntax near 'UploadedUserFiles'.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.IO;
using System.Data;
using System.Data.SqlClient;
using System.Web.Configuration;

public partial class _CopyOfSubmitArticle : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{

}

protected void uploadbutton_Click(object sender, EventArgs e)
{
    string UpPath = Server.MapPath("~/UploadedUserFiles");

        int imgSize = FileUpload1.PostedFile.ContentLength;
        string imgName = FileUpload1.FileName;
        string imgPath = "UploadedUserFiles/" + imgName;

        if (FileUpload1.PostedFile.ContentLength > 1000000)
        {
            Page.ClientScript.RegisterClientScriptBlock(typeof(Page), "Alert", "alert('File is too big')", true);
        }

        else
        {
            FileUpload1.SaveAs(Server.MapPath(imgPath));
            myinfo.Text = "file" + imgPath + "uploaded.";
        }



    String connectionString = WebConfigurationManager.ConnectionStrings["ConnectAntiFrack"].ConnectionString;

    SqlConnection myConnection = new SqlConnection(connectionString);

    myConnection.Open();

    string ArticleImg = "UploadedUserFiles/" + FileUpload1.FileName;
    string ArticleTitle = ArticleTitleTextBox.Text;
    string ArticleContent = ArticleContentTextBox.Text;
    string ArticleType = ArticleTypeDropdown.Text.ToString();
    string ArticleAuthor = ArticleAuthorTextBox.Text.ToString();
    string ArticleBrief = ArticleBriefTextBox.Text;
    string ArticleDateTime = DateTime.Now.ToShortTimeString();

    string query = "INSERT INTO ArticlesTBL (ArticleTitle, ArticleContent, ArticleType, ArticleImg, ArticleBrief,  ArticleDateTime, ArticleAuthor, ArticlePublished, ArticleHomeDisplay, ArticleViews) VALUES (" + ArticleTitle +", " + ArticleContent +", "+ ArticleType +" " + ArticleImg +", "+ ArticleBrief +"," + ArticleDateTime + ", "+ ArticleAuthor +",'False', 'False', '0')";

    SqlCommand myCommand = new SqlCommand(query, myConnection);

    myCommand.ExecuteNonQuery();

    //       myinfo.Text = "connection to db is made";
    myConnection.Close();

}
}

2 Solutions

#1


29  

You should use parameters in your query to prevent attacks, like if someone entered '); drop table ArticlesTBL;--' as one of the values.

string query = "INSERT INTO ArticlesTBL (ArticleTitle, ArticleContent, ArticleType, ArticleImg, ArticleBrief,  ArticleDateTime, ArticleAuthor, ArticlePublished, ArticleHomeDisplay, ArticleViews)";
query += " VALUES (@ArticleTitle, @ArticleContent, @ArticleType, @ArticleImg, @ArticleBrief, @ArticleDateTime, @ArticleAuthor, @ArticlePublished, @ArticleHomeDisplay, @ArticleViews)";

SqlCommand myCommand = new SqlCommand(query, myConnection);
myCommand.Parameters.AddWithValue("@ArticleTitle", ArticleTitleTextBox.Text);
myCommand.Parameters.AddWithValue("@ArticleContent", ArticleContentTextBox.Text);
// ... other parameters
myCommand.ExecuteNonQuery();

(xkcd)
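
The difference between the question's concatenated INSERT and the parameterized form suggested in answer #1, as an added example that is not code from the original post or its answers. The sample values are constructed, and the column types and sizes are assumptions because the page does not show the ArticlesTBL schema.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example; sample values are constructed, column types and sizes are assumptions.
static class InsertDemo
{
    const string Cols = "ArticleTitle, ArticleContent, ArticleType, ArticleImg, ArticleBrief, " +
        "ArticleDateTime, ArticleAuthor, ArticlePublished, ArticleHomeDisplay, ArticleViews";

    // The question's construction: values pasted in unquoted, no comma after ArticleType.
    static string Concatenated(string title, string content, string type, string img,
                               string brief, string when, string author)
    {
        return "INSERT INTO ArticlesTBL (" + Cols + ") VALUES (" + title + ", " + content + ", "
            + type + " " + img + ", " + brief + "," + when + ", " + author + ",'False', 'False', '0')";
    }

    // Parameterized form: the SQL text is constant and the values travel separately as typed data.
    // Assign cmd.Connection to an open SqlConnection before calling ExecuteNonQuery().
    static SqlCommand Parameterized(string title, string content, string type, string img,
                                    string brief, DateTime when, string author)
    {
        var cmd = new SqlCommand("INSERT INTO ArticlesTBL (" + Cols + ") VALUES (@ArticleTitle, " +
            "@ArticleContent, @ArticleType, @ArticleImg, @ArticleBrief, @ArticleDateTime, " +
            "@ArticleAuthor, @ArticlePublished, @ArticleHomeDisplay, @ArticleViews)");
        cmd.Parameters.Add("@ArticleTitle", SqlDbType.NVarChar, 200).Value = title;
        cmd.Parameters.Add("@ArticleContent", SqlDbType.NVarChar, -1).Value = content; // -1 = MAX
        cmd.Parameters.Add("@ArticleType", SqlDbType.NVarChar, 50).Value = type;
        cmd.Parameters.Add("@ArticleImg", SqlDbType.NVarChar, 260).Value = img;
        cmd.Parameters.Add("@ArticleBrief", SqlDbType.NVarChar, 500).Value = brief;
        cmd.Parameters.Add("@ArticleDateTime", SqlDbType.DateTime).Value = when;
        cmd.Parameters.Add("@ArticleAuthor", SqlDbType.NVarChar, 100).Value = author;
        cmd.Parameters.Add("@ArticlePublished", SqlDbType.Bit).Value = false;
        cmd.Parameters.Add("@ArticleHomeDisplay", SqlDbType.Bit).Value = false;
        cmd.Parameters.Add("@ArticleViews", SqlDbType.Int).Value = 0;
        return cmd;
    }

    static void Main()
    {
        // Constructed input; the apostrophes in the title are ordinary user text.
        string title = "O'Brien's report", img = "UploadedUserFiles/photo.jpg";
        Console.WriteLine(Concatenated(title, "Body", "News", img, "Brief", "13:48", "Ann"));
        using (SqlCommand cmd = Parameterized(title, "Body", "News", img, "Brief", DateTime.Now, "Ann"))
        {
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine("{0} ({1}) = {2}", p.ParameterName, p.SqlDbType, p.Value);
        }
    }
}
```

The first line printed shows the values sitting unquoted in the statement, with `News` and `UploadedUserFiles/photo.jpg` adjacent because of the missing comma, which is the token named in the question's error; in the parameterized output the title's apostrophes never enter the SQL text.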

#2


2  

using System;
using System.Data;
using System.Data.SqlClient;

namespace InsertingData
{
    class sqlinsertdata
    {
        static void Main(string[] args)
        {
            try
            {
                // Open a connection to the database
                SqlConnection conn = new SqlConnection("Data source=USER-PC; Database=Emp123;User Id=sa;Password=sa123");
                conn.Open();
                // <Table Name> is a placeholder for the target table
                SqlCommand cmd = new SqlCommand("insert into <Table Name> values(1,'nagendra',10000);", conn);
                cmd.ExecuteNonQuery();
                Console.WriteLine("Inserting Data Successfully");
                conn.Close();
            }
            catch (Exception e)
            {
                Console.WriteLine("Exception occurred while inserting data:" + e.Message + "\t" + e.GetType());
            }
            Console.ReadKey();
        }
    }
}
