2014-12-05 147 views
1

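Insert into SQL database in C#

I want to insert into a SQL database from my C# application.

I have read some documentation and came up with what I thought would work. In fact, when the user enters their data and presses the submit button, the application freezes for a moment and then gives me a "SqlException" that mentions something about not being able to connect.

I'm not sure whether I'm using the connection string correctly, so I'm asking for help.

These are the methods I use to build the query and make the connection: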

private void btn_Submit_Click(object sender, EventArgs e) 
{ 
    if (isValidData()) 
    { 
     //MessageBox.Show("Valid", "All Entries Were Valid!"); 

     //CONVERT FORM VALUES AND STORE IN VARIABLES TO SEND TO MYSQL QUERY 
     DateTime saleTime = saleDatePicker.Value; 
     Decimal price = Convert.ToDecimal(txt_Price.Text); 
     string customerName = txt_CustomerName.Text; 
     string customerPhone = txt_CustomerPhone.Text; 
     string description = rTxt_Description.Text; 

     //Build Query string 
     string query = "INSERT into SALES VALUES ('" + saleTime + "','" + 
      price + "','" + customerName + "','" + customerPhone + "','" + 
      description + "');"; 

     insertValues(query); 

    } 
} 
private void insertValues(string q) 
{ 
    SqlConnection sqlConnection1 = new SqlConnection("Server=host;Database=dbname;User Id=username;Password=password;"); 
    SqlCommand cmd = new SqlCommand(); 
    SqlDataReader reader; 

    cmd.CommandText = q; 
    cmd.CommandType = CommandType.Text; 
    cmd.Connection = sqlConnection1; 

    sqlConnection1.Open(); 

    reader = cmd.ExecuteReader(); 
    // Data is accessible through the DataReader object here. 

    sqlConnection1.Close(); 
} 


+0

Is "host" the name of the server (the name of the machine where SQL Server is installed)? – Steve 2014-12-05 08:32:49

+0

No, that is just where I censored it. The host is a GoDaddy server, in the form something.db.11420661.hostedresource.com – user2962806 2014-12-05 08:35:45

+0

We need the actual exception; please post it and I'll check it out. – 2014-12-05 08:37:33

Answers

6

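I don't know about your connection string, but seeing that your question is tagged with MySQL, you need to use different classes to "talk" to MySql. The ones you are using now are meant for working with Microsoft Sql Server.

You need to change SqlConnection, SqlCommand and SqlDataReader to their MySql counterparts named MySqlConnection, MySqlCommand and MySqlDataReader. These classes are available after you download and install the MySql NET/Connector, then set a reference to MySql.Data.Dll and add using MySql.Data.MySqlClient; to your project.

Regarding the connection string for MySql, you also need to follow the rules and use the keywords as explained in this site

These are the basic steps to give your program a chance of working, but there is a big problem here. It is called string concatenation in sql commands, and this habit leads directly to the Sql Injection vulnerability

You need to change your code like this: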

using System.Collections.Generic;   // List<T>
using MySql.Data.MySqlClient;       // MySqlConnection, MySqlCommand, MySqlParameter

private void btn_Submit_Click(object sender, EventArgs e)
{
    if (isValidData())
    {
        //CONVERT FORM VALUES AND STORE IN VARIABLES TO SEND TO MYSQL QUERY
        DateTime saleTime = saleDatePicker.Value;
        Decimal price = Convert.ToDecimal(txt_Price.Text);
        string customerName = txt_CustomerName.Text;
        string customerPhone = txt_CustomerPhone.Text;
        string description = rTxt_Description.Text;

        // Create the query using parameter placeholders, not the actual stringized values....
        string query = "INSERT into SALES VALUES (@stime, @price, @cname,@cphone,@cdesc)";

        // Create a list of parameters with the actual values with the placeholders names
        // Pay attention to the Size value for string parameters, you need to change it
        // accordingly to your fields size on the database table.
        // Every ParameterName must match a placeholder in the query text exactly.
        List<MySqlParameter> prms = new List<MySqlParameter>()
        {
            new MySqlParameter {ParameterName="@stime", MySqlDbType=MySqlDbType.DateTime, Value = saleTime },
            new MySqlParameter {ParameterName="@price", MySqlDbType=MySqlDbType.Decimal, Value = price },
            new MySqlParameter {ParameterName="@cname", MySqlDbType=MySqlDbType.VarChar, Value = customerName, Size = 150 },
            new MySqlParameter {ParameterName="@cphone", MySqlDbType=MySqlDbType.VarChar, Value = customerPhone, Size = 150 },
            new MySqlParameter {ParameterName="@cdesc", MySqlDbType=MySqlDbType.VarChar, Value = description, Size = 150 }
        };

        // Pass query and parameters to the insertion method.
        // get the return value. if it is more than zero you are ok..
        int result = insertValues(query, prms);
        // if(result > 0)
        // .... insertion ok ....
    }
}

private int insertValues(string q, List<MySqlParameter> parameters)
{
    // .... stands for your MySql connection string
    using(MySqlConnection con = new MySqlConnection(....))
    using(MySqlCommand cmd = new MySqlCommand(q, con))
    {
        con.Open();
        cmd.Parameters.AddRange(parameters.ToArray());
        // ExecuteNonQuery returns the number of rows affected by the INSERT
        int rowsInserted = cmd.ExecuteNonQuery();
        return rowsInserted;
    }
}
+0

OK. This now seems like the right direction. I downloaded and installed the connector. Where do I reference the DLL? – user2962806 2014-12-05 08:45:31

+0

It can be installed with nuget https://www.nuget.org/packages?q=Tags%3A%22Connector%2FNET%22 – 2014-12-05 08:47:30

+0

Thank you very much. That was certainly the problem, and now my rows are inserted correctly. Thanks again. – user2962806 2014-12-05 08:53:13
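
Why the concatenated INSERT from the question is fragile, as an added example that is not part of the original question or answer: it rebuilds the same statement from constructed sample inputs and counts how many values the VALUES list ends up with. `ConcatDemo`, `BuildConcatenated` and `CountValues` are hypothetical names, and the quote scanner is a simplification that assumes only `'...'` literals with `''` as the escape.

```csharp
using System;

// Added example, not code from the post. All sample inputs are constructed.
static class ConcatDemo
{
    // Same concatenation pattern as the question's btn_Submit_Click.
    static string BuildConcatenated(DateTime t, decimal price, string name, string phone, string desc)
    {
        return "INSERT into SALES VALUES ('" + t + "','" + price + "','" + name + "','" +
               phone + "','" + desc + "');";
    }

    // Simplified scanner (assumption: '...' literals, '' as the only escape).
    // Returns the number of top-level values inside VALUES(...), or -1 when a
    // string literal is never closed, which the server reports as a syntax error.
    static int CountValues(string sql)
    {
        bool inLiteral = false;
        int count = 1;
        for (int i = sql.IndexOf('(') + 1; i < sql.Length; i++)
        {
            char c = sql[i];
            if (inLiteral)
            {
                if (c != '\'') continue;
                if (i + 1 < sql.Length && sql[i + 1] == '\'') i++;   // '' is an escaped quote
                else inLiteral = false;                              // literal ends here
            }
            else if (c == '\'') inLiteral = true;
            else if (c == ',') count++;
            else if (c == ')') return count;
        }
        return -1;
    }

    static void Main()
    {
        DateTime t = new DateTime(2014, 12, 5, 8, 30, 0);
        // Constructed customer names: plain, with an apostrophe, with quote-comma-quote.
        string[] names = { "Alice Smith", "Pat O'Brien", "Bob','extra" };
        foreach (string name in names)
        {
            int n = CountValues(BuildConcatenated(t, 12.50m, name, "555-0100", "sample sale"));
            Console.WriteLine("{0,-12} -> {1}", name,
                n < 0 ? "unterminated literal (syntax error)" : n + " values (table expects 5)");
        }
        // With placeholders the statement text is the same for every input:
        Console.WriteLine("INSERT into SALES VALUES (@stime, @price, @cname,@cphone,@cdesc)");
    }
}
```

The first name yields 5 values, the second leaves a literal unterminated, and the third yields 6, so the data entered in the form decides the shape of the statement. With the parameterized query the values travel separately from the statement text and cannot change it.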