向某个表中插入新行时,有两种方式,一种是相对低效的方式是动态构建SQL语句,也就是生成包含CommandText属性中所有必要信息的字符串。这不是推荐的最佳做法,有SQL注入攻击的风险。

更好的方法是使用命令参数的做法,命令参数在命令文本中是点位符,标记出将被替代的值的位置。在SQL Server中使用命名参数(named parameters),这些参数以@符号开始,后跟不带空格的参数名。如:INSERT INTO MyTable VALUES(@MyName,@MyNumber)

使用命令参数实例:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Data;
using System.Data.SqlClient;

namespace CommandParameters
{
    class Program
    {
        static void Main(string[] args)
        {
            string fname = "tan";
            string lname = "ding";
            SqlConnection conn = new SqlConnection(@"
            server=.;
            integrated security=true;
            database = northwind");
            string sqlqry = @"select count(*) from employees";
            string sqlins = @"insert into employees(firstname,lastname) values(@fname,@lname)";
            string sqldel = @"delete from employees where firstname=@fname and lastname=@lname";

            SqlCommand cmdqry = new SqlCommand(sqlqry, conn);
            SqlCommand cmdnon = new SqlCommand(sqlins, conn);

            cmdnon.Prepare();
            cmdnon.Parameters.Add("@fname", SqlDbType.NVarChar, 10);
            cmdnon.Parameters.Add("@lname", SqlDbType.NVarChar, 20);

            try
            {
                conn.Open();
                Console.WriteLine("Before Insert:Number of employees {0}\n", cmdqry.ExecuteScalar());

                cmdnon.Parameters["@fname"].Value = fname;
                cmdnon.Parameters["@lname"].Value = lname;
                Console.WriteLine("Executing statement {0}", cmdnon.CommandText);
                cmdnon.ExecuteNonQuery();
                Console.WriteLine("After Insert:Number of employees {0}\n", cmdqry.ExecuteScalar());

                cmdnon.CommandText = sqldel;
                Console.WriteLine("Executing statement {0}", cmdnon.CommandText);
                cmdnon.ExecuteNonQuery();
                Console.WriteLine("After Delele:Number of employees {0}\n", cmdqry.ExecuteScalar());
            }
            catch (SqlException ex)
            {
                Console.WriteLine(ex.ToString());
            }
            finally
            {
                conn.Close();
                Console.WriteLine("Connection Closed.");
            }
            Console.ReadKey();
        }
    }
}

命令对象SqlCommand(五)命令参数_scala

说明:

将参数@fname和@lname添加到待参数化的命令对象的Parameters集合属性中:

cmdnon.Prepare();
            cmdnon.Parameters.Add("@fname", SqlDbType.NVarChar, 10);
            cmdnon.Parameters.Add("@lname", SqlDbType.NVarChar, 20);

SqlDbType枚举类型包含针对每一种SQL Server的数据类型的成员。

最后,在执行命令前需要设定参数值:

      cmdnon.Parameters["@fname"].Value = fname;
                cmdnon.Parameters["@lname"].Value = lname;