/// <summary>
/// 增加一条数据
/// </summary>
public string Add(SalesServer.Model.Inventory model)
{
model.cInvCode=GetMaxId();
StringBuilder strSql=new StringBuilder();
strSql.Append("insert into Inventory(");
strSql.Append("cInvCode,cInvName,cBarCode,cInvStd,cInvClass,cComUnit,cInvProperty1,cInvProperty2,cInvProperty3,Memo)");
strSql.Append(" values (");
strSql.Append("@cInvCode,@cInvName,@cBarCode,@cInvStd,@cInvClass,@cComUnit,@cInvProperty1,@cInvProperty2,@cInvProperty3,@Memo)");
SqlParameter[] parameters = {
new SqlParameter("@cInvCode", SqlDbType.Char,8),
new SqlParameter("@cInvName", SqlDbType.Char,100),
new SqlParameter("@cBarCode", SqlDbType.Char,50),
new SqlParameter("@cInvStd", SqlDbType.Char,50),
new SqlParameter("@cInvClass", SqlDbType.Char,10),
new SqlParameter("@cComUnit", SqlDbType.Char,20),
new SqlParameter("@cInvProperty1", SqlDbType.Char,50),
new SqlParameter("@cInvProperty2", SqlDbType.Char,50),
new SqlParameter("@cInvProperty3", SqlDbType.Char,50),
new SqlParameter("@Memo", SqlDbType.Char,100)};
parameters[0].Value = model.cInvCode;
parameters[1].Value = model.cInvName;
parameters[2].Value = model.cBarCode;
parameters[3].Value = model.cInvStd;
parameters[4].Value = model.cInvClass;
parameters[5].Value = model.cComUnit;
parameters[6].Value = model.cInvProperty1;
parameters[7].Value = model.cInvProperty2;
parameters[8].Value = model.cInvProperty3;
parameters[9].Value = model.Memo; DbHelperSQL.ExecuteSql(strSql.ToString(),parameters);
return model.cInvCode;
}
------------------------------------------------------------------
/// <summary>
/// 增加一条数据
/// </summary>
public string Add(SalesServer.Model.Inventory model)
{
model.cInvCode=GetMaxId();
StringBuilder strSql=new StringBuilder();
strSql.Append("insert into Inventory(");
strSql.Append("cInvCode,cInvName,cBarCode,cInvStd,cInvClass,cComUnit,cInvProperty1,cInvProperty2,cInvProperty3,Memo");
strSql.Append(")");
strSql.Append(" values (");
strSql.Append("'"+model.cInvCode+"',");
strSql.Append("'"+model.cInvName+"',");
strSql.Append("'"+model.cBarCode+"',");
strSql.Append("'"+model.cInvStd+"',");
strSql.Append("'"+model.cInvClass+"',");
strSql.Append("'"+model.cComUnit+"',");
strSql.Append("'"+model.cInvProperty1+"',");
strSql.Append("'"+model.cInvProperty2+"',");
strSql.Append("'"+model.cInvProperty3+"',");
strSql.Append("'"+model.Memo+"'");
strSql.Append(")");
DbHelperSQL.ExecuteSql(strSql.ToString());
return model.cInvCode;
}这两种方式究竟除了写法不同而已,本质有些什么区别,那种更好?我以前为了简单就直接写的SQL语句,有什么弊端吗?TKS
/// 增加一条数据
/// </summary>
public string Add(SalesServer.Model.Inventory model)
{
model.cInvCode=GetMaxId();
StringBuilder strSql=new StringBuilder();
strSql.Append("insert into Inventory(");
strSql.Append("cInvCode,cInvName,cBarCode,cInvStd,cInvClass,cComUnit,cInvProperty1,cInvProperty2,cInvProperty3,Memo)");
strSql.Append(" values (");
strSql.Append("@cInvCode,@cInvName,@cBarCode,@cInvStd,@cInvClass,@cComUnit,@cInvProperty1,@cInvProperty2,@cInvProperty3,@Memo)");
SqlParameter[] parameters = {
new SqlParameter("@cInvCode", SqlDbType.Char,8),
new SqlParameter("@cInvName", SqlDbType.Char,100),
new SqlParameter("@cBarCode", SqlDbType.Char,50),
new SqlParameter("@cInvStd", SqlDbType.Char,50),
new SqlParameter("@cInvClass", SqlDbType.Char,10),
new SqlParameter("@cComUnit", SqlDbType.Char,20),
new SqlParameter("@cInvProperty1", SqlDbType.Char,50),
new SqlParameter("@cInvProperty2", SqlDbType.Char,50),
new SqlParameter("@cInvProperty3", SqlDbType.Char,50),
new SqlParameter("@Memo", SqlDbType.Char,100)};
parameters[0].Value = model.cInvCode;
parameters[1].Value = model.cInvName;
parameters[2].Value = model.cBarCode;
parameters[3].Value = model.cInvStd;
parameters[4].Value = model.cInvClass;
parameters[5].Value = model.cComUnit;
parameters[6].Value = model.cInvProperty1;
parameters[7].Value = model.cInvProperty2;
parameters[8].Value = model.cInvProperty3;
parameters[9].Value = model.Memo; DbHelperSQL.ExecuteSql(strSql.ToString(),parameters);
return model.cInvCode;
}
------------------------------------------------------------------
/// <summary>
/// 增加一条数据
/// </summary>
public string Add(SalesServer.Model.Inventory model)
{
model.cInvCode=GetMaxId();
StringBuilder strSql=new StringBuilder();
strSql.Append("insert into Inventory(");
strSql.Append("cInvCode,cInvName,cBarCode,cInvStd,cInvClass,cComUnit,cInvProperty1,cInvProperty2,cInvProperty3,Memo");
strSql.Append(")");
strSql.Append(" values (");
strSql.Append("'"+model.cInvCode+"',");
strSql.Append("'"+model.cInvName+"',");
strSql.Append("'"+model.cBarCode+"',");
strSql.Append("'"+model.cInvStd+"',");
strSql.Append("'"+model.cInvClass+"',");
strSql.Append("'"+model.cComUnit+"',");
strSql.Append("'"+model.cInvProperty1+"',");
strSql.Append("'"+model.cInvProperty2+"',");
strSql.Append("'"+model.cInvProperty3+"',");
strSql.Append("'"+model.Memo+"'");
strSql.Append(")");
DbHelperSQL.ExecuteSql(strSql.ToString());
return model.cInvCode;
}这两种方式究竟除了写法不同而已,本质有些什么区别,那种更好?我以前为了简单就直接写的SQL语句,有什么弊端吗?TKS
string name="张三";
string SQL="select * from 表名 where name = '"+name"'";
其实ADO.NET里的 parameters 称为参数,也就是你那个string name成为了一个参数进去
比如 Comment cmd = new Comment(select * from 表名 where name=?);
cmd.Parameters.Add("@name",类型,大小);
cmd.Parameters["@name"]=...
上面那个问号(?)就是参数 代替了你"拼"的出的SQL语句中的name
这样是ADO.NET中推荐的 不仅使安全系数增强了,而且代码可读性也大大提高了
大家一看到parameters就知道,必须要有参数声明,
还要给参数赋值(也就等于你"拼的那个SQL语句了)
但参数还可以有输出参数,输出参数是另外一回事
写错了 少了个"+"号
改为:
string SQL="select * from 表名 where name = '"+name + "'";
第一 代码看起来更加清晰
第二 使用参数模式 可以 一定程度上防止SQL注入..
第三 类型匹配 更加清晰 使用上更灵活