// Moves the pending (rk_flag=0) shjc rows that match the selected key into ruku and
// then marks them as received. Note that the using block and the inner block opened
// below are not closed within this excerpt, and the second block is a line-for-line
// repeat of the first.
using (DataConnection conn = new DataConnection())
{
// Two statements are sent as one batch with no ';' between them. T-SQL accepts this,
// but a ';' separator is the conventional form.
// NOTE(review): no transaction is visible here. If the UPDATE fails after the
// INSERT ... SELECT, the inserted rows stay and rk_flag remains 0, so a retry would
// insert them again; confirm whether DataConnection wraps the batch in a transaction.
conn.CommandText = @"insert into ruku (jcmc,dj,ydj,cbs,syfw,xq,zdh,bianz,cbsj,kcmc,sl,xyr,xbdh,gysh,yxjch,jsbl)
select jcmc,@xgdj,dj,cbs,syfw,xq,zdh,bianz,cbsj,kcmc,sl,xyr,xbdh,gysh,@yxjch,@jsbl from shjc
where jcmc=@jcmc and dj=@dj and cbs=@cbs and xq=@xq and rk_flag=0
update shjc set rk_flag=1 where jcmc=@jcmc and dj=@dj and cbs=@cbs and xq=@xq"; conn.Parameters.Clear();
// Every caller-supplied value is bound as a typed parameter rather than concatenated
// into the command text; this binding, not the statement separator, is what keeps the
// batch safe from SQL injection.
conn.Parameters.Add("@jcmc", SqlDbType.Char).Value = jcmc;
conn.Parameters.Add("@dj", SqlDbType.Money).Value = dj;
conn.Parameters.Add("@cbs", SqlDbType.Char).Value = cbs;
conn.Parameters.Add("@xq", SqlDbType.Char).Value = xq;
conn.Parameters.Add("@jsbl", SqlDbType.Float).Value = jsbl;
// @yxjch is declared without a value; it is filled in below from the dropdown.
conn.Parameters.Add("@yxjch", SqlDbType.Char);
// Convert.ToDecimal throws FormatException on non-numeric text. Both calls sit outside
// the try block below, which only catches SqlException, so malformed input in TextBox1
// (or Labeldj) escapes as an unhandled exception instead of the pnlWrong message.
if (TextBox1.Text == "")
{
xgdj = Convert.ToDecimal(Labeldj.Text);
}
else
{
xgdj = Convert.ToDecimal(TextBox1.Text);
}
conn.Parameters.Add("@xgdj", SqlDbType.Money).Value = xgdj; if (DropDownListYXJC.SelectedIndex == 0)
{
// Index 0 is treated as "no value": bind DBNull instead of an empty string.
conn.Parameters["@yxjch"].IsNullable = true;
conn.Parameters["@yxjch"].Value = DBNull.Value;
}
else
{ conn.Parameters["@yxjch"].Value = DropDownListYXJC.SelectedValue;
}
try
{
conn.ExecuteNonQuery();
}
catch (SqlException ex)
{
// ex.Message is the raw SQL Server error text; wrongMsg is presumably shown to the
// user, which exposes table, column and constraint details. Prefer a generic message
// here and record ex server-side.
pnlWrong.Visible = true;
wrongMsg = "错误!" + ex.Message;
return;
}
// NOTE(review): the block below repeats the code above verbatim, presumably a paste
// duplicate. Because the first batch already set rk_flag=1 on the matching rows, a
// second ExecuteNonQuery with the same key would select nothing and insert nothing.
{
conn.CommandText = @"insert into ruku (jcmc,dj,ydj,cbs,syfw,xq,zdh,bianz,cbsj,kcmc,sl,xyr,xbdh,gysh,yxjch,jsbl)
select jcmc,@xgdj,dj,cbs,syfw,xq,zdh,bianz,cbsj,kcmc,sl,xyr,xbdh,gysh,@yxjch,@jsbl from shjc
where jcmc=@jcmc and dj=@dj and cbs=@cbs and xq=@xq and rk_flag=0
update shjc set rk_flag=1 where jcmc=@jcmc and dj=@dj and cbs=@cbs and xq=@xq"; conn.Parameters.Clear();
conn.Parameters.Add("@jcmc", SqlDbType.Char).Value = jcmc;
conn.Parameters.Add("@dj", SqlDbType.Money).Value = dj;
conn.Parameters.Add("@cbs", SqlDbType.Char).Value = cbs;
conn.Parameters.Add("@xq", SqlDbType.Char).Value = xq;
conn.Parameters.Add("@jsbl", SqlDbType.Float).Value = jsbl;
conn.Parameters.Add("@yxjch", SqlDbType.Char);
// Same unguarded Convert.ToDecimal as above; a FormatException is not caught below.
if (TextBox1.Text == "")
{
xgdj = Convert.ToDecimal(Labeldj.Text);
}
else
{
xgdj = Convert.ToDecimal(TextBox1.Text);
}
conn.Parameters.Add("@xgdj", SqlDbType.Money).Value = xgdj; if (DropDownListYXJC.SelectedIndex == 0)
{
conn.Parameters["@yxjch"].IsNullable = true;
conn.Parameters["@yxjch"].Value = DBNull.Value;
}
else
{ conn.Parameters["@yxjch"].Value = DropDownListYXJC.SelectedValue;
}
try
{
conn.ExecuteNonQuery();
}
catch (SqlException ex)
{
// Same raw-error exposure as the first catch above.
pnlWrong.Visible = true;
wrongMsg = "错误!" + ex.Message;
return;
}
试一下看看有没有问题。
这其实不用问的,把SQL语句放到SQL Server中执行一下就知道结果了。
,xq,zdh,bianz,cbsj,kcmc,sl
,xyr,xbdh,gysh,yxjch,jsbl)
select jcmc,@xgdj,dj,cbs,syfw,xq,zdh,bianz,cbsj,kcmc,sl,xyr,xbdh,gysh,@yxjch,@jsbl from shjc
where jcmc=@jcmc and dj=@dj and cbs=@cbs
and xq=@xq and rk_flag=0;
update shjc
set rk_flag=1
where jcmc=@jcmc and dj=@dj and cbs=@cbs and xq=@xq
就是2条SQL语句，用了同样的参数。规范的写法是用一个`;`号隔开。
这样可以最大化地防止SQL注入攻击