(1) Splicing (string concatenation) to build the SQL statement:
string sql = "insert into czyb(yhm,mm,qx) values('" + txtName.Text + "','" + txtPassword.Text + "','" + cmbPriority.Text + "')"; // user input becomes part of the statement text
OleDbCommand cmd = new OleDbCommand(sql, conn);
This way of writing is hard to read and insecure: whatever the user types in txtName.Text, txtPassword.Text or cmbPriority.Text is pasted straight into the statement, so a single quote in the input changes the statement itself, and the code is vulnerable to SQL injection.
(2) Using string.Format:
string sql = string.Format("insert into czyb(yhm,mm,qx) values('{0}','{1}','{2}')", txtName.Text, txtPassword.Text, cmbPriority.Text); // same statement text as (1), only assembled differently
Only the readability improves over (1). The values are still spliced into the statement text before the database sees it, so this form is exactly as vulnerable to SQL injection as (1); string.Format does no quoting or escaping.
(3) Using a parameterized SQL statement:
string sql = "insert into czyb(yhm,mm,qx) values (?,?,?)"; // OleDb binds parameters by position, so '?' placeholders are used and the Add order below must match
OleDbCommand cmd = new OleDbCommand();
cmd.CommandText = sql;
cmd.Parameters.AddWithValue("@yhm", txtName.Text);     // user name
cmd.Parameters.AddWithValue("@mm", txtPassword.Text);  // password
cmd.Parameters.AddWithValue("@qx", cmbPriority.Text);  // privilege level
cmd.Connection = conn;
conn.Open();
cmd.ExecuteNonQuery();
The code structure is clear, the input is sent to the database as data rather than as part of the statement text, and it works even with databases that do not support stored procedures (such as Access). This method is recommended. Note that with OleDb the parameter names are only labels: the provider binds the parameters in the order they were added, so adding them in the wrong order silently puts the values in the wrong columns.
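To make the difference between (1)/(2) and (3) concrete, here is an added example that is not part of the original page and not ADO.NET code: it rebuilds the page's czyb(yhm,mm,qx) table in an in-memory SQLite database with Python's standard sqlite3 module (chosen because it runs stand-alone), builds the INSERT both by concatenation and by the string.Format equivalent, and feeds a constructed user name that closes the VALUES list with an 'admin' privilege and comments out the rest of the statement. The spliced versions insert an admin account; the parameterized version stores the payload as a literal user name with the privilege the form actually sent.

```python
import sqlite3

# Constructed attacker input for txtName.Text: it closes the VALUES list with
# its own privilege value and comments out the remainder of the statement.
PAYLOAD_NAME = "eve','x','admin')--"


def build_sql_concat(name, password, priority):
    # Pattern (1): splicing the user input into the statement text.
    return ("insert into czyb(yhm,mm,qx) values('" + name + "','"
            + password + "','" + priority + "')")


def build_sql_format(name, password, priority):
    # Pattern (2): the string.Format equivalent; identical text, identical flaw.
    return "insert into czyb(yhm,mm,qx) values('{0}','{1}','{2}')".format(
        name, password, priority)


def new_db():
    # Fresh in-memory database with the page's table layout.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE czyb (yhm TEXT, mm TEXT, qx TEXT)")
    return conn


def insert_spliced(conn, name, password, priority):
    # Executes the spliced statement exactly as the database receives it.
    conn.execute(build_sql_concat(name, password, priority))
    conn.commit()


def insert_parameterized(conn, name, password, priority):
    # Pattern (3): placeholders; the values travel separately from the SQL
    # text and are never parsed as SQL. sqlite3 uses '?' like OleDb does.
    conn.execute("insert into czyb(yhm,mm,qx) values (?,?,?)",
                 (name, password, priority))
    conn.commit()


def rows(conn):
    return conn.execute("select yhm, mm, qx from czyb").fetchall()


def demo():
    # The form sends privilege 'user' in both cases; only the spliced
    # statement lets the attacker override it.
    spliced = new_db()
    insert_spliced(spliced, PAYLOAD_NAME, "pw", "user")
    param = new_db()
    insert_parameterized(param, PAYLOAD_NAME, "pw", "user")
    return {"spliced_rows": rows(spliced), "param_rows": rows(param)}


if __name__ == "__main__":
    print(build_sql_concat(PAYLOAD_NAME, "pw", "user"))
    for label, data in demo().items():
        print(label, data)
```

The statement text printed first shows why the spliced forms fail: the user name ends the VALUES list early, and the trailing "--" turns the rest of the statement (including the real privilege) into a comment. Nothing in string.Format changes that, since both builders produce byte-for-byte the same SQL.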
(4) If the database supports stored procedures (such as SQL Server), you can call a stored procedure to run the SQL:
using (SqlConnection conn = new SqlConnection(txtConn))
using (SqlCommand cmd = new SqlCommand("SearchContact", conn)) // the stored procedure is named SearchContact
{
    cmd.CommandType = CommandType.StoredProcedure;
    cmd.Parameters.Add("@name", SqlDbType.VarChar, 50); // input parameter, typed and limited to 50 characters
    cmd.Parameters["@name"].Value = txtName.Text.Trim();
    conn.Open();
    using (SqlDataReader reader = cmd.ExecuteReader()) // run the procedure and read its result rows
    {
        while (reader.Read()) { /* handle one contact row */ }
    }
}
Because the database compiles the stored procedure and reuses its execution plan, repeated calls are efficient, and this method is recommended. The protection against injection comes from passing @name as a typed parameter, not from the stored procedure as such: a procedure that builds a dynamic statement by concatenating @name into a string and running it with EXEC is injectable again, so dynamic SQL inside a procedure should go through sp_executesql with its own parameters.