1、数据库操作函数
using System.Data.SqlClient;
/// <summary>
/// Builds a SqlConnection from the connection string named "conn" in web.config.
/// The connection is returned unopened; the caller owns it and must dispose it.
/// </summary>
/// <returns>A new, not yet opened, SqlConnection.</returns>
public SqlConnection GetConnection()
{
    // The "conn" entry lives in <connectionStrings> of web.config, so the
    // credentials stay out of source (an earlier version read it from
    // <appSettings> via ConfigurationManager.AppSettings["ConnectionString"]).
    ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings["conn"];
    return new SqlConnection(settings.ConnectionString);
}
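/// <summary>
/// Executes a SqlCommand that returns no result set, on a connection obtained
/// from <see cref="GetConnection"/>; parameters are supplied as an array.
/// </summary>
/// <remarks>
/// Example:
/// int result = ExecuteNonQuery(CommandType.StoredProcedure, "PublishOrders", new SqlParameter("@prodid", 24));
/// </remarks>
/// <param name="cmdType">SqlCommand command type (stored procedure, T-SQL statement, etc.).</param>
/// <param name="cmdText">Stored procedure name or T-SQL statement.</param>
/// <param name="commandParameters">Parameters used by the command, as an array; values are never concatenated into <paramref name="cmdText"/>.</param>
/// <returns>The number of rows affected by the command.</returns>
public int ExecuteNonQuery(CommandType cmdType, string cmdText, params SqlParameter[] commandParameters)
{
    // Both the connection and the command are disposed when this method returns,
    // so the connection goes back to the pool even if ExecuteNonQuery throws.
    // (The original left the connection open and undisposed.)
    using (SqlConnection myConn = GetConnection())
    using (SqlCommand cmd = new SqlCommand())
    {
        PrepareCommand(cmd, myConn, null, cmdType, cmdText, commandParameters);
        try
        {
            return cmd.ExecuteNonQuery();
        }
        finally
        {
            // Detach the parameters even on failure, so the caller's SqlParameter
            // instances can be reused on another command (a SqlParameter may
            // belong to only one parameter collection at a time).
            cmd.Parameters.Clear();
        }
    }
}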
/// <summary>
/// Wires a SqlCommand up to a connection, an optional transaction, a command
/// type, command text and parameters, opening the connection if it is not open yet.
/// </summary>
/// <param name="cmd">The SqlCommand to prepare.</param>
/// <param name="conn">An existing database connection; opened here when its state is not Open.</param>
/// <param name="trans">Transaction to run the command in, or null for none.</param>
/// <param name="cmdType">SqlCommand command type (stored procedure, T-SQL statement, etc.).</param>
/// <param name="cmdText">Command text, e.g. a stored procedure name or "Select * from Products".</param>
/// <param name="cmdParms">Parameters to add to the command; null adds nothing.</param>
private static void PrepareCommand(SqlCommand cmd, SqlConnection conn, SqlTransaction trans, CommandType cmdType, string cmdText, SqlParameter[] cmdParms)
{
    if (conn.State != ConnectionState.Open)
    {
        conn.Open();
    }

    cmd.Connection = conn;
    cmd.CommandText = cmdText;
    cmd.CommandType = cmdType;

    // Only attach a transaction when the caller supplied one.
    if (trans != null)
    {
        cmd.Transaction = trans;
    }

    if (cmdParms == null)
    {
        return;
    }

    for (int i = 0; i < cmdParms.Length; i++)
    {
        cmd.Parameters.Add(cmdParms[i]);
    }
}
2、传入参数
using System.Data.SqlClient;
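// Verbatim string so the INSERT may span lines (a plain "..." literal cannot
// contain a line break). Every value is a named placeholder; nothing from the
// request is concatenated into the statement text.
sql = @"insert into record(company,cas_no_all,image_all,ip_addr,date,remarks)
values(@company,@cas_no_all,@image_all,@ip_addr,@date,@remarks)";
// One SqlParameter per placeholder. Only the names and types are fixed here;
// assign each parameter's Value before calling ExecuteNonQuery — SqlClient
// reports a parameter whose Value was never set as "not supplied" at execution.
SqlParameter[] parameter = new SqlParameter[]
{
    new SqlParameter("@company", SqlDbType.NVarChar),
    new SqlParameter("@cas_no_all", SqlDbType.NVarChar),
    new SqlParameter("@image_all", SqlDbType.NText),
    new SqlParameter("@ip_addr", SqlDbType.NVarChar),
    new SqlParameter("@date", SqlDbType.NVarChar),
    new SqlParameter("@remarks", SqlDbType.NText),
};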
3、调用
// Run the parameterized INSERT; the return value is the affected-row count.
int affectedRows = ExecuteNonQuery(CommandType.Text, sql, parameter);
参考及SqlHelper延伸阅读(包括MySql):
http://baike.baidu.com/view/2765538.htm
参数化查询好处:
1、防止SQL注入式攻击（参数值只作为数据传给数据库，不会被解析为SQL语句的一部分）;
2、参数化查询可以查询或写入含有单引号的字符串;
...等等
延伸阅读:
http://baike.baidu.com/view/3061939.htm