I have data coming into my Model, how do I set it up to insert the data in a table?
using System.Data.SqlClient;

public class Info
{
    public string Name { get; set; }
    public string Address { get; set; }
    public string City { get; set; }
    public string State { get; set; }
    public string Zip { get; set; }
    public string ContactHPhone { get; set; }   // referenced in the query below
    public string ContactWPhone { get; set; }   // referenced in the query below

    // "connections" is the connection string; its definition is not shown in the post.
    public Info()
    {
        // The insert runs inside the constructor, i.e. before any caller has had a
        // chance to assign the properties, so every value concatenated below is null.
        using (SqlConnection connect = new SqlConnection(connections))
        {
            // Values are spliced into the SQL text as string literals.
            string query = "Insert Into Personnel_Data (Name, StreetAddress, City, State, Zip, HomePhone, WorkPhone)" +
                " Values('" + Name + "','" + Address + "','" + City + "','" + State + "','" + Zip + "','" + ContactHPhone + "','" + ContactWPhone + "')";
            SqlCommand command = new SqlCommand(query, connect);
            connect.Open();
            command.ExecuteNonQuery();
        }
    }
}
The Name, Address, City, and so on are null when the query is being run. How do I set this up?
Add parameters to your constructor or do the Insert from a non-constructor method after the constructor is called and the properties are set.
The code you provided is vulnerable to SQL injection, so you need to fix that as well.
Also, terminology-wise, calling an insert a query is confusing. A query is a select, which is not what you are doing.
You do not need a stored procedure or an ORM, using ADO.NET as you are using it is fine. You may find that using an ORM reduces the amount of repetitive, error prone code that you have to write and maintain, but there are downsides to using ORMs.
You need to initialize your properties in the constructor before you use them:
using System.Data.SqlClient;

public class Info
{
    public string Name { get; set; }
    public string Address { get; set; }
    public string City { get; set; }
    public string State { get; set; }
    public string Zip { get; set; }
    public string ContactHPhone { get; set; }
    public string ContactWPhone { get; set; }

    // "connections" is the connection string; its definition is not shown in the post.
    public Info(string name, string address, string city, string state, string zip, string contactHPhone, string contactWPhone)
    {
        // Assign the properties first, so the insert below sees real values instead of null.
        Name = name;
        Address = address;
        City = city;
        State = state;
        Zip = zip;
        ContactHPhone = contactHPhone;
        ContactWPhone = contactWPhone;

        using (SqlConnection connect = new SqlConnection(connections))
        {
            // Still built by string concatenation; the parameterized version in the edit below is the safe form.
            string query = "Insert Into Personnel_Data (Name, StreetAddress, City, State, Zip, HomePhone, WorkPhone)" +
                " Values('" + Name + "','" + Address + "','" + City + "','" + State + "','" + Zip + "','" + ContactHPhone + "','" + ContactWPhone + "')";
            SqlCommand command = new SqlCommand(query, connect);
            connect.Open();
            command.ExecuteNonQuery();
        }
    }
}
Edited:
The better way is to use parameters in your SQL string:
using (SqlConnection connect = new SqlConnection(connections))
{
    string query = "Insert Into Personnel_Data (Name, StreetAddress, City, State, Zip, HomePhone, WorkPhone) Values(@name, @address, @city, @state, @zip, @contactHPhone, @contactWPhone)";
    using (SqlCommand command = new SqlCommand(query, connect))
    {
        // Each value is sent to the server as a parameter, not pasted into the SQL text,
        // so a quote or keyword inside a value cannot alter the statement.
        command.Parameters.AddWithValue("@name", Name);
        command.Parameters.AddWithValue("@address", Address);
        command.Parameters.AddWithValue("@city", City);
        command.Parameters.AddWithValue("@state", State);
        command.Parameters.AddWithValue("@zip", Zip);
        command.Parameters.AddWithValue("@contactHPhone", ContactHPhone);
        command.Parameters.AddWithValue("@contactWPhone", ContactWPhone);
        connect.Open();
        command.ExecuteNonQuery();
    }
}
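As an added example (not the asker's code and not any answerer's), the following puts the two points made in the answers above together: the constructor does no database work, the insert runs from a separate method once the properties have been set, and the values travel as typed parameters. The Personnel_Data table and its column names come from the question; the column widths, the parameter names, the Save/Validate method names and the sample record are my assumptions. For comparison it also reproduces the concatenated form and shows why it is fragile even with honest input: a name that contains an apostrophe already yields invalid SQL, which is the same mechanism an injection abuses.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;   // Microsoft.Data.SqlClient has the same API on newer projects

// Added example; assumes the Personnel_Data table from the question.
// The NVARCHAR widths below are assumptions, adjust them to the real schema.
public class Info
{
    public string Name { get; set; }
    public string Address { get; set; }
    public string City { get; set; }
    public string State { get; set; }
    public string Zip { get; set; }
    public string ContactHPhone { get; set; }
    public string ContactWPhone { get; set; }

    private const int NameWidth = 100, AddressWidth = 200, CityWidth = 100,
                      StateWidth = 2, ZipWidth = 10, PhoneWidth = 20;

    // No database work here: the caller (e.g. a Controller using model binding)
    // sets the properties first and then calls Save.
    public Info() { }

    // Inserts this record and returns the number of rows affected (1 on success).
    public int Save(string connectionString)
    {
        Validate();

        const string sql =
            "INSERT INTO Personnel_Data (Name, StreetAddress, City, State, Zip, HomePhone, WorkPhone) " +
            "VALUES (@name, @address, @city, @state, @zip, @homePhone, @workPhone)";

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Typed parameters: the value is sent as data, never as SQL text, so a quote
            // in the input cannot change the statement. Declaring type and width
            // explicitly (rather than AddWithValue) keeps the parameter type identical
            // on every call, which is what a stable cached plan needs, and lets you match
            // the column's real type (VARCHAR vs NVARCHAR) instead of the inferred one.
            AddString(command, "@name", Name, NameWidth);
            AddString(command, "@address", Address, AddressWidth);
            AddString(command, "@city", City, CityWidth);
            AddString(command, "@state", State, StateWidth);
            AddString(command, "@zip", Zip, ZipWidth);
            AddString(command, "@homePhone", ContactHPhone, PhoneWidth);
            AddString(command, "@workPhone", ContactWPhone, PhoneWidth);

            connection.Open();
            return command.ExecuteNonQuery();
        }
    }

    private static void AddString(SqlCommand command, string name, string value, int width)
    {
        SqlParameter p = command.Parameters.Add(name, SqlDbType.NVarChar, width);
        p.Value = value == null ? (object)DBNull.Value : value;
    }

    // Length checks up front: SqlClient silently truncates a string parameter that is
    // longer than its declared Size, so oversize input is rejected before the insert.
    public void Validate()
    {
        Check(nameof(Name), Name, NameWidth);
        Check(nameof(Address), Address, AddressWidth);
        Check(nameof(City), City, CityWidth);
        Check(nameof(State), State, StateWidth);
        Check(nameof(Zip), Zip, ZipWidth);
        Check(nameof(ContactHPhone), ContactHPhone, PhoneWidth);
        Check(nameof(ContactWPhone), ContactWPhone, PhoneWidth);
    }

    private static void Check(string field, string value, int width)
    {
        if (string.IsNullOrWhiteSpace(value))
            throw new ArgumentException(field + " is required");
        if (value.Length > width)
            throw new ArgumentException(field + " exceeds " + width + " characters");
    }

    // The question's string-building approach, kept only for comparison. With
    // Name = "O'Brien" the apostrophe closes the literal early and the result is no
    // longer valid SQL; parameters remove that whole class of problem.
    public static string BuildConcatenatedSql(Info info)
    {
        return "INSERT INTO Personnel_Data (Name, StreetAddress, City, State, Zip, HomePhone, WorkPhone) VALUES('" +
            info.Name + "','" + info.Address + "','" + info.City + "','" + info.State + "','" +
            info.Zip + "','" + info.ContactHPhone + "','" + info.ContactWPhone + "')";
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample record; "O'Brien" is an ordinary name, not a payload.
        var info = new Info
        {
            Name = "O'Brien", Address = "1 Main St", City = "Springfield", State = "IL",
            Zip = "62701", ContactHPhone = "555-0100", ContactWPhone = "555-0101"
        };

        // Prints ... VALUES('O'Brien','1 Main St', ... : the quote after O ends the literal.
        Console.WriteLine(Info.BuildConcatenatedSql(info));

        info.Validate();   // passes: every field is present and within its width
        // info.Save("<connection string>") would run the parameterized insert against a real database.
    }
}
```

The split between construction and Save is what makes model binding work: the framework (or the Controller) populates the properties on a freshly constructed object, and only then is there anything worth writing. Validate runs before the connection is opened so that bad input never costs a round trip.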
First of all, use parametrized queries if you are going to stick to your present approach.
My suggestion is to go for an ORM like NHibernate; that will ease things out a lot for you.
This looks like code from the object you are trying to persist (your Model). The code to receive the update and commit the record will go in your Controller. Please post the code from your Controller.
Also, I would strongly recommend you consider an ORM like LINQ to SQL or LINQ to Entities. At least create a stored procedure; don't send raw SQL to the database.