参数化SQL(Parameters)使用示例
public partial class Form1 : Form
{
private string connString = "Data Source=.;DataBase=TestDB;UID=sa;PWD=lwm110";
SqlConnection conn;
DataTable dt = new DataTable();
public Form1()
{
InitializeComponent();
dgvStudent.DataSource = null;
dgvStudent.AutoGenerateColumns = false;
LoadData();
dgvStudent.DataSource = dt;
}
private void btnQuery_Click(object sender, EventArgs e)
{
//准备带有参数的SQL语句
string sql = "select SNO,SName,Gender,Birthday,MobileNO,SAddress from student";
sql += " where SNO like @SNO and SName like @SName";
if (comboBox1.Text.Contains("男")) sql += " and Gender='男'";
else if (comboBox1.Text.Contains("女")) sql += " and Gender='女'";
sql += " and MobileNO like @MobileNO";
SqlCommand cmd = new SqlCommand(sql, conn);
//填充参数
cmd.Parameters.AddWithValue("@SNO", "%" + txtSNO.Text.Trim() + "%");
cmd.Parameters.AddWithValue("@SName", "%" + txtSName.Text.Trim() + "%");
cmd.Parameters.AddWithValue("@MobileNO", "%" + txtMobile.Text.Trim() + "%");
try
{
conn.Open();
SqlDataReader objReader = cmd.ExecuteReader();
dt.Clear();
dt.Load(objReader);
conn.Close();
}
catch (Exception ex)
{
throw ex;
}
}
private void LoadData()
{
conn = new SqlConnection(connString);
string sql = "select SNO,SName,Gender,Birthday,MobileNO,SAddress from student";
SqlCommand cmd = new SqlCommand(sql, conn);
try
{
conn.Open();
SqlDataReader objReader = cmd.ExecuteReader();
dt.Load(objReader);
conn.Close();
}
catch (Exception ex)
{
throw ex;
}
}
}
========================参数数组应用示例========================
private void btnQuery_Click(object sender, EventArgs e)
{
//准备带有参数的SQL语句
string sql = "select SNO,SName,Gender,Birthday,MobileNO,SAddress from student";
sql += " where SNO like @SNO and SName like @SName";
if (comboBox1.Text.Contains("男")) sql += " and Gender='男'";
else if (comboBox1.Text.Contains("女")) sql += " and Gender='女'";
sql += " and MobileNO like @MobileNO";
//填充参数
//cmd.Parameters.AddWithValue("@SNO", "%" + txtSNO.Text.Trim() + "%");
//cmd.Parameters.AddWithValue("@SName", "%" + txtSName.Text.Trim() + "%");
//cmd.Parameters.AddWithValue("@MobileNO", "%" + txtMobile.Text.Trim() + "%");
//实例化参数数组
SqlParameter[] par = new SqlParameter[]
{
new SqlParameter("@SNO","%" + txtSNO.Text.Trim() + "%"),
new SqlParameter("@SName","%"+txtSName.Text.Trim()+"%"),
new SqlParameter("@MobileNO","%" + txtMobile.Text.Trim() + "%"),
};
try
{
SqlDataReader objReader = GetReader(sql,par);
dt.Clear();
dt.Load(objReader);
conn.Close();
}
catch (Exception ex)
{
throw ex;
}
}
-------------------------------------------------------------------------------------------
private SqlDataReader GetReader(string sql,SqlParameter[] para)
{
conn = new SqlConnection(connString);
SqlCommand cmd = new SqlCommand(sql, conn);
try
{
conn.Open();
cmd.Parameters.AddRange(para);
return cmd.ExecuteReader(CommandBehavior.CloseConnection);
}
catch (Exception ex)
{
throw ex;
}
}