如何在我的 C# asp.net 4.0 项目中使用创建的 Web.Config 连接字符串？

发布于 2024-12-06 22:09:16 字数 1389 浏览 0 评论 0原文

实际上我是这个主题的新手，所以需要一些帮助。

我已经在 Web.Config 中添加了连接字符串

    <connectionStrings>
    <add name="LocalSqlServer" connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true" providerName="System.Data.SqlClient"/>
    </connectionStrings>

，并且知道，要使用它，我必须将此语句放在我的 C# 代码后面，

string connStr = ConfigurationManager.ConnectionStrings["LocalSqlServer"].ConnectionString;

这就是我所知道的。

我的问题是，

如果我想对我的 aspnetdb.mdf 数据库（Visual Studio 2010 中内置登录控件中内置的 ASP.NET 数据库）执行一些查询

，我该怎么办？完成我的任务
1) Web.Config 中没有连接字符串。和
2）代码隐藏中的硬代码

SqlConnection con = new SqlConnection("data source=.\\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true");
SqlCommand cmd = new SqlCommand();

protected void btnnameedit_Click(object sender, EventArgs e)
    {
        try
        {
            con.Open();
            cmd.CommandText = "update tamhankarnikhil set fname = '" + fname.Text + "'";
            cmd.Connection = con;
            cmd.ExecuteNonQuery();
            con.Close();
            fname.Text = "";
        }

        catch (Exception a)
        {
              Response.Write(a.Message);
        }
    }

原文

Actually I am new in this topic so required some help.

I have added connection string in Web.Config

    <connectionStrings>
    <add name="LocalSqlServer" connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true" providerName="System.Data.SqlClient"/>
    </connectionStrings>

and know that, to use it I have to put this statement in my C# code behind

string connStr = ConfigurationManager.ConnectionStrings["LocalSqlServer"].ConnectionString;

That's all I know.

My Question is

What should I do if I want to execute some query for my aspnetdb.mdf dataabase (Built in db of ASP.NET built in login contols in Visual Studio 2010)

Earlier, I was doing this to accomplish my task
1) No connection string in Web.Config. and
2) Hard code in codebehind

SqlConnection con = new SqlConnection("data source=.\\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true");
SqlCommand cmd = new SqlCommand();

protected void btnnameedit_Click(object sender, EventArgs e)
    {
        try
        {
            con.Open();
            cmd.CommandText = "update tamhankarnikhil set fname = '" + fname.Text + "'";
            cmd.Connection = con;
            cmd.ExecuteNonQuery();
            con.Close();
            fname.Text = "";
        }

        catch (Exception a)
        {
              Response.Write(a.Message);
        }
    }

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

悲凉≈ 2024-12-13 22:09:16

您可以执行以下操作：

protected void btnnameedit_Click(object sender, EventArgs e)
{
    try
    {
        string connStr = ConfigurationManager.ConnectionStrings["LocalSqlServer"].ConnectionString;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = conn.CreateCommand())
        {
            conn.Open();
            cmd.CommandText = "UPDATE tamhankarnikhil SET fname = @fname";
            cmd.Parameters.AddWithValue("@fname", fname.Text); 
            cmd.ExecuteNonQuery();
            fname.Text = "";
        }
    }
    catch (Exception a)
    {
        Response.Write(a.Message);
    }
}

您会注意到使用参数化查询来避免 SQL 注入，由于您在构建 SQL 查询时使用的字符串连接，您的代码很容易受到 SQL 注入的影响。

您还会注意到，SqlConnection 和 SqlCommand 包装在 using 语句中，以确保即使在发生异常时也能正确处理它们。

Here's what you could do:

protected void btnnameedit_Click(object sender, EventArgs e)
{
    try
    {
        string connStr = ConfigurationManager.ConnectionStrings["LocalSqlServer"].ConnectionString;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = conn.CreateCommand())
        {
            conn.Open();
            cmd.CommandText = "UPDATE tamhankarnikhil SET fname = @fname";
            cmd.Parameters.AddWithValue("@fname", fname.Text); 
            cmd.ExecuteNonQuery();
            fname.Text = "";
        }
    }
    catch (Exception a)
    {
        Response.Write(a.Message);
    }
}

You will notice the usage of parametrized queries to avoid SQL injection to which your code was vulnerable to due to the string concatenations you were using when constructing the SQL query.

You will also notice that the SqlConnection and SqlCommand are wrapped in using statements to ensure their proper disposal even in the event of an exception.

回复收藏 0 原文

~没有更多了~