How to execute this code using a stored procedure in ASP.NET C#
Problem description:
I want to use a search query in an aspx.cs page using a stored procedure. How?
I want to know how to do it on the Aspx.cs page?
Please check my stored procedure code.
What I have tried:
-- Stored procedure as posted: an exact match on phonename (uses =, not LIKE)
ALTER PROCEDURE dbo.SP_searchitem
(
    @srch varchar(50)
)
AS
BEGIN
    SELECT phonename
    FROM legacy WHERE phonename = @srch
END

// Search page: stores the typed text in Session and redirects to the results page
protected void Button1_Click(object sender, EventArgs e)
{
    string search = TextBox1.Text;
    Session["search"] = search;
    Response.Redirect("Mainsearch.aspx");
}

// Mainsearch.aspx.cs
SqlConnection con = new SqlConnection();
string search;
string query;
protected void Page_Load(object sender, EventArgs e)
{
    // This connection is opened but never used: SqlDataSource1 opens its own.
    con.ConnectionString = ConfigurationManager.ConnectionStrings["conn"].ConnectionString;
    con.Open();
    try
    {
        search = Convert.ToString(Session["search"]);
        // User input is concatenated straight into the SQL text (SQL injection),
        // and the stored procedure above is never called.
        query = "select * from legacy where upper(phonename) like '%" + search.ToUpper().ToString() + "%'";
        SqlDataSource1.SelectCommand = query;
        SqlDataSource1.DataBind();
        lbl_page_heading.Text = Convert.ToString(search);
        Page.Title = Convert.ToString(search);
        lbldate.Text = "" + "" + (DateTime.Now.ToString("dd/MMM/yyyy"));
        con.Close();
    }
    catch (Exception ex)
    {
        // Writes the full exception (stack trace, failing query) to the browser.
        Response.Write(ex.ToString());
    }
}
Answer
You write a stored procedure to use a parameter, and then ... you don't use the stored procedure but leave yourself wide open to SQL injection instead.
You don't need an SP to do a basic select. Code it in your app by all means, but use a parameterised query to avoid your database being damaged or deleted by your users...
search = Convert.ToString(Session["search"]);
// The search text travels as a parameter value, not as part of the SQL text.
query = "SELECT * FROM legacy WHERE UPPER(phonename) like '%' + @SS + '%'";
SqlDataSource1.SelectCommand = query;
// SelectParameters is a ParameterCollection, which has Add(name, value) rather than
// AddWithValue; SqlDataSource prepends the provider's prefix ("@" for SQL Server),
// so the name is given without it.
SqlDataSource1.SelectParameters.Add("SS", search.ToUpper());
Quote:
Actually I don't know how to use a stored procedure with Aspx.cs
It's pretty much the same as the "raw query" version:
SqlDataSource1.SelectCommandType = SqlDataSourceCommandType.StoredProcedure;
SqlDataSource1.SelectCommand = "SP_searchitem";
// Parameter name without the "@" prefix; SqlDataSource adds it for SQL Server.
SqlDataSource1.SelectParameters.Add("srch", "Text to search for");
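The same two searches done directly with SqlCommand and SqlParameter, as an added example that is not part of the question or the answer above. It assumes the "conn" connection string, the legacy(phonename) table and the dbo.SP_searchitem procedure exactly as posted in the question; the PhoneSearch class, its method names and the LIKE-escaping helper are hypothetical. It goes slightly beyond the thread by also escaping the LIKE wildcards in the user's text, so that a search for "50%" or "a_b" matches that literal text instead of widening the pattern.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the question or the answer). Assumes the "conn"
// connection string, the legacy(phonename) table and dbo.SP_searchitem from the
// question. Class, method and helper names are hypothetical.
public static class PhoneSearch
{
    private static string ConnectionString =>
        ConfigurationManager.ConnectionStrings["conn"].ConnectionString;

    // Escape the characters SQL Server LIKE treats as pattern syntax ('%', '_',
    // '[') so user text is matched literally. The backslash is escaped first
    // because the ESCAPE clause below names '\' as the escape character.
    public static string EscapeLikePattern(string input)
    {
        return input.Replace(@"\", @"\\")
                    .Replace("%", @"\%")
                    .Replace("_", @"\_")
                    .Replace("[", @"\[");
    }

    // Ad-hoc parameterised query: the search text is sent as a parameter value,
    // never spliced into the SQL text, so quotes in the input cannot change
    // the statement. The '%' wildcards are added in SQL around the parameter.
    public static List<string> SearchContains(string term)
    {
        const string sql =
            "SELECT phonename FROM legacy " +
            "WHERE UPPER(phonename) LIKE '%' + @srch + '%' ESCAPE '\\'";

        var results = new List<string>();
        using (var con = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.Add("@srch", SqlDbType.VarChar, 50).Value =
                EscapeLikePattern(term.ToUpperInvariant());
            con.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    results.Add(reader.GetString(0));
            }
        }
        return results;
    }

    // Stored-procedure call: CommandType.StoredProcedure, the procedure name as
    // CommandText and one SqlParameter per procedure argument. As posted,
    // dbo.SP_searchitem compares with "=", so this is an exact match, not LIKE.
    public static List<string> SearchExact(string term)
    {
        var results = new List<string>();
        using (var con = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("dbo.SP_searchitem", con))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@srch", SqlDbType.VarChar, 50).Value = term;
            con.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    results.Add(reader.GetString(0));
            }
        }
        return results;
    }
}
```

In Page_Load this replaces the concatenated query: read the term from Session, call PhoneSearch.SearchContains(search) (or SearchExact for the procedure), and bind the returned list to the grid. The `using` blocks close the connection on every path, which the posted code only did when no exception was thrown, and the catch block should log the exception rather than write it to the response, since ex.ToString() shows the stack trace and the failing statement to whoever submitted the search.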