Problem description
I have 2 tables like....
1] Assign_Subjects
    Faculty_Id varchar(20)
    Course_Id varchar(20)
    Semester varchar(20)
    Subject_Id varchar(20)
    Subject_Name varchar(50)
    Time varchar(50)

-- string literals use single quotes (double quotes are identifier delimiters in SQL Server)
INSERT INTO Assign_Subjects VALUES ('F1', 'BCA', '2', 'DS', 'Data Structure', '10-11')
INSERT INTO Assign_Subjects VALUES ('F1', 'BCA', '2', 'C', 'C Programming', '11-12')
INSERT INTO Assign_Subjects VALUES ('F1', 'BCA', '1', 'QB', 'Q Basic', '1-2')
INSERT INTO Assign_Subjects VALUES ('F2', 'BCA', '3', 'SS', 'System Structure', '10-11')
INSERT INTO Assign_Subjects VALUES ('F2', 'BCA', '3', 'AC', 'Accountancy', '11-12')
2] Exam_Result
    Result_Id int (auto number, PK)
    Enroll_Number varchar(50) (Allow Nulls checked)
    Student_Name varchar(100) (Allow Nulls checked)
    Course_Id varchar(50) (Allow Nulls checked)
    Semester varchar(50) (Allow Nulls checked)
    Subject_Id varchar(50) (Allow Nulls checked)
    Subject_Name varchar(50) (Allow Nulls checked)
    MarksObtained numeric(18, 0) (Allow Nulls checked)
    Exam_Type varchar(50) (Allow Nulls checked)
I'm giving a general idea; what I want is....
NOTE: Subjects appear as per assignment, not a fixed number of subjects; it may be 3 or 5 or more.
So, how is it possible for me to do so.....??
All answers are most welcome.....
If you don't know the exact no. of subjects to enter the marks for, how are we supposed to generate a query to do it?
Nevertheless, to show you how to protect against SQL Injection attacks, you put your SQL in Stored Procs:
CREATE PROCEDURE [dbo].[pr_GetAssignedSubjectsByFacultyIdAndSemester]
    @FacultyID int,
    @Semester nvarchar(MAX)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT [Faculty], [Subjects], [CreatedBy], [CreatedDate], [ModifiedBy], [ModifiedDate]
    FROM [dbo].[tblNotSure]
    WHERE [FacultyID] = @FacultyID
      AND [Semester] = @Semester
      AND [IsDeleted] = 0
END
Then in code we call the stored procedure; notice the parameterised commands, which prevent SQL Injection attacks. For example, say we typed 1 UNION SELECT * FROM Master.Users into the semester ddl/textbox (or used FireBug to edit the element's value): executing this as ad-hoc SQL could return the list of SQL user accounts, but passing it through a parameterised command avoids the problem:
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static aClassCollection GetAssignedSubjectsByFacultyIdAndSemester(int facultyId, string semester)
{
    var newClassCollection = new aClassCollection();
    using (var connection = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlConn"].ConnectionString))
    {
        using (var command = new SqlCommand("pr_GetAssignedSubjectsByFacultyIdAndSemester", connection))
        {
            try
            {
                command.CommandType = CommandType.StoredProcedure;
                // Parameter values travel separately from the SQL text, so whatever the user
                // typed for semester is treated as a value, never as part of the statement.
                command.Parameters.AddWithValue("@facultyId", facultyId);
                command.Parameters.AddWithValue("@semester", semester);
                connection.Open();
                using (SqlDataReader dr = command.ExecuteReader())
                {
                    while (dr.Read())
                    {
                        // The column name must match the procedure's result set ([Subjects] above).
                        newClassCollection.Add(new Class() { vals = dr["Subjects"].ToString() });
                    }
                }
            }
            catch (SqlException sqlEx)
            {
                //at the very least log the error (swallowing it silently hides failures)
            }
            finally
            {
                //This isn't needed as we're using the USING statement which is deterministic finalisation, but I put it here (in this answer) to explain the Using...
                connection.Close();
            }
        }
    }
    return newClassCollection;
}
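To make the answer's point concrete, here is an added example (not part of the original question or answer) that builds the question's Assign_Subjects table in an in-memory SQLite database and runs the same semester lookup two ways: with the input spliced into the SQL text, and with a bound parameter. The Users table is a constructed stand-in for the Master.Users the answer mentions; the SQLite driver is assumed, the behaviour of bound parameters is the same in SqlCommand.

```python
import sqlite3

# Constructed sample rows modelled on the question's Assign_Subjects inserts.
ASSIGN_SUBJECTS = [
    ("F1", "BCA", 2, "DS", "Data Structure", "10-11"),
    ("F1", "BCA", 2, "C", "C Programming", "11-12"),
    ("F1", "BCA", 1, "QB", "Q Basic", "1-2"),
    ("F2", "BCA", 3, "SS", "System Structure", "10-11"),
    ("F2", "BCA", 3, "AC", "Accountancy", "11-12"),
]
# Constructed stand-in for the Master.Users table named in the answer.
USERS = [("sa", "sysadmin"), ("app_user", "db_datareader")]


def make_db():
    """Create an in-memory database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Assign_Subjects(Faculty_Id TEXT, Course_Id TEXT, "
                 "Semester INTEGER, Subject_Id TEXT, Subject_Name TEXT, Time TEXT)")
    conn.executemany("INSERT INTO Assign_Subjects VALUES (?, ?, ?, ?, ?, ?)", ASSIGN_SUBJECTS)
    conn.execute("CREATE TABLE Users(login TEXT, role TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    return conn


def subjects_adhoc(conn, faculty_id, semester):
    """Vulnerable form: the semester input becomes part of the SQL statement text.

    An input such as '1 UNION SELECT * FROM Users' changes the query's shape and
    appends rows from an unrelated table to the result.
    """
    sql = ("SELECT Subject_Id, Subject_Name FROM Assign_Subjects "
           f"WHERE Faculty_Id = '{faculty_id}' AND Semester = {semester}")
    return conn.execute(sql).fetchall()


def subjects_param(conn, faculty_id, semester):
    """Safe form: the same query with bound parameters.

    The driver sends the values separately from the statement, so the injected
    string is compared against the Semester column as data and simply matches nothing.
    """
    sql = ("SELECT Subject_Id, Subject_Name FROM Assign_Subjects "
           "WHERE Faculty_Id = ? AND Semester = ?")
    return conn.execute(sql, (faculty_id, semester)).fetchall()


if __name__ == "__main__":
    db = make_db()
    injected = "1 UNION SELECT * FROM Users"
    print("ad-hoc   :", subjects_adhoc(db, "F1", injected))   # leaks Users rows
    print("parameter:", subjects_param(db, "F1", injected))   # returns []
```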