我有部署下面的描述中.dbproj项目中创建一个SQL Server数据库表:
I have an SQL Server database table created by deploying the following description in a .dbproj project:
CREATE TABLE [dbo].[Tasks]
(
TaskId uniqueidentifier primary key,
State int not null,
)
和我想插入一行到该表具有以下code:
and I want to insert a row into that table with the following code:
using( SqlTransaction transaction = connection.BeginTransaction() ) {
using( SqlCommand command = connection.CreateCommand() ) {
command.CommandText = "INSERT INTO Tasks VALUES( \"" +
Guid.NewGuid().ToString() + "\", 0)";
command.Transaction = transaction;
command.ExecuteNonQuery();
transaction.Commit();
}
}
在的ExecuteNonQuery()
运行的exeption被抛出话说
when ExecuteNonQuery()
runs an exeption is thrown saying
名称[字符串再经过我的GUID presentation]是不是在这方面允许的。
The name [the string representation of the GUID I passed] is not permitted in this context.
这是怎么回事?我也同样将数据插入到一个SQLite表previously和它的工作。我如何通过一个GUID到一个SQL INSERT语句?
What's up? I did the same to insert data into an SQLite table previously and it worked. How do I pass a GUID into an SQL INSERT statement?
使用参数化查询,就像这样:
Use a parameterized query, like so:
command.CommandText = "INSERT INTO Tasks VALUES( @id, 0)";
command.Parameters.Add( "@id", SqlDbType.UniqueIdentifier, 16 ).Value = value;
这种方式,数据库驱动程序格式化你的价值。这是一个很好的做法,也将有助于保护您的数据库从SQL注入攻击。
This way, the database driver formats the value for you. This is a good practice that will also help protect your database from SQL Injection attacks.
另外,也可以让数据库生成的GUID为您提供:
Alternatively, you could let the database generate the guid for you:
command.CommandText = "INSERT INTO Tasks VALUES( NEWID(), 0)";