动态地在单击按钮上插入多个记录

Question

我有两张桌子.

在这里按照课程和学期分配科目.

1] Assign_Subjects

Faculty_Id      varchar(20)     
Course_Id       varchar(20)     
Semester        varchar(20)     
Subject_Id      varchar(20)     
Subject_Name    varchar(50)     
Time            varchar(50)

INSERT INTO Assign_Subjects Values("F1","BCA",2,"DS","Data Structure","10-11")
INSERT INTO Assign_Subjects Values("F1","BCA",2,"C","C Programming","11-12")
INSERT INTO Assign_Subjects Values("F1","BCA",1,"QB","Q Basic","1-2")
INSERT INTO Assign_Subjects Values("F2","BCA",3,"SS","System Structure","10-11")
INSERT INTO Assign_Subjects Values("F2","BCA",3,"AC","Accountancy","11-12")

这里的教职员工要为学生加分

2] Exam_Result

Result_Id           int(Auto no and PK)
Enroll_Number       varchar(50) Checked
Student_Name        varchar(100)    Checked
Course_Id           varchar(50) Checked
Semester            varchar(50) Checked
Subject_Id          varchar(50) Checked
Subject_Name        varchar(50) Checked
MarksObtained       numeric(18, 0)  Checked
Exam_Type           varchar(50) Checked

现在我的问题是如何插入所有指定的主题标记为 to Exam_Result on 单按钮单击

我想让大家知道我想要的是。

在FillResult.aspx，中，我希望所有主题名都带有文本框(或任何其他可能的方式，如网格视图/dalalist等)，由管理

和按钮(onClick事件)指定以填充标记.

注:主题按指定的方式出现，而不是固定的主题数，可能是3或5或更多。

那么，我怎么可能这样做……？

通过网格视图、编辑模板或存储过程？

欢迎所有偷渡者.

Answer 1

如果您不知道要输入标记的主题的确切no -我们应该如何生成一个查询来完成它呢？

向您展示如何防范SQL注入攻击，您将SQL置于存储过程中，这一点永远不会少：

create PROCEDURE [dbo].[pr_GetAssignedSubjectsByFacultyIdAndSemester]
@FacultyID int,
@Semester nvarchar(MAX)
AS
BEGIN
SET NOCOUNT ON;
SELECT [Faculty], [Subjects],[CreatedBy],[CreatedDate],[ModifiedBy],[ModifiedDate]
 FROM [dbo].[tblNotSure]
WHERE [FacultyID] = @FacultyID
AND [Semester] = @Semester
AND [IsDeleted] = 0
END

然后在代码中我们调用存储过程，注意参数化的命令，这样可以防止SQL注入攻击。例如，假设我们输入了学期ddl/textbox (或使用FireBug编辑元素值)1 UNION SELECT * FROM --执行此即席SQL可以返回SQL用户帐户列表，但是传递了参数化命令避免了这个问题：

public static aClassCollection GetAssignedSubjectsByFacultyIdAndSemester(int facultyId, string semester)
{
var newClassCollection = new aClassCollection();
    using (var connection = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlConn"].ConnectionString))
    {
        using (var command = new SqlCommand("pr_GetAssignedSubjectsByFacultyIdAndSemester", connection))
        {
            try
            {
                command.CommandType = CommandType.StoredProcedure;
                command.Parameters.AddWithValue("@facultyId", facultyId);
                command.Parameters.AddWithValue("@semester", semester);
                connection.Open();
                SqlDataReader dr = command.ExecuteReader();
                while (dr.Read())
                {
                    newClassCollection.Add(new Class(){vals = dr["vals"].ToString()});
                }
            }
            catch (SqlException sqlEx)
            {
             //at the very least log the error
            }
            finally
            {
             //This isn't needed as we're using the USING statement which is deterministic                    finalisation, but I put it here (in this answer) to explain the Using...
                connection.Close();
            }
        }
    }

    return newClassCollection;
}