SqlDataSource.InsertParameters Property
Assembly: System.Web (in system.web.dll)
/** @property */ public ParameterCollection get_InsertParameters ()
public function get InsertParameters () : ParameterCollection
Not applicable.
Property Value
A ParameterCollection that contains the parameters used by the InsertCommand property.The InsertParameters property retrieves the InsertParameters property that is contained by the SqlDataSourceView object that is associated with the SqlDataSource control.
If the InsertCommand property contains a parameterized SQL query, the InsertParameters collection contains any Parameter objects that correspond to the parameter placeholders in the SQL string.
Depending on the ADO.NET provider, the order of the parameters in the InsertParameters collection might be important. The System.Data.OleDb and System.Data.Odbc providers associate the parameters in the collection according to the order that the parameters appear in the parameterized SQL query. The System.Data.SqlClient provider, which is the default ADO.NET provider for the SqlDataSource control, associates the parameters in the collection by matching the name of the parameter with a placeholder alias in the SQL query. For more information on parameterized SQL queries and commands, see Parameters with the SqlDataSource and AccessDataSource Controls.
 Security Note: |
|---|
| Values are inserted into parameters without validation, which is a potential security threat. Use the Filtering event to validate parameter values before executing the query. For more information, see Script Exploits Overview (Visual Studio). |
The following code example demonstrates how to insert data into a database using the SqlDataSource control and a simple Web Forms page. The current data in the Data table is displayed in the DropDownList control. You can add new records by entering values in the TextBox controls, and then clicking the Insert button. When the Insert button is clicked, the specified values are inserted into the database, and the DropDownList control is refreshed.
| Security Note: |
|---|
| This example has a text box that accepts user input, which is a potential security threat, and values are inserted into parameters without validation, which is also a potential security threat. Use the Inserting event to validate parameter values before executing the query. For more information, see Script Exploits Overview (Visual Studio). |
<%@Page Language="VJ#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
private void InsertShipper(Object source, System.EventArgs e)
{
SqlDataSource1.Insert();
} //InsertShipper
</script>
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>ASP.NET Example</title>
</head>
<body>
<form id="form1" runat="server">
<asp:dropdownlist
id="DropDownList1"
runat="server"
datasourceid="SqlDataSource1"
datatextfield="CompanyName"
datavaluefield="ShipperID" />
<asp:sqldatasource
id="SqlDataSource1"
runat="server"
connectionstring="Data Source=localhost;Integrated Security=SSPI;Initial Catalog=Northwind;Connect Timeout=15"
selectcommand="SELECT CompanyName,ShipperID FROM Shippers"
insertcommand="INSERT INTO Shippers (CompanyName,Phone) VALUES (@CoName,@Phone)">
<insertparameters>
<asp:formparameter name="CoName" formfield="CompanyNameBox" />
<asp:formparameter name="Phone" formfield="PhoneBox" />
</insertparameters>
</asp:sqldatasource>
<br /><asp:textbox
id="CompanyNameBox"
runat="server" />
<asp:RequiredFieldValidator
id="RequiredFieldValidator1"
runat="server"
ControlToValidate="CompanyNameBox"
Display="Static"
ErrorMessage="Please enter a company name." />
<br /><asp:textbox
id="PhoneBox"
runat="server" />
<asp:RequiredFieldValidator
id="RequiredFieldValidator2"
runat="server"
ControlToValidate="PhoneBox"
Display="Static"
ErrorMessage="Please enter a phone number." />
<br /><asp:button
id="Button1"
runat="server"
text="Insert New Shipper"
onclick="InsertShipper" />
</form>
</body>
</html>
