SqlDataSource.InsertCommand Property

 

Gets or sets the SQL string that the SqlDataSource control uses to insert data into the underlying database.

Namespace:   System.Web.UI.WebControls
Assembly:  System.Web (in System.Web.dll)

member InsertCommand : string with get, set

Property Value

Type: System.String

An SQL string that the SqlDataSource uses to insert data.

The InsertCommand represents either an SQL query or the name of a stored procedure, and is used by the Insert method.

Because different database products use different varieties of SQL, the syntax of the SQL string depends on the current ADO.NET provider being used, which is identified by the ProviderName property. If the SQL string is a parameterized query or command, the placeholder of the parameter also depends on the ADO.NET provider being used. For example, if the provider is the System.Data.SqlClient, which is the default provider for the SqlDataSource class, the placeholder of the parameter is '@parameterName'. However, if the provider is set to the System.Data.Odbc or System.Data.OleDb, the placeholder of the parameter is '?'. For more information about parameterized SQL queries and commands, see Using Parameters with the SqlDataSource Control.

The InsertCommand can be an SQL string or the name of a stored procedure, if the data source supports stored procedures.

This property delegates to the InsertCommand property of the SqlDataSourceView that is associated with the SqlDataSource control.

Security Note

For security purposes, the InsertCommand property is not stored in view state. Because it is possible to decode the contents of view state on the client, storing sensitive information about the database structure in view state could result in an information disclosure vulnerability.

Security Note

Values are inserted into parameters without validation, which is a potential security threat. Use the Filtering event to validate parameter values before executing the query. For more information, see Script Exploits Overview.

This section contains two code examples. The first code example demonstrates how to insert data into a database using the SqlDataSource control and a simple Web Forms page. The second code example demonstrates how to retrieve data from Microsoft SQL Server and display it in a GridView control and how to use a DetailsView control to see details of a selected row in the GridView control and as a form to insert new records.

Note

These examples show how to use declarative syntax for data access. For information about how to access data by using code instead of markup, see Accessing data in Visual Studio.

The following code example demonstrates how to insert data into a database using the SqlDataSource control and a simple Web Forms page. The current data in the Data table is displayed in the DropDownList control. You can add new records by entering values into the TextBox controls, and then clicking the Insert button. When the Insert button is clicked, the specified values are inserted into the database, and the DropDownList control is refreshed.

Security Note

This example includes a text box that accepts user input, which is a potential security threat, and values are inserted into parameters without validation, which is also a potential security threat. Use the Inserting event to validate parameter values before executing the query. For more information, see Script Exploits Overview.

No code example is currently available or this language may not be supported.
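
The following single-file page is an added example, not code from the original documentation, of the insert scenario described above, with an Inserting handler that validates the parameter values before the command runs. The Employees table and its columns, the ExampleDb connection string name, the control IDs and the validation rule are assumptions.

```aspx-cs
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data.Common" %>
<%@ Import Namespace="System.Text.RegularExpressions" %>
<script runat="server">
    // Constructed rule for this example: 1-50 letters, digits, spaces, . ' or -
    static readonly Regex NamePattern = new Regex(@"^[\p{L}\p{Nd} .'\-]{1,50}\z");

    protected void InsertButton_Click(object sender, EventArgs e)
    {
        StatusLabel.Text = "";
        // Insert() raises Inserting first; a cancelled insert returns 0 rows.
        if (EmployeeSource.Insert() > 0) StatusLabel.Text = "Record inserted.";
    }

    // Runs after the parameters are populated from the controls and before
    // InsertCommand executes; the control performs no validation of its own.
    protected void EmployeeSource_Inserting(object sender, SqlDataSourceCommandEventArgs e)
    {
        foreach (DbParameter p in e.Command.Parameters)
        {
            string value = p.Value as string;   // null for DBNull (empty text box)
            if (value == null || !NamePattern.IsMatch(value))
            {
                e.Cancel = true;                // stop before the command is sent
                StatusLabel.Text = "Rejected: a name is missing or malformed.";
                return;
            }
        }
    }
</script>
<html><body><form runat="server">
    <%-- SqlClient (default provider) uses @name placeholders; with System.Data.Odbc
         or System.Data.OleDb write ? and rely on the order of InsertParameters. --%>
    <asp:SqlDataSource ID="EmployeeSource" runat="server"
        ConnectionString="<%$ ConnectionStrings:ExampleDb %>"
        SelectCommand="SELECT LastName FROM Employees"
        InsertCommand="INSERT INTO Employees (FirstName, LastName) VALUES (@FirstName, @LastName)"
        OnInserting="EmployeeSource_Inserting">
        <InsertParameters>
            <asp:ControlParameter Name="FirstName" ControlID="FirstNameBox" PropertyName="Text" Type="String" />
            <asp:ControlParameter Name="LastName" ControlID="LastNameBox" PropertyName="Text" Type="String" />
        </InsertParameters>
    </asp:SqlDataSource>
    <asp:DropDownList ID="EmployeeList" runat="server" DataSourceID="EmployeeSource" DataTextField="LastName" />
    <asp:TextBox ID="FirstNameBox" runat="server" />
    <asp:TextBox ID="LastNameBox" runat="server" />
    <asp:Button ID="InsertButton" runat="server" Text="Insert" OnClick="InsertButton_Click" />
    <asp:Label ID="StatusLabel" runat="server" />
</form></body></html>
```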

The following code example demonstrates how to retrieve data from SQL Server and display it in a GridView control and how to use a DetailsView control to see details of a selected row in the GridView control and as a form to insert new records.

Initially, the data is displayed in the GridView control, and the selected row of the GridView is also displayed in the DetailsView control. The GridView and DetailsView controls use different data source controls; the one that is associated with the DetailsView has the FilterExpression and FilterParameters properties, which ensures that the selected row of the GridView is displayed.

If you click the automatically generated Insert button of the DetailsView control, the DetailsView shows a different user interface, which is used to insert a new record. The example uses a stored procedure to insert records and returns the primary key of the inserted row. If you insert a record, the DetailsView automatically populates the InsertParameters collection with values from the bound columns and calls the Insert method. The DetailsView can infer the correct parameters from any BoundField object and a parameter for the TemplateField object when the ASP.NET two-way data-binding syntax is used. In this example, an additional parameter is added in the OnInserting event handler to handle the primary key that is returned by the stored procedure.

Finally, after data is inserted into the database by the DetailsView control, the OnInserted event handler is called to handle the Inserted event, the value of the primary key of the inserted row is displayed, and the DataBind method of the GridView control is called explicitly to refresh the data.

No code example is currently available or this language may not be supported.
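
The following page is an added example, not code from the original documentation, of the GridView and DetailsView scenario described above. The stored procedure name usp_InsertEmployee, its @FirstName, @LastName and @PK_New OUTPUT parameters, the Employees table and the ExampleDb connection string name are assumptions.

```aspx-cs
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<script runat="server">
    // DetailsView has already filled e.Command.Parameters from its bound fields;
    // add the output parameter that carries the new primary key back.
    protected void DetailSource_Inserting(object sender, SqlDataSourceCommandEventArgs e)
    {
        SqlParameter newKey = new SqlParameter("@PK_New", SqlDbType.Int);
        newKey.Direction = ParameterDirection.Output;
        e.Command.Parameters.Add(newKey);
    }

    protected void DetailSource_Inserted(object sender, SqlDataSourceStatusEventArgs e)
    {
        if (e.Exception != null)
        {
            KeyLabel.Text = "Insert failed.";   // keep provider error text off the page
            e.ExceptionHandled = true;
            return;
        }
        KeyLabel.Text = "New key: " + e.Command.Parameters["@PK_New"].Value;
        EmployeeGrid.DataBind();                // refresh the list explicitly
    }
</script>
<html><body><form runat="server">
    <asp:SqlDataSource ID="ListSource" runat="server"
        ConnectionString="<%$ ConnectionStrings:ExampleDb %>"
        SelectCommand="SELECT EmployeeID, FirstName, LastName FROM Employees" />
    <asp:GridView ID="EmployeeGrid" runat="server" DataSourceID="ListSource"
        DataKeyNames="EmployeeID" AutoGenerateSelectButton="true" />
    <asp:SqlDataSource ID="DetailSource" runat="server"
        ConnectionString="<%$ ConnectionStrings:ExampleDb %>"
        SelectCommand="SELECT EmployeeID, FirstName, LastName FROM Employees"
        FilterExpression="EmployeeID = {0}"
        InsertCommand="usp_InsertEmployee" InsertCommandType="StoredProcedure"
        OnInserting="DetailSource_Inserting" OnInserted="DetailSource_Inserted">
        <FilterParameters>
            <asp:ControlParameter Name="EmployeeID" ControlID="EmployeeGrid" PropertyName="SelectedValue" />
        </FilterParameters>
    </asp:SqlDataSource>
    <asp:DetailsView ID="EmployeeDetails" runat="server" DataSourceID="DetailSource"
        AutoGenerateRows="false" AutoGenerateInsertButton="true">
        <Fields>
            <asp:BoundField DataField="FirstName" HeaderText="First name" />
            <asp:BoundField DataField="LastName" HeaderText="Last name" />
        </Fields>
    </asp:DetailsView>
    <asp:Label ID="KeyLabel" runat="server" />
</form></body></html>
```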

.NET Framework
Available since 2.0