When I click on submit it appears, I will be happy to help :)

What I have tried:

C#
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;

namespace ORI
{
    public partial class sign_up : System.Web.UI.Page
    {
        public string st = "";
        public string msg = "";
        public string sqlSelect = "";
        public string sqlInsert = "";
        protected void Page_Load(object sender, EventArgs e)
        {
            string fileName = "users2.mdf";
            string tableName = "usersTbL";

            if (Request.Form["submit"] != null)
            {
                string username = Request.Form["uName"];
                sqlSelect = "select uName from " + tableName;
                sqlSelect += " where uName = '" + username + "';";
                DataTable testTable = Helper.ExecuteDataTable(fileName, sqlSelect);
                
                if (testTable.Rows.Count != 0)
                {
                    msg = "user already exists";
                }
                else
                {
                    string id = Request.Form["id"];
                    string firstName = Request.Form["fName"];
                    string Nage = Request.Form["age"];
                    string prefix = Request.Form["prefix"];
                    string phone = Request.Form["phone"];
                    int Iage = int.Parse(Nage);

                    sqlInsert = "INSERT INTO " + tableName;
                    sqlInsert += "VALUES ('" + username + "'," + id + ",'" + firstName + "'," + Iage + "," + prefix + "," + phone + ");";

                    Helper.DoQuery(fileName, sqlInsert);

                }
            }
        }
    }
}
Updated 24-Feb-22 10:04am
Comments
PIEBALDconsult 24-Feb-22 15:32pm    
Please use a parameterized statement.

NOT like this:
sqlInsert = "INSERT INTO " + tableName;
sqlInsert += "VALUES ('" + username + "'," + id + ",'" + firstName + "'," + Iage + "," + prefix + "," + phone + ");";

because your code is SQL Injection vulnerable!

Use parametrized queries instead!
Using Parameterized Queries with the SqlDataSource (C#) | Microsoft Docs
How and Why to Use Parameterized Queries - Microsoft Tech Community
Create Parameterized Queries in ADO.NET -- Visual Studio Magazine
C#
sqlInsert = "INSERT INTO " + tableName;
sqlInsert += "VALUES ('" + username + "'," + id + ",'" + firstName + "'," + Iage + "," + prefix + "," + phone + ");";
//           ^ did you forget a space before VALUES ?


Not necessarily a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens the door to a vulnerability named "SQL injection"; it is dangerous for your database and error prone.
A single quote in a name and your program crashes. If a user inputting a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems: with a malicious user input, it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia
SQL Injection
SQL Injection Attacks by Example
PHP: SQL Injection - Manual
How can I explain SQL injection without technical jargon? - Information Security Stack Exchange
Comments
ori samarel 24-Feb-22 15:23pm    
Thanks, but now it does not show me all the data in DB🤣
Patrice T 24-Feb-22 15:47pm    
Improve your question, or ask another one with new problem.

Use Improve question to update your question.
So that everyone can pay attention to this information.
ori samarel 24-Feb-22 15:48pm    
OK, thank you
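The parameterized approach the answers above recommend, as an added example rather than code from the question or any answer. It rewrites the question's existence check and INSERT with SqlCommand parameters; the connection string, the column names other than uName, and the column types and lengths are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not part of the original thread. Column names other than uName,
// the SqlDbType choices and lengths, and the connection string are assumptions.
public static class SafeSignUp
{
    // Returns true when the user was inserted, false when the name was already taken.
    public static bool TryRegister(string connectionString, string username, int id,
                                   string firstName, int age, string prefix, string phone)
    {
        using (var conn = new SqlConnection(connectionString))
        {
            conn.Open();

            // Existence check: @uName travels as a typed value, not as SQL text, so an
            // input such as "O'Conner" or "x' OR '1'='1" is compared literally and can
            // never alter the statement.
            using (var check = new SqlCommand(
                "SELECT COUNT(*) FROM usersTbL WHERE uName = @uName", conn))
            {
                check.Parameters.Add("@uName", SqlDbType.NVarChar, 50).Value = username;
                if ((int)check.ExecuteScalar() > 0)
                    return false;
            }

            // Same positional INSERT as the question, one parameter per value: there are
            // no quotes or spaces to balance, and the driver handles each value's type.
            using (var insert = new SqlCommand(
                "INSERT INTO usersTbL VALUES (@uName, @id, @fName, @age, @prefix, @phone)", conn))
            {
                insert.Parameters.Add("@uName", SqlDbType.NVarChar, 50).Value = username;
                insert.Parameters.Add("@id", SqlDbType.Int).Value = id;
                insert.Parameters.Add("@fName", SqlDbType.NVarChar, 50).Value = firstName;
                insert.Parameters.Add("@age", SqlDbType.Int).Value = age;
                // Prefix kept as text: the unquoted 050 in the thread's final query is the
                // numeric literal 50 to SQL Server, which silently drops the leading zero.
                insert.Parameters.Add("@prefix", SqlDbType.NVarChar, 10).Value = prefix;
                insert.Parameters.Add("@phone", SqlDbType.NVarChar, 20).Value = phone;
                return insert.ExecuteNonQuery() == 1;
            }
        }
    }
}
```

Parse the age with int.TryParse before calling this rather than int.Parse, so a non-numeric form value produces a validation message instead of an unhandled exception.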
Firstly, you really should be using a parameterized query as suggested by 'Patrice T' and 'Maciej Los' to protect your database from SQL Injection.

If you had used a parameterized query you would not have to worry about balancing the single and double quotes, especially when you get really large insert statements.

Your SQL statement is missing a few single quotes which is causing the problem.

However if you still want to use a string query the statement below should work.
C#
string sqlInsert = "INSERT INTO " + tableName;
sqlInsert += " VALUES('" + username + "','" + id + "','" + firstname + "','" + Iage + "','" + prefix + "','" + telephone + "')";


I tested this and it does insert a record into the DB.
Comments
ori samarel 24-Feb-22 17:00pm    
It's not working for me
I believe phone is varchar and should be enclosed in quotes like the following:
sqlInsert = "INSERT INTO " + tableName;
sqlInsert += " VALUES ('" + username + "'," + id + ",'" + firstName + "'," + Iage + "," + prefix + ",'" + phone + "');";
I would also recommend using a stored procedure to insert the data. You can learn how to use stored procedures through the following link:
Lesson 07: Using Stored Procedures - C# Station
Comments
ori samarel 24-Feb-22 14:49pm    
It does not work yet, it displays the message "com.ExecuteNonQuery ();"

// Helper method from the poster's project; ConnectToDb is their own method
// that builds a SqlConnection for the given .mdf file (not shown in the thread).
public static void DoQuery(string fileName, string sql)
{
    SqlConnection conn = ConnectToDb(fileName);
    conn.Open();
    SqlCommand com = new SqlCommand(sql, conn);
    com.ExecuteNonQuery();
    conn.Close();
}
M Imran Ansari 24-Feb-22 15:49pm    
I have updated my answer. There should also be a space before VALUES. Please check now
ori samarel 24-Feb-22 15:53pm    
It still does not work, when I check the DB table there is no new data even after refresh
M Imran Ansari 24-Feb-22 16:16pm    
OK. What is you final query? Can you post your sqlInsert value?
ori samarel 24-Feb-22 16:50pm    
INSERT INTO usersTbL VALUES ('Maxim',258963417,'max',25,050,'9517427');

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)