I'm a new coder, working with inserting a first and last name into a DB table. I thought I had this pretty well thought out, however I'm getting the following error.

C#
An unhandled exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll

Additional information: Incorrect syntax near 'Cooper'.


Here is my Code block handling the INSERT statement.

VB.NET
    If (myConn.State = ConnectionState.Closed) Then myConn.Open()
    Dim myNewEntry As New SqlCommand(("INSERT INTO SCOUTINFO (FIRSTNAME, LASTNAME)
                           values('" & txtFirstName.Text & "'), ('" & txtLastName.Text & "'"), myConn)
    myNewEntry.ExecuteNonQuery()
End If


What I have tried:

I've tried different formats of the INSERT, and tried to understand if there's some better method to do an insert. I've seen DATASET stuff, but don't understand it, and since I'm new, I'm trying what seems the most direct path.
Updated 22-Jun-16 18:37pm
Comments
Depotdad80 22-Jun-16 21:14pm    
By the way, the error is occurring at the LASTNAME portion. I removed it, just trying the FIRSTNAME, but got the same error. So I'm not quite sure what is breaking the statement.

Your error is here:
VB
Dim myNewEntry As New SqlCommand(("INSERT INTO SCOUTINFO (FIRSTNAME, LASTNAME)
                           values('" & txtFirstName.Text & "'), ('" & txtLastName.Text & "'"), myConn)


My fix:
VB
Dim myNewEntry As New SqlCommand(("INSERT INTO SCOUTINFO (FIRSTNAME, LASTNAME)
                           values('" & txtFirstName.Text & "', '" & txtLastName.Text & "')"), myConn)
Comments
Depotdad80 23-Jun-16 9:22am    
Thank you!
The syntax error and the fix are available in Solution 1 by casper,

but your code is vulnerable to SQL Injection attacks.

Always use parameterized queries to prevent SQL Injection attacks.

VB.NET
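' Parameterized INSERT: the values are sent separately from the SQL text.
Dim myNewEntry As New SqlCommand("INSERT INTO SCOUTINFO (FIRSTNAME, LASTNAME) values(@first,@last)", myConn)
' Each placeholder in the statement needs its own parameter.
myNewEntry.Parameters.AddWithValue("@first", txtFirstName.Text)
myNewEntry.Parameters.AddWithValue("@last", txtLastName.Text)
myNewEntry.ExecuteNonQuery()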
Comments
Depotdad80 23-Jun-16 9:23am    
Thank you very much! I just had a programmer in my office point out that exact thing this morning. Looks like I have much more reading to do, so that I understand the Parameters command.
Karthik_Mahalingam 23-Jun-16 9:25am    
cool,
if your issue is resolved, please close this post by marking it as answer.
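
The parameterized insert recommended in the second answer, written out as a reusable function. This is an added example, not code from the original thread: the module name, the `InsertScout` and `NormalizeName` helpers, the connection string argument and the 50-character column width are assumptions to adapt to the real SCOUTINFO table.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Module ScoutRepository

    ' Assumed column width; match it to the real SCOUTINFO definition.
    Private Const NameMaxLength As Integer = 50

    ' Inserts one scout and returns the number of rows affected.
    Public Function InsertScout(connectionString As String,
                                firstName As String,
                                lastName As String) As Integer
        Dim first As String = NormalizeName(firstName, "firstName")
        Dim last As String = NormalizeName(lastName, "lastName")

        Const sql As String = "INSERT INTO SCOUTINFO (FIRSTNAME, LASTNAME) VALUES (@first, @last)"

        ' Using disposes the connection and command even if ExecuteNonQuery throws.
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand(sql, conn)
                ' Typed, sized parameters: the values travel separately from the
                ' SQL text, so a quote in a name (O'Brien) is stored as data.
                cmd.Parameters.Add("@first", SqlDbType.NVarChar, NameMaxLength).Value = first
                cmd.Parameters.Add("@last", SqlDbType.NVarChar, NameMaxLength).Value = last
                conn.Open()
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function

    ' Rejects empty or over-long input instead of letting it be truncated silently.
    Private Function NormalizeName(value As String, paramName As String) As String
        If String.IsNullOrWhiteSpace(value) Then
            Throw New ArgumentException("Name is required.", paramName)
        End If
        Dim trimmed As String = value.Trim()
        If trimmed.Length > NameMaxLength Then
            Throw New ArgumentException("Name is too long.", paramName)
        End If
        Return trimmed
    End Function

End Module
```

From the form, the call would be `InsertScout(connectionString, txtFirstName.Text, txtLastName.Text)`; no quoting or escaping of the text box values is needed because they never become part of the SQL string.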

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)