Click here to Skip to main content
15,891,529 members
Search within:


I'm having a incorrect syntax near error please help - here is my code
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
C#
Windows
form
private void button2_Click(object sender, EventArgs e)
{
con.Open();
cmd = new SqlCommand("insert into record values('"+textBox1.Text+"','"+textBox2.Text+"'" +
",'"+textBox3.Text+"','"+sun.Text+","+sun1.Text+"','" + mon.Text + "," +
mon1.Text + "'," + ",'" + tue.Text + "," + tue1.Text + "','" + wed.Text + "," +
wed1.Text +"','" + thur.Text + "," + thur1.Text + "'," +
"'" + fri.Text + "," + fri1.Text + "','" + sat.Text + "," + sat1.Text +
"')",con);
cmd.ExecuteNonQuery();
MessageBox.Show("Data is save now in Database");
}

What I have tried:

I don't have any idea what to do.
Posted
Updated 16-Apr-20 13:15pm
Add a Solution

2 solutions

Your code is a giant example of a SQL Injection Vulnerability
NEVER EVER create an SQL command by concatenating a bunch of commands and user input.

The correct way to add values into a query is going to be by using the SQL Parameter Collection. This will properly escape any funky characters going on and will also add it in as to whatever data-types you have in your NET project... so you wont need to worry about added single quotes in for text etc.
A few minute rewrite of your source code gave me something like this
SQL
private void button2_Click(object sender, EventArgs e)
{
  con.Open();

  string qry = "INSERT INTO record VALUES (@t1, @t2, @t3, @Sn, @Sn1, @Mn, @Mn1, @Tu, @Tu1, @Wd, @Wd1, @Th, @Th1, @Fr, @Fr1, @St, @St1)";

  cmd = new SqlCommand(qry, con);
  cmd.Parameters.AddWithValue("@t1",  textBox1.Text);
  cmd.Parameters.AddWithValue("@t2",  textBox2.Text);
  cmd.Parameters.AddWithValue("@t3",  textBox3.Text);
  cmd.Parameters.AddWithValue("@Sn",  sun.Text);
  cmd.Parameters.AddWithValue("@Sn1", sun1.Text);
  cmd.Parameters.AddWithValue("@Mn",  mon.Text);
  cmd.Parameters.AddWithValue("@Mn1", mon1.Text);
  cmd.Parameters.AddWithValue("@Tu",  tue.Text);
  cmd.Parameters.AddWithValue("@Tu1", tue1.Text);
  cmd.Parameters.AddWithValue("@Wd",  wed.Text);
  cmd.Parameters.AddWithValue("@Wd1", wed1.Text);
  cmd.Parameters.AddWithValue("@Th",  thur.Text);
  cmd.Parameters.AddWithValue("@Th1", thur1.Text);
  cmd.Parameters.AddWithValue("@Fr",  fri.Text);
  cmd.Parameters.AddWithValue("@Fr1", fri.Text);
  cmd.Parameters.AddWithValue("@St",  sat.Text);
  cmd.Parameters.AddWithValue("@St1", sat1.Text);

  cmd.ExecuteNonQuery();
  MessageBox.Show("Data is save now in Database");
}
And low and behold, I do see the syntax error you got most likely was due to the confusion of single & double quotes codgered together
SQL
insert into record values (
  '" + textBox1.Text +"'
, '" + textBox2.Text +"'" + "
, '" + textBox3.Text +"'
, '" + sun.Text      +"
, "  + sun1.Text     +"'
Now that we got rid of the vulnerability which also fixes your syntax error; I do see a few problems that I see in your code.

You open the SQL Connection in the routine, but do not close this. This can actually fail if the connection is already open.

Likewise, you define an existing SQL command and execute it. Generally this should be created and destroyed within the routine.

Your message box appears if no exceptions are thrown, which may be fine in this case; but if it was a claused-update statement it would still work even if no rows were updated.
Generally I would wrap this within an IF...ELSE block to give a little better feedback.
C#
int ra = cmd.ExecuteNonQuery(); // ra = Rows Affected
if (ra == 1) {
  MessageBox.Show("Data is save now in Database");
} else {
  MessageBox.Show("There was a problem saving your data.");
}


Reference:
SqlParameterCollection.AddWithValue(String, Object) Method (System.Data.SqlClient) | Microsoft Docs[^]
 
Share this answer
 
Posted
Updated 16-Apr-20 13:33pm
v2
Quote:
I'm having a incorrect syntax near error

First of all post the exact error message.
Because of the way you build the query, we have no way to know what can be wrong because it depend on user input.
C#
cmd = new SqlCommand("insert into record values('"+textBox1.Text+"','"+textBox2.Text+"'" +
",'"+textBox3.Text+"','"+sun.Text+","+sun1.Text+"','" + mon.Text + "," +
mon1.Text + "'," + ",'" + tue.Text + "," + tue1.Text + "','" + wed.Text + "," +
wed1.Text +"','" + thur.Text + "," + thur1.Text + "'," +
"'" + fri.Text + "," + fri1.Text + "','" + sat.Text + "," + sat1.Text +
"')",con);

Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]
How can I explain SQL injection without technical jargon? - Information Security Stack Exchange[^]
 
Share this answer
 
Posted
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
Microsoft.data.sqlclient.sqlexception: 'incorrect syntax near '/'.'
Incorrect syntax near ', '.'
Incorrect syntax near 'an'
Incorrect syntax near the keyword 'inner'.
Search the stidents from the inner join script "'incorrect syntax near the keyword 'where'.'
Incorrect syntax near '('.
Incorrect syntax near ' '
Incorrect syntax near '='
Incorrect Syntax Near ....
Plss help incorrect syntax near '

Advertise
Privacy
Cookies
Terms of Use
Last Updated 16 Apr 2020
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web03 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900