How to solve this error ?

Question

0.00/5 (No votes)

See more:

C#

con.Open();
          string query = "insert into staff_doc values (" + textBox1.Text + " , '" + textBox2.Text + "' , '" + textBox3.Text + "' , '" + textBox4.Text + "' , '" + comboBox1.Text + "' , '" + comboBox2.Text + "' , '" + comboBox3.Text + "' , '" + textBox5.Text + "' , '" + textBox6.Text + "' , '" + textBox7.Text + "' , '" + textBox8.Text + "' , '" + textBox9.Text + "')";
          cmd = new SqlCommand(query, con);
          cmd.ExecuteNonQuery();
          MessageBox.Show("Data Added");
          clear();
          cmd.Dispose();
          con.Close();

      }
      public void clear()
      {
          textBox1.Text = "";
          textBox2.Text = "";
          textBox3.Text = "";
          textBox4.Text = "";
          textBox5.Text = "";
          textBox6.Text = "";
          textBox7.Text = "";
          textBox8.Text = "";
          textBox9.Text = "";

      }

while submitting

JavaScript

Incorrect syntax near ','.

What I have tried:

I tried at my knowledge level but i cant rectified it.

Posted 26-Aug-16 20:13pm

GKRISH04

Updated 28-Aug-16 0:55am

Add a Solution

Comments

Member 12245539 27-Aug-16 6:12am

Send your SQL_Table querry of all columns...

Richard MacCutchan 28-Aug-16 8:04am

It's still not possible to know what is wrong. And you are never going to fix this unless you use SQL correctly, by using SQL parameters and not concatenated strings.

4 solutions

Solution 2

It is not possible to tell why you get this error because you didn't gave the database structure and the values of the textboxes/comboboxes.

By building the request the way you do, the validity depend on the value of the textboxes/comboboxes. if one contain a ', it is enough to ensure an error and it can be worst if the value is crafted for an injection.
SQL Injection[^]

It is always recommended to use parameters as described by Karthik.

Posted 26-Aug-16 23:35pm

Patrice T

Solution 3

if you encounter that error message, some variables is empty. Empty variables is cause to come side by side commas. You have to use the SqlCommand Parameters. Either you should before check correct value in variables.

Posted 27-Aug-16 10:45am

Halit Yurttaş

Solution 4

this error appeared when you add string value for integer field in database table.

for example:

create table emp
(
integer emp_id primary key,
varchar2(30) ename
);

when you try to add values from textboxes to your database table do below:

str query = "insert into emp values("+textbox1.text",'"+textbox2.text"')";

invalid insertion as below

str query = "insert into emp values('"+textbox1.text"','"+textbox2.text"')";

Posted 28-Aug-16 0:55am

Member 12705626

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Karthik_Mahalingam · Accepted Answer · 2016-08-26T20:31:00

Always use SQLParameters to pass values to the sql statement, dont concatenate the strings. It will lead to SQL Injection[^]

C#

con.Open();
          string query = "insert into staff_doc values (@value1,@value2,@value3,@value4,@value5,@value6,@value7,@value8,@value9,@value10,@value11,@value12)";
          cmd = new SqlCommand(query, con);
          cmd.Parameters.Add("@value1", textBox1.Text);
          cmd.Parameters.Add("@value2", textBox2.Text);
          cmd.Parameters.Add("@value3", textBox3.Text);
          cmd.Parameters.Add("@value4", textBox4.Text);
          cmd.Parameters.Add("@value5", comboBox1.Text);
          cmd.Parameters.Add("@value6", comboBox2.Text);
          cmd.Parameters.Add("@value7", comboBox3.Text);
          cmd.Parameters.Add("@value8", textBox5.Text);
          cmd.Parameters.Add("@value9", textBox6.Text);
          cmd.Parameters.Add("@value10", textBox7.Text);
          cmd.Parameters.Add("@value11", textBox8.Text);
          cmd.Parameters.Add("@value12", textBox9.Text);