Question:
incorrect syntax error near ',' - Please Fix The Error?
vineeth v
2011-12-10 01:57:08 UTC
I want to insert values from a Windows Form into the table "details".

The code I have written is:

SqlCommand cmd;
cmd = new SqlCommand("insert into clients values (" + txtName.Text + ",'" + txtAddress.Text + "','" + txtCity.Text + "','" + txtState.Text + "','" + txtZip.Text + "',"+1+")",con);
long update;
update = cmd.ExecuteNonQuery();

It shows the error "Incorrect syntax near ','".
Six answers:
peteams
2011-12-10 03:23:21 UTC
Do not write code like that. Code like this is inefficient and opens you up to SQL injection attacks, both of which are bad things.

Instead look at how the example is done in the documentation linked below. That code is both more efficient (although longer to write if you do it long hand) and ultimately the correct professional way to approach the problem.

So your code would end up looking more like:

var cmd = new SqlCommand("insert into clients values (@name, @address, @city, @state, @zip, 1)", con);
cmd.Parameters.Add("@name", SqlDbType.NVarChar);
cmd.Parameters["@name"].Value = txtName.Text;
// ... the same for @address, @city, @state and @zip
update = cmd.ExecuteNonQuery();

If the user enters

");drop table clients

as their name, using your approach you can lose the table; using the correct approach they end up with the text they enter as their name.
Gardner
2011-12-10 02:48:09 UTC
string qryString = string.Format("insert into clients values ('{0}', '{1}', '{2}', '{3}', '{4}', 1)", txtName.Text, txtAddress.Text, txtCity.Text, txtState.Text, txtZip.Text);
cmd = new SqlCommand(qryString, con);
long update;
update = cmd.ExecuteNonQuery();

OR

If you want to prevent against SQL injection attacks consider using parameterized SQL statements. It's a little more code but worth it. Example:

string qryString = "insert into clients values (@name, @addr, @city, @state, @zip, 1)";
cmd = new SqlCommand(qryString, con);
// Prepare() needs the type and, for variable-length types, the maximum size of each parameter;
// the sizes here are assumed and must match the column definitions in your table.
cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50);
cmd.Parameters.Add("@addr", SqlDbType.NVarChar, 100);
// repeat as needed. If this is part of a loop for inserting data then all of this should exist outside the
// loop as parameters can only be added one time. When you have finished adding your parameters:
cmd.Prepare();
// .Prepare will pre-compile your query, which results in faster execution if running in a loop.

// If you are looping then add the following inside your insert loop.
cmd.Parameters["@name"].Value = txtName.Text;
cmd.Parameters["@addr"].Value = txtAddress.Text;
// repeat for each parameter
cmd.ExecuteNonQuery();
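To make concrete what peteams and Gardner describe above, here is an added example that is not from the original thread and not ADO.NET code. It uses Python's built-in sqlite3 module in place of SqlCommand and SQL Server so it runs with no database server; the clients table, the sample rows and the payload are constructed for the illustration, and SQLite's positional "?" placeholder stands in for SqlCommand's named "@name" parameters. It shows the three things the answers talk about: the question's unquoted name failing on ordinary input, a quoted-but-concatenated statement breaking on an apostrophe and being rewritten by a crafted name, and the parameterised statement storing the same input as plain text, including Gardner's prepare-once-bind-many loop.

```python
import sqlite3

# Constructed sample data, not from the original post. The trailing
# "active" column stands in for the hard-coded 1 in the asker's INSERT.
FIELDS = ("Alice Example", "1 Main St", "Springfield", "IL", "62701")
# A "name" that closes the quoted string early, supplies its own values
# for the remaining columns, and comments out the rest of the statement.
PAYLOAD_NAME = "Mallory','x','x','x','x',0)--"


def new_db():
    """Fresh in-memory database with a clients table shaped like the asker's."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "create table clients ("
        "name text, address text, city text, state text, zip text, "
        "active integer)"
    )
    return con


def insert_as_posted(con, name, address, city, state, zip_code):
    """The question's statement as written: no quotes around the name."""
    sql = ("insert into clients values (" + name + ",'" + address + "','"
           + city + "','" + state + "','" + zip_code + "',1)")
    con.execute(sql)


def insert_concat(con, name, address, city, state, zip_code):
    """Quotes added but still concatenated: the fix the answers warn against."""
    sql = ("insert into clients values ('" + name + "','" + address + "','"
           + city + "','" + state + "','" + zip_code + "',1)")
    con.execute(sql)


def insert_param(con, name, address, city, state, zip_code):
    """Parameterised: values travel separately from the statement text."""
    con.execute("insert into clients values (?,?,?,?,?,1)",
                (name, address, city, state, zip_code))


def insert_many_param(con, rows):
    """Gardner's loop: prepare one statement, bind each row's values to it."""
    con.executemany("insert into clients values (?,?,?,?,?,1)", rows)


def stored(con):
    """(name, active) for every row in insertion order."""
    return con.execute(
        "select name, active from clients order by rowid").fetchall()


def raises_sql_error(fn, *args):
    """True if fn(*args) makes the database reject the statement."""
    try:
        fn(*args)
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    con = new_db()
    # 1. The statement from the question fails on ordinary input because
    #    the unquoted name is parsed as SQL rather than as a string.
    posted_fails = raises_sql_error(insert_as_posted, con, *FIELDS)
    # 2. Adding quotes is not enough: honest data containing an apostrophe
    #    still breaks the statement, and a crafted name rewrites it so the
    #    "active" column becomes 0 although the form never exposed it.
    apostrophe_fails = raises_sql_error(insert_concat, con, "O'Brien", *FIELDS[1:])
    insert_concat(con, PAYLOAD_NAME, *FIELDS[1:])
    # 3. With parameters the same payload is stored as plain text, the
    #    apostrophe is harmless, and active stays 1 for every row.
    insert_param(con, PAYLOAD_NAME, *FIELDS[1:])
    insert_many_param(con, [FIELDS, ("O'Brien",) + FIELDS[1:]])
    return posted_fails, apostrophe_fails, stored(con)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The payload here is a single-statement injection that only overwrites the trailing column the form never exposed. The "; drop table" style payload from the answer above additionally needs a driver that runs several statements in one call, which SqlCommand.ExecuteNonQuery does for a SQL Server batch and which sqlite3's execute() refuses; the separation of statement from values is what protects you in both cases.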
Jeroonk
2011-12-10 02:07:02 UTC
If you are inserting literal text, or actually any value which is not NULL or a number, you must place it in single quotes in the SQL command.

You are doing this correctly for txtAddress, txtCity, txtState and txtZip, but forgot it around txtName.

Also, consider doing some sanitization on your input if you do not do that already. It is very easy for someone to exploit this for SQL injection if those txtX.Text values are indeed coming directly from the input fields without checks, or at least the removal/escaping of dangerous characters.
mildrid
2016-10-24 08:49:13 UTC
string qryString = string.Format("insert into customers values ('{0}', '{1}', '{2}', '{3}', '{4}', 1)", txtName.Text, txtAddress.Text, txtCity.Text, txtState.Text, txtZip.Text);
cmd = new SqlCommand(qryString, con);
long update;
update = cmd.ExecuteNonQuery();

OR

If you want to prevent against SQL injection attacks consider using parameterized SQL statements. It's a little more code but worth it. Example:

string qryString = "insert into customers values (@name, @addr, @city, @state, @zip, 1)";
cmd = new SqlCommand(qryString, con);
// Prepare() needs the type and, for variable-length types, the maximum size of each parameter;
// the sizes here are assumed and must match the column definitions in your table.
cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50);
cmd.Parameters.Add("@addr", SqlDbType.NVarChar, 100);
// repeat as needed. If this is part of a loop for inserting data then all of this should exist outside the
// loop as parameters can only be added one time. When you have finished adding your parameters:
cmd.Prepare();
// .Prepare will pre-compile your query, which results in faster execution if running in a loop.

// If you are looping then add the following inside your insert loop.
cmd.Parameters["@name"].Value = txtName.Text;
cmd.Parameters["@addr"].Value = txtAddress.Text;
// repeat for each parameter
cmd.ExecuteNonQuery();
2011-12-10 02:04:15 UTC
FIX: You receive an "Incorrect syntax near ')'" error message when ...

support.microsoft.com/kb/894257

2 Nov 2007 – Fixes a bug in SQL Server 2000 where you receive an "Incorrect syntax ... FIX: You receive an "Incorrect syntax near ')'" error message when you ..... For more assistance options, please visit the Help and Support Home Page. ...
Simon
2011-12-10 02:04:51 UTC
I would guess that you're missing single quotes either side of txtName.Text.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.