Reputation: 23
public void RegisterUser(string passw, string uname, string fname, string lname, string email)
{
    // Values are concatenated straight into the SQL text, so any quote in the input becomes part of the statement
    string strSql = @"INSERT INTO User (passw,uname,fname,lname,email) values ('" + passw + "','" + uname + "','" + fname + "','" + lname + "','" + email + "')";
    cn.Open();
    OleDbCommand cmd = new OleDbCommand(strSql, cn);
    int yy = cmd.ExecuteNonQuery();
    cn.Close();
    cn.Dispose();
}
No matter what I do I get the same error. Does anyone see something wrong here? Or is there another creative way to solve this problem? Thanks.
Upvotes: 2
Views: 4919
Reputation: 991
Your code here can change dynamically depending on the user input. And that is what is causing the error.
Let me explain: if any of your input fields contains an apostrophe [ ' ], the SQL breaks and now has an unclosed quote.
Not only that, it also exposes your code to SQL injection attacks.
So I suggest you use parameters for passing values, as parameters are treated differently and are safe, as well as preventing SQL injection.
public void RegisterUser(string passw, string uname, string fname, string lname, string email)
{
    // Placeholders in the SQL text; the values never become part of the statement itself
    string strSql = @"INSERT INTO User (passw,uname,fname,lname,email) values (@passw,@uname,@fname,@lname,@email)";
    cn.Open();
    OleDbCommand cmd = new OleDbCommand(strSql, cn);
    // OleDb binds parameters by position, not by name, so the order of these Add calls
    // must match the order of the placeholders in the SQL text
    cmd.Parameters.AddWithValue("@passw", passw);
    cmd.Parameters.AddWithValue("@uname", uname);
    cmd.Parameters.AddWithValue("@fname", fname);
    cmd.Parameters.AddWithValue("@lname", lname);
    cmd.Parameters.AddWithValue("@email", email);
    int yy = cmd.ExecuteNonQuery();
    cn.Close();
    cn.Dispose();
}
Upvotes: 6
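To show the apostrophe failure and the parameter fix this answer describes, here is an added Python/sqlite3 version (not code from the question or the answer). It uses an in-memory database and `?` placeholders in place of OleDb, and the constructed last name O'Brien stands in for user input that contains a quote.

```python
import sqlite3

# Constructed schema mirroring the columns in the question.
SCHEMA = "CREATE TABLE users (passw TEXT, uname TEXT, fname TEXT, lname TEXT, email TEXT)"


def _fresh_db():
    # In-memory database standing in for the OleDb connection in the question.
    cn = sqlite3.connect(":memory:")
    cn.execute(SCHEMA)
    return cn


def register_user_concat(cn, passw, uname, fname, lname, email):
    # Mirrors the question: values pasted straight into the SQL text,
    # so a quote in any field changes the statement's structure.
    sql = ("INSERT INTO users (passw,uname,fname,lname,email) values ('"
           + passw + "','" + uname + "','" + fname + "','" + lname + "','" + email + "')")
    cn.execute(sql)


def register_user_params(cn, passw, uname, fname, lname, email):
    # Mirrors the answer: placeholders in the text, values bound separately
    # in the same order as the placeholders.
    sql = "INSERT INTO users (passw,uname,fname,lname,email) values (?,?,?,?,?)"
    cn.execute(sql, (passw, uname, fname, lname, email))


def try_register(register, lname):
    """Run one registration style with a constructed last name.

    Returns (True, stored_lname) on success or (False, error_text) when the
    database rejects the statement.
    """
    cn = _fresh_db()
    try:
        register(cn, "secret", "dob", "Dan", lname, "dan@example.com")
    except sqlite3.Error as e:
        return False, str(e)
    row = cn.execute("SELECT lname FROM users").fetchone()
    return True, row[0]


if __name__ == "__main__":
    print(try_register(register_user_concat, "O'Brien"))  # (False, "near \"Brien\": syntax error")
    print(try_register(register_user_params, "O'Brien"))  # (True, "O'Brien")
```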
Reputation: 2456
In Oracle, user is a reserved word and INSERT INTO User ... generates ORA-00903: invalid table name.
Upvotes: 0