Reputation: 49
I am calling a web service in Azure to populate a DB with the following method. I don't know what's wrong.
using (SqlConnection conn = new SqlConnection(cs))
{
using (SqlCommand command = conn.CreateCommand())
{
conn.Open();
string cmdText = String.Format("INSERT INTO UserFiles VALUES('" + obj.userRef.ToString() + "','name','name','name','name','name','name'");
command.CommandText = cmdText;
command.ExecuteNonQuery();
conn.Close();
}
}
This is the error msg:
System.Data.SqlClient.SqlException (0x80131904): Incorrect syntax near 'name'.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout)
at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)
at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()
at _4900ProjectDesktopInterface.Form1.uploadbutton_Click(Object sender, EventArgs e) in C:\Users\Ken\Documents\GitHub\MegaFileUploadConversionService\TestingTool\4900ProjectDesktopInterface\Form1.cs:line 152
ClientConnectionId:fb95122f-415b-484d-9438-903f0bf2aad0
Upvotes: 1
Views: 2020
Reputation: 98750
Your cmdText needs one more ) at the end of it:
using (SqlConnection conn = new SqlConnection(cs))
{
using (SqlCommand command = conn.CreateCommand())
{
conn.Open();
// Closing parenthesis added; values are passed as parameters, never concatenated into the SQL text
string cmdText = "INSERT INTO UserFiles VALUES(@userRef, @name1, @name2, @name3, @name4, @name5, @name6)";
// 'name' stands in for whatever value each column should receive
command.Parameters.AddWithValue("@userRef", obj.userRef.ToString());
command.Parameters.AddWithValue("@name1", name);
command.Parameters.AddWithValue("@name2", name);
command.Parameters.AddWithValue("@name3", name);
command.Parameters.AddWithValue("@name4", name);
command.Parameters.AddWithValue("@name5", name);
command.Parameters.AddWithValue("@name6", name);
command.CommandText = cmdText;
command.ExecuteNonQuery();
conn.Close();
}
}
As I said in my comment, you should always use parameterized queries. Your code is open to SQL injection attacks.
Upvotes: 3
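Added example, not code from the question or from the answer above: the same insert written as a helper with explicitly typed parameters, so the parameter type and length are fixed in code rather than inferred from the runtime value as AddWithValue does. The column names (UserRef, Name1 to Name6), the sizes and the connection-string argument are assumptions, since the question never shows the table schema.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Assumed schema: UserFiles(UserRef nvarchar(64), Name1..Name6 nvarchar(256)).
public static class UserFilesRepository
{
    public static int InsertUserFile(string connectionString, string userRef, string[] names)
    {
        if (names == null || names.Length != 6)
            throw new ArgumentException("UserFiles expects exactly six name values", nameof(names));

        // Listing the columns keeps the INSERT valid if the table later gains a column;
        // the @placeholders are the only path by which caller data reaches SQL Server.
        const string sql =
            "INSERT INTO UserFiles (UserRef, Name1, Name2, Name3, Name4, Name5, Name6) " +
            "VALUES (@userRef, @name1, @name2, @name3, @name4, @name5, @name6)";

        using (var conn = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, conn))
        {
            // Explicit SqlDbType and length: the type is decided here, not by the input.
            command.Parameters.Add("@userRef", SqlDbType.NVarChar, 64).Value = userRef;
            for (int i = 0; i < names.Length; i++)
            {
                // A value such as O'Brien is sent as data, so its quote cannot end the literal
                // the way it would in the concatenated cmdText from the question.
                command.Parameters.Add("@name" + (i + 1), SqlDbType.NVarChar, 256).Value =
                    (object)names[i] ?? DBNull.Value;
            }

            conn.Open();
            return command.ExecuteNonQuery(); // 1 when exactly one row was inserted
        }
    }
}
```

The using blocks dispose the command and connection, so no explicit conn.Close() is needed; a caller can check the return value against 1 to confirm the row was written.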
Reputation: 18759
It looks like you are not terminating the open bracket for VALUES. And why are you using String.Format? You can also get rid of conn.Close(), since the using statement will implicitly do this.
using (SqlConnection conn = new SqlConnection(cs))
{
using (SqlCommand command = conn.CreateCommand())
{
conn.Open();
string cmdText = "INSERT INTO UserFiles VALUES('" + obj.userRef.ToString() + "','name','name','name','name','name','name')";
command.CommandText = cmdText;
command.ExecuteNonQuery();
}
}
Upvotes: 0
Reputation: 630
using (SqlConnection conn = new SqlConnection(cs))
{
using (SqlCommand command = conn.CreateCommand())
{
conn.Open();
string cmdText = String.Format("INSERT INTO UserFiles VALUES('" + obj.userRef.ToString() + "','name','name','name','name','name','name')");
command.CommandText = cmdText;
command.ExecuteNonQuery();
conn.Close();
}
}
You forgot the closing right parenthesis.
Upvotes: 2