Reputation: 101
I am writing the following code in my C-Sharp Form Application and it's giving me the following error.
> Syntax error in INSERT INTO statement.
OleDbCommand cmd =
new OleDbCommand(
"Insert into Info (username, password) Values ('"
+ username
+ "', '"
+ password
+ "')"
, conn
);
Upvotes: 1
Views: 228
Reputation: 216263
The word PASSWORD is a reserved keyword. To use it you should enclose the string in square brackets:
OleDbCommand cmd = new OleDbCommand("Insert into Info (username, [password]) Values ('" + username + "', '" + password + "')", conn);
And please, please, do not use string concatenation to build SQL statements. It is a very bad practice that leads to other syntax errors (username or password with single quotes) or, worse, to SQL injection attacks. Take a look here at what could happen if you have a smart and malicious user.
OleDbCommand cmd = new OleDbCommand("Insert into Info (username, [password]) Values (?,?)", conn);
cmd.Parameters.AddWithValue("@p1", username);
cmd.Parameters.AddWithValue("@p2", password);
cmd.ExecuteNonQuery();
Upvotes: 3
Reputation: 28701
You need to bracket off password. It's a reserved word.
OleDbCommand cmd =
new OleDbCommand("Insert into Info (username, [password]) Values ('" + username + "', '" + password + "')", conn);
Upvotes: 2
Reputation: 349
Maybe there's an illegal character (such as a single quote) within the username or password variables. Make sure they're sanitized.
Upvotes: 1
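The parameterized insert from the accepted-style answer above, run against the single-quote input raised in the last answer, as an added example that is not part of the original posts. The class and method names, the constructed sample values, and the parameter size of 255 are assumptions; no database connection is needed to run it because it only builds and prints the commands.

```csharp
using System;
using System.Data.OleDb;

static class InsertUserExample
{
    // Parameterized INSERT with explicit parameter types instead of AddWithValue.
    // OleDb binds "?" placeholders by position: parameter names are ignored,
    // so the order of the Add calls must match the column order in the statement.
    public static OleDbCommand BuildInsert(OleDbConnection conn, string username, string password)
    {
        var cmd = new OleDbCommand(
            "INSERT INTO Info (username, [password]) VALUES (?, ?)", conn);
        // Size 255 is an assumption; use the real size of each column.
        cmd.Parameters.Add("@username", OleDbType.VarWChar, 255).Value = username;
        cmd.Parameters.Add("@password", OleDbType.VarWChar, 255).Value = password;
        return cmd;
    }

    // Concatenated form from the question (with the [password] fix),
    // kept only to show how the SQL text changes with the input.
    public static string BuildConcatenated(string username, string password)
    {
        return "INSERT INTO Info (username, [password]) VALUES ('"
             + username + "', '" + password + "')";
    }

    static void Main()
    {
        // Constructed sample input containing a single quote.
        string username = "O'Brien";
        string password = "example-value";

        // Concatenation: the quote inside the value closes the string literal
        // early, so the provider receives malformed SQL.
        Console.WriteLine(BuildConcatenated(username, password));

        // Parameters: the command text stays constant; values travel separately.
        using (var cmd = BuildInsert(null, username, password))
        {
            Console.WriteLine(cmd.CommandText);
            foreach (OleDbParameter p in cmd.Parameters)
                Console.WriteLine("{0} ({1}) = {2}", p.ParameterName, p.OleDbType, p.Value);
            // With an open connection assigned: cmd.ExecuteNonQuery();
        }
    }
}
```

Because the value never becomes part of the SQL text, no quote escaping or input "sanitizing" is required for the statement to parse correctly.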