CODEWITHSUNDEEP
c#visual-studio-2010
Alan
Alan

Reputation: 1

visual studio C# connect textbox to database

I have written this simple code in c# VS 2010 to store the name and login to my local table. When i run it is shows me this massage:

"incorrect syntax near the nvarchar" 

using System;
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void Form1_Load(object sender, EventArgs e)
        {

        }

        private void button1_Click(object sender, EventArgs e)
        {
            string name =textBox1.Text;
            string login =textBox2 .Text;
            string sqlquery;
            SqlConnection cn = new SqlConnection("Data Source=.\\SQLEXPRESS;AttachDbFilename= C:\\Users\\Safeen\\Documents\\Visual Studio 2010\\Projects\\WindowsFormsApplication12\\WindowsFormsApplication12\\Database1.mdf;Integrated Security=True;User Instance=True");
            cn.Open();
            sqlquery = "INSERT INTO Table1 (user, password) VALUES ('" + name + "','" + login + "')";

        try
        {
            SqlCommand command = new SqlCommand(sqlquery, cn);
            command.Parameters.AddWithValue("@user ", textBox1.Text);
            command.Parameters.AddWithValue("@password ", textBox2.Text);
            command.ExecuteNonQuery();
            MessageBox.Show("Table1 Added");
        }
        catch (Exception ex)
        {
            MessageBox.Show(ex.Message);
        }

        textBox1.Clear();
        textBox2.Clear();
        cn.Close();
        }
    }

Upvotes: 0

Views: 995

Answers (1)

user4650451
user4650451

Reputation:

You're providing multiple values for your parameters.

You're saying the db value of user = name and password = login, then ALSO passing in two parameters called @user and @password, without telling SQL which set is correct.

You definitely want to go with SqlCommand option and also set the SqlCommand.CommandType to the correct value. Assigning parameters like this is safe; dropping variables directly into the VALUES() clause (like you had in your original post) can open yourself to SQL Injection attacks.

I edited out a recommendation to use Stored Procs here. That's more of a personal preference I have, as per the little discussion in the comments; I like to separate out my database layer. Also, it means that if anything ever changes you just have to update your Stored Proc once instead of finding your query everywhere it could be in your app.

Upvotes: 1

Related Questions