Using MSSQL CE in C# getting error, and can't figure our why,

Question

I have a problem with inserting into a MSSQL CE database,

locCon.Open();

SqlCeCommand locCmd = locCon.CreateCommand();
locCmd.CommandText = "INSERT INTO user (ID,FName,LName,Email) VALUES('"+this.id+"','"+this.fName+"', '"+this.lName+"','"+this.email+"')";
locCmd.ExecuteNonQuery();

When running this I get

There was an error parsing the query. [Token line number = 1, Token line offset = 13, Token in error = user]

Now i cant see anything wrong with the query although this is the firsr time ive used MS SQL of examples ive seen the syntax for mysql and msssql are identical well for inserts anyway. Is there soemthing obviously wrong with this?

Thanks

Answer 1

You may have to put brackets around the user part like so:

INSERT INTO [user]

this is because user can be a reserved word. putting [] around reserved words in SQL allows them to be used as field and table names.

One other major point is that you are constructing your query from some text inputs. This exposes you to SQL injection attacks. To avoid this I would highly recommend that you use Sql Parameters instead which help to prevent this. See this link:

http://msdn.microsoft.com/en-us/library/ff648339.aspx

Answer 2

I think "user" is a reserved word in the database. Try replacing this:

INSERT INTO user (ID,FName,LName,Email) VALUES (

with this:

INSERT INTO [user] (ID,FName,LName,Email) VALUES (

(I think it' square brackets for MSSQL CE, since it is for other MSSQL engines.)

The square brackets basically tell the query engine, "This is an identifier for an object in the database." They're commonly used to wrap the names of database objects which contain spaces, since those otherwise wouldn't parse correctly. But it's also useful for objects which are reserved words.