C# SQL insert query syntax error with MS Access
Clash Royale CLAN TAG#URR8PPP
C# SQL insert query syntax error with MS Access
I am trying to perform an insert query in C# but it keeps telling me syntax error in insert into statement.
Here is my query:
Checks.SQL.Insert(mydb, "SELECT * FROM Employee", "INSERT INTO Employee(First_Name,Last_Name,Email,CellPhone_Number,TypeOfUser,Username,Password) VALUES('" + txtFirstName.Text + "','" + txtLastName.Text + "','" + txtEmail.Text + " ', '" + txtCellphone.Text + "'," + typeId + ",'"+Encrypcion.encrypt(txtUsername.Text)+"','"+Encrypcion.encrypt(txtPassword.Text)+"' )");
Here is my checks insert function
public static void Insert(OleDbConnection mydb, string SelectQuery, string InsertQuery)
mydb.Open();
OleDbDataAdapter query2 = new OleDbDataAdapter(SelectQuery, mydb);
OleDbCommand cmd = new OleDbCommand(InsertQuery, mydb);
query2.InsertCommand = cmd;
query2.InsertCommand.ExecuteNonQuery();
mydb.Close();
Here is a picture of my InsertQuery with input data as example:
InsertQuery
enter image description here
See a picture of my table info:
What is
Checks.SQL.Insert function doing and also I would maybe try storing your Insert SQL statement into a string and printing that to provide to us. It may be easier to spot your error this way.– Dan Scott
Aug 10 at 11:51
Checks.SQL.Insert
Say hi to Bobby Tables. Now in a more serious manner, your problem could be caused because you are doing a insert in a way you should not be doing, your code is vulnerable to SQL Injection and could cause SQL errors depending on the user input. Do note that with parametrized queries is easier to write SQL and you get a more clean SQL to review in case something fails.
– bradbury9
Aug 10 at 11:52
"I have done may validations to ensure fair input within the code" - it would have been quicker and easier and safer to parameterize... but: the first thing to do here is to find out what the actual string is, once concatenated. When you have that, log it, and look at it to find the problem... note: you're actually add a space to the end of the email. But: proper parameters would simply fix this. Also: you shouldn't ever encrypt a password (unless you are writing a password manager); you should hash it (salted)
– Marc Gravell♦
Aug 10 at 12:03
Additional note: my friend D'Arcy O'Neal is sad that she can't use your app :(
– Marc Gravell♦
Aug 10 at 12:06
1 Answer
1
Password is a reserved word in Access, so:
"INSERT INTO Employee(First_Name,Last_Name,Email,CellPhone_Number,TypeOfUser,Username,[Password]) .."
You beauty thank you that fixed it :)
– Richard Teunen
Aug 10 at 12:24
Great! Then please mark as answered.
– Gustav
Aug 10 at 13:47
By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.
Possible duplicate of What are good ways to prevent SQL injection?
– mjwills
Aug 10 at 11:47