How Do I Fix The Error "Incorrect Syntax Near ')'."

Question

4.50/5 (2 votes)

See more:

Hello Team,

I am getting error "Incorrect syntax near ')'.".How to fix the issue.

VB

string insertQuery = string.Format(
                   "Insert into CUSTOMERLOANDATA(Firstname,MiddleName,LastName,FullAddress,MobileNo1,EmailID,DOB,Loan1IntrRate,Loan1Amt,Loan2IntrRate,Loan2Amt,DateOfEMI,ReleaseDate,HouseType,Salary,CustomerLoanOCRId,CustomerAddr1,CustomerAddr2,Landmark,State,City,Pincode) values('{0}','{1}','{2}','{3}',{4},'{5}',{6},{7},{8},{9},{10},{11},{12},'{13}',{14},{15},'{16}','{17}','{18}','{19}','{20}',{21})",
                                                     customerLoanRecord.FirstName, ////0
                                                    customerLoanRecord.MiddleName, ////1
                                                    customerLoanRecord.LastName, ////2
                                                    customerLoanRecord.FullAddress, ////3
                                                    customerLoanRecord.MobileNo1, ////4
                                                   customerLoanRecord.EmailID, ////5
                                                   (customerLoanRecord.DOB.HasValue ? "'" + customerLoanRecord.DOB.Value.ObjectToDBDateTime() + "'" : "null"), ////6
                                                   customerLoanRecord.Loan1IntrRate, ////7
                                                   customerLoanRecord.Loan1Amt, ////8
                                                   customerLoanRecord.Loan2IntrRate, ////9
                                                   customerLoanRecord.Loan2Amt, ////10
                                                   (customerLoanRecord.DateOfEMI.HasValue ? "'" + customerLoanRecord.DateOfEMI.Value.ObjectToDBDateTime() + "'" : "null"), ////11
                                                   (customerLoanRecord.ReleaseDate.HasValue ? "'" + customerLoanRecord.ReleaseDate.Value.ObjectToDBDateTime() + "'" : "null"), ////12
                                                   customerLoanRecord.HouseType, ////13
                                                   customerLoanRecord.Salary, ////14
                                                   customerLoanRecord.CustomerLoanOCRId, ////15
                                                   customerLoanRecord.CustomerAddr1, ////16
                                                   customerLoanRecord.CustomerAddr2, ////17
                                                    customerLoanRecord.Landmark, ////18
                                                    customerLoanRecord.State, ////19
                                                    customerLoanRecord.City, ////20
                                                    customerLoanRecord.Pincode);

Thanks Harshal Raut

Posted 27-Jan-14 3:29am

R Harshal

Add a Solution

4 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Karthik_Mahalingam · Answer 1 · 2014-01-27T03:37:00

Solution 1

Hi Pls dont use Formatted SQL Statements as it is risk of SQL Injection [^],,use SQL Parameterised c#[^]

sample:

C#

string qry = "INSERT INTO TableName (Column1,Column2,Column3) VALUES( @Column1,@Column2,@Column3)";

           SqlCommand cmd = new SqlCommand(qry, con);
           cmd.Parameters.AddWithValue("@Column1",  value1);
           cmd.Parameters.AddWithValue("@Column1",  value2);
           cmd.Parameters.AddWithValue("@Column1",  value3);

Posted 27-Jan-14 3:37am

Karthik_Mahalingam

Comments

R Harshal 27-Jan-14 9:43am

ok friend but in my company the requirement is to be like this which i wrote.So kindly will you able to help me in this situation.(formatted SQL Statement).Please

Karthik_Mahalingam 27-Jan-14 9:45am

but it is not safe as it leads to sql injection attack...

Rahul VB 27-Jan-14 12:38pm

Hey Karthik can you please elaborate the term "Sql Injection attack"?
Thanks a ton

Karthik_Mahalingam 27-Jan-14 20:14pm

hi Rahul
check this links
http://ha.ckers.org/sqlinjection/

PIEBALDconsult 27-Jan-14 12:21pm

This is your chance to improve things at your company. Parameterized commands are all kinds of better than what you show.

Have a look at this beauty: http://www.codeproject.com/Feature/WeirdAndWonderful.aspx/trackback/?msg=4473385

Karthik_Mahalingam 28-Jan-14 21:29pm

good

Dave Kreskowiak 28-Jan-14 11:42am

OK, so what your "company" is doing is exposing itself to great risk with customer data.

It's also costing more because you're running into debugging problems you apparently cant solve.

The really BIG problem with what you're doing is what if someone types a ' or ( or ) characters in one of those textboxes?? Oops, you just broken your SQL statement, or worse. Is your code written to handle situations where executing the SQL fails?? Probably not.

R Harshal 27-Jan-14 9:47am

yes it is in string.format
please check it

R Harshal 27-Jan-14 10:20am

i got the solution .
passing empty in pincode textbox is creating the error.
if we pass pincode it is working.
Thanks Buddy

Karthik_Mahalingam 27-Jan-14 10:36am

cool :)

Ron Beyer · Answer 2 · 2014-01-27T03:38:00

Solution 2

By using SQL Parameters.

http://www.dotnetperls.com/sqlparameter[^]

Your way is slightly better than string concatenation, but still highly exposed to SQL injection attacks. Using parameterized queries expecially with something this big will really help you form your SQL properly and give errors that you can understand.

Posted 27-Jan-14 3:38am

Ron Beyer

Comments

R Harshal 27-Jan-14 10:20am

i got the solution .
passing empty in pincode textbox is creating the error.
if we pass pincode it is working.
Thanks Buddy

Sampath Lokuge · Answer 3 · 2014-01-27T03:40:00

Solution 3

The best solution which I can say to you is, Remove all the code and start it again from A. And add your query line by line and the same time run and check whether is there any errors or not. In that way you can easily find the missing or additional bracket there.
There is no short cut for find the missing bracket on this query.B'cos its string value.

Good Luck :)

Posted 27-Jan-14 3:40am

Sampath Lokuge

Comments

R Harshal 27-Jan-14 10:20am

i got the solution .
passing empty in pincode textbox is creating the error.
if we pass pincode it is working.
Thanks Buddy

Sampath Lokuge 27-Jan-14 10:24am

Congratulation ! :)

Sampath Lokuge 27-Jan-14 10:28am

For avoid it'll happen in future, you have to validate either on client side or sever side or may be both.Do that also.

R Harshal 27-Jan-14 10:41am

Thanks Sir..

PIEBALDconsult · Answer 4 · 2014-01-27T03:42:00

Solution 4

The solution, in this case, would be to use a parameterized statement rather than trying to use concatenation to create statement that could be problematic.

And don't store dates as strings.

And I hope you are hashing the pincode.

Posted 27-Jan-14 3:42am

PIEBALDconsult

Comments

R Harshal 27-Jan-14 9:55am

if pincode textbox is empty.you mean to say should i do like this for pincode.
'{21}'

PIEBALDconsult 27-Jan-14 9:58am

No, I mean to store a hash of the value, not the actual value.

R Harshal 27-Jan-14 10:05am

can you able to write some part ,so that i will get a idea..

R Harshal 27-Jan-14 10:05am

Please Buddy...

R Harshal 27-Jan-14 10:20am

i got the solution .
passing empty in pincode textbox is creating the error.
if we pass pincode it is working.
Thanks Buddy

PIEBALDconsult 27-Jan-14 11:39am

Using a parameterized command will fix that.