Dear All,

Unclosed quotation mark after the character string ')'. Incorrect syntax near ')'. 

C#
SqlCommand cmd = new SqlCommand("INSERT INTO lta_declaration VALUES ('" + txtLTA_Destination_To.Text + "','"

                + ddl_Transport.Text + "','"
                + txtDT_From.Text + "','"
                + txtDT_To.Text + "','"
                + txtTravel_Sno_1.Text + "','"
                + txtTravel_Name_1.Text + "','"
                + ddl_Travel_Relationship_1.Text + "','"
                + txtTravel_Age_1.Text + "','"
                + txtTravel_TicketNo_1.Text + "','"
                + txtTravel_Total_Bill_Amount.Text + "',"
                + txtTravel_Amount_Restricted_1.Text +"')", con);
Updated 10-May-12 6:12am

Your line txtTravel_Total_Bill_Amount.Text + "'," needs a second ',
so it would be txtTravel_Total_Bill_Amount.Text + "','"


Might I recommend skipping concatenating strings for SQL? Because it is VERY insecure. Instead, try to use parameters :)
 
Comments
Wendelius 10-May-12 16:50pm    
Good catch, 5!
Sergey Alexandrovich Kryukov 10-May-12 16:52pm    
It would be useful if not just one thing: the whole thing with string concatenation should never be done at all, especially for composing ADO.NET commands. Never.
Please see my answer where I explain it.
--SA
[no name] 10-May-12 16:56pm    
I agree with you, but the answer was about finding the error in the string. :) But yes, he should NOT be using strings for that.
Monjurul Habib 11-May-12 1:22am    
5!
A few additional notes.

Never concatenate values to a SQL statement. The proper way to keep you secure from SQL injections, type conversion errors and so on is to use SqlParameter.

Another thing: while the statement is correct if you specify values for all the columns in the correct order, it's advisable to always define the target columns. This prevents errors if more columns are added, the order of the columns is different, etc. So your statement should look something like:
SQL
INSERT INTO TableName
   ( Col1, Col2, Col3, ... )
VALUES 
   ( @Value1, @Value2, @Value3 ...)
 
Comments
Sergey Alexandrovich Kryukov 10-May-12 16:41pm    
Very good, a 5.
I credited this post in my answer -- please see.
I explained an important problem of OP's code -- SQL Injection and added useful references.
--SA
Maciej Los 10-May-12 16:47pm    
+5
Wendelius 10-May-12 16:50pm    
Thanks :)
Monjurul Habib 11-May-12 1:22am    
5!
Wendelius 11-May-12 1:30am    
Thanks Monjurul :)
One problem of your code is string concatenation. Repeated concatenation is a bad operation, because strings are immutable, so it's a performance problem. Should I explain why? The class System.Text.StringBuilder and the method String.Format are free from this problem.

But a much bigger problem is the purpose of your concatenation. This is really a fatal mistake, from the security standpoint. The problem is: you compose a command using the strings taken from the UI, from the user input. But the user can input anything, including some SQL fragments (no, filtering them out is not serious). This opens wide doors to the well-known exploit called SQL injection. Never do it. Please read about this exploit and pay special attention to the importance of parameterized statements:
http://en.wikipedia.org/wiki/SQL_injection.

You need to use SQL command parameters the way Mika Wendelius demonstrated in his Solution 2. Please read about using command parameters in ADO.NET:
http://msdn.microsoft.com/en-us/library/yy6y35y8.aspx.

—SA
 
Comments
Wendelius 10-May-12 16:45pm    
Yes, exactly. 5!
Sergey Alexandrovich Kryukov 10-May-12 16:50pm    
Thank you, Mika.
--SA
Maciej Los 10-May-12 16:47pm    
+5
Sergey Alexandrovich Kryukov 10-May-12 16:50pm    
Thank you.
--SA
Monjurul Habib 11-May-12 1:22am    
5!
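
The parameterized INSERT that the answers above recommend, written out for the question's eleven inputs as an added example (not code posted by anyone in the thread). The column names, SQL types and sizes, and the `LtaDeclaration` / `BuildInsert` / `AddMoney` names are assumptions, because the page never shows the table definition.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

public static class LtaDeclaration
{
    // Hypothetical column names and types: the table definition is not on the page.
    const string Sql = @"
INSERT INTO lta_declaration
    (destination_to, transport, date_from, date_to, travel_sno, travel_name,
     relationship, age, ticket_no, total_bill_amount, amount_restricted)
VALUES
    (@dest, @transport, @dateFrom, @dateTo, @sno, @name,
     @relationship, @age, @ticket, @total, @restricted)";

    // Arguments are the raw .Text values of the controls used in the question.
    public static SqlCommand BuildInsert(SqlConnection con, string dest, string transport,
        string dateFrom, string dateTo, string sno, string name, string relationship,
        string age, string ticket, string total, string restricted)
    {
        var inv = CultureInfo.InvariantCulture;
        var cmd = new SqlCommand(Sql, con);
        var p = cmd.Parameters;

        // Text travels as data, so a quote (as in "O'Brien") can neither
        // unbalance the statement nor be executed as SQL.
        p.Add("@dest", SqlDbType.NVarChar, 100).Value = dest;
        p.Add("@transport", SqlDbType.NVarChar, 50).Value = transport;
        p.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        p.Add("@relationship", SqlDbType.NVarChar, 50).Value = relationship;
        p.Add("@ticket", SqlDbType.NVarChar, 50).Value = ticket;

        // Parsing throws FormatException on malformed input before it reaches the server.
        p.Add("@dateFrom", SqlDbType.Date).Value = DateTime.Parse(dateFrom, inv);
        p.Add("@dateTo", SqlDbType.Date).Value = DateTime.Parse(dateTo, inv);
        p.Add("@sno", SqlDbType.Int).Value = int.Parse(sno, inv);
        p.Add("@age", SqlDbType.Int).Value = int.Parse(age, inv);
        AddMoney(p, "@total", decimal.Parse(total, inv));
        AddMoney(p, "@restricted", decimal.Parse(restricted, inv));
        return cmd;
    }

    static void AddMoney(SqlParameterCollection p, string name, decimal value)
    {
        var param = p.Add(name, SqlDbType.Decimal);
        param.Precision = 12;   // assumed DECIMAL(12,2) column
        param.Scale = 2;
        param.Value = value;
    }
}
```

Dispose the returned command with `using` and run it with `ExecuteNonQuery()` on an open connection.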

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


