C#
using System;
using System.Data.OleDb;
using System.Windows.Forms;
namespace Database_Access
{
    public class Connection
    {
        OleDbConnection oldb;
        OleDbCommand command;
        public Connection()
        {
            oldb = new OleDbConnection("Provider=Microsoft.ACE.OLEDB.12.0;Data Source=F:\\abc.mdb;");
            //command = oldb.CreateCommand();
        }
        public void insert_query(String user_id, String user_password)
        {
            try
            {
                oldb.Open();
                String sql = "INSERT INTO info(ID,Password) values(" + user_id + "," + user_password + ")";
                command = new OleDbCommand(sql, oldb);
              /*  command.CommandText = "INSERT INTO info(ID,Password) values('" + user_id + "','" + user_password + "')";
                command.CommandType = CommandType.Text;*/

                command.ExecuteNonQuery();
                MessageBox.Show("Insert Successfully");

            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message);
            }
            finally
            {
                oldb.Close();
            }
        }
    }
}

When I run this code, it shows a syntax error in the INSERT INTO statement.
How do I solve this?
Updated 22-Dec-13 6:51am
Comments
Mike Meinz 22-Dec-13 14:36pm    
Use parameterized SQL commands to prevent SQL Injection Attacks.
See Giving SQL Injection the Respect it Deserves

1 solution

The commented SQL is closer to what you want, although you should really avoid string concatenation in favor of using parameters; look up SQL injection attacks.

C#
String sql = "INSERT INTO info(ID,Password) values('" + user_id + "','" + user_password + "')";


Notice the ' in the command? They surround string values.

Also, make sure that you are using ID as your User ID in your table; a lot of people name the primary key ID, which is usually an integer.
 
Comments
Kawshik_itbd 22-Dec-13 11:58am    
It always shows a syntax error :(
Ron Beyer 22-Dec-13 15:04pm    
Did you try copy/pasting the query into Access QueryBuilder to see what error it gives there? It may be more descriptive. You also may have to surround your table/column names in square brackets, like:

"INSERT INTO [info] ([ID], [Password]) values ('" + user_id + "','" + user_password + "')"
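
The parameterized form that the comment and the answer above recommend, as an added example that is not code from the original thread. The method name InsertUser, the parameter names and the 50-character Text column sizes are assumptions; the connection string, table and column names are from the question.

```csharp
using System;
using System.Data.OleDb;

namespace Database_Access
{
    public class Connection
    {
        // Connection string taken from the question.
        private const string ConnectionString =
            "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=F:\\abc.mdb;";

        // Returns the number of rows inserted. Values travel as parameters,
        // so quotes or SQL keywords inside them are stored as plain data.
        public int InsertUser(string userId, string userPassword)
        {
            // Constant SQL text: no user input is concatenated into it.
            // Names are bracketed as suggested in the comment above.
            const string sql =
                "INSERT INTO [info] ([ID], [Password]) VALUES (?, ?)";

            using (var connection = new OleDbConnection(ConnectionString))
            using (var command = new OleDbCommand(sql, connection))
            {
                // OleDb binds parameters by position, not by name, so the
                // Add order must match the order of the ? markers.
                // Assumption: both columns are Text, up to 50 characters.
                command.Parameters.Add("@id", OleDbType.VarWChar, 50).Value = userId;
                command.Parameters.Add("@password", OleDbType.VarWChar, 50).Value = userPassword;

                connection.Open();
                return command.ExecuteNonQuery();
            }
        }
    }

    public static class Program
    {
        public static void Main()
        {
            // Constructed input: the embedded quotes would break the
            // concatenated query; here they are inserted verbatim.
            int rows = new Connection().InsertUser("o'brien", "pa'ss");
            Console.WriteLine("Rows inserted: " + rows);
        }
    }
}
```

The `using` blocks close the connection even when ExecuteNonQuery throws, which replaces the try/finally in the question.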

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


