What is the syntax error in the Insert Into statement on this line?
C#
string cb = "insert into Sales1 ([InvoiceNo],[InvoiceDate],[SubTotal],[VATPercentage],[VATAmount],[GrandTotal],[TotalPayment],[PaymentDue]) VALUES ('" + txtInvoiceNo.Text + "'," + dtpInvoiceDate.Text + "," + txtSubTotal.Text + "," + txtTaxPer.Text + "," + txtTaxAmt.Text + "," + txtTotal.Text + "," + txtTotalPayment.Text + ",'" + txtPaymentDue.Text + "')";
Posted
Updated 8-Nov-14 1:05am
Comments
Tomas Takac 8-Nov-14 5:59am    
Are you using SQL Server? I guess invoice date is not in quotes? You need to pass dates the same way you are passing strings.

Do you know that this implementation is susceptible to SQL Injection?

I would suggest you rather use Stored Procedures or Parameterized Queries in SQL.
 
Share this answer
 
Comments
[no name] 8-Nov-14 7:49am    
Good hint, but not OP's problem at the moment. Anyway, a 5.
Manas Bhardwaj 8-Nov-14 7:52am    
thx Bruno :)
The "syntax error" is trivial, compared to the other problems this has.

Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack, which can destroy your entire database. Use parameterized queries instead.

Doing that will very likely start to remove the syntax error - but it may leave some others you need to look at as well.
Starting with your dates...
1) Make sure you don't store them as NVARCHAR values: use DATETIME or you will have massive problems in future.
2) Don't pass them through as strings, even as parameters: that leaves the way open for SQL to misinterpret the date format and either throw an exception or, worse, insert the wrong data in your DB. Your C# code has access to the user setting for Culture and thus can work out exactly what date he expects: SQL doesn't, and can't. Check and convert your dates to DateTime values in your C# and pass that through to SQL as a parameter.
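Both answers above recommend parameterized queries, and the second adds that dates should be converted in C# and sent as DateTime values. The following is an added example, not code from the question or from either answer, showing the same INSERT done that way. It assumes SQL Server through System.Data.SqlClient; the connection string, the column types (NVARCHAR, DATETIME, DECIMAL(18,2)) and the Save handler are assumptions for illustration, while the table and column names are the ones from the question.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

// Added example (not the original poster's or the answerers' code).
// Assumes SQL Server via System.Data.SqlClient; the connection string and the
// NVARCHAR/DATETIME/DECIMAL column types are assumptions. Table and column
// names are taken from the question.
public static class SalesInsert
{
    // Step 1: convert the raw text box strings in the application's own culture.
    // A value that does not parse becomes a clear error here, instead of a SQL
    // syntax error, or worse, a date the server reads as 11 August instead of 8 November.
    public static bool TryParseInputs(CultureInfo culture,
        string invoiceDateText, string subTotalText, string taxPerText,
        string taxAmtText, string totalText, string totalPaymentText,
        out DateTime invoiceDate, out decimal[] amounts, out string error)
    {
        amounts = null;
        error = null;
        if (!DateTime.TryParse(invoiceDateText, culture, DateTimeStyles.None, out invoiceDate))
        {
            error = "Invoice date is not a valid date: " + invoiceDateText;
            return false;
        }
        string[] texts = { subTotalText, taxPerText, taxAmtText, totalText, totalPaymentText };
        amounts = new decimal[texts.Length];
        for (int i = 0; i < texts.Length; i++)
        {
            if (!decimal.TryParse(texts[i], NumberStyles.Number, culture, out amounts[i]))
            {
                error = "Not a valid amount: " + texts[i];
                return false;
            }
        }
        return true;
    }

    // Step 2: the SQL text is a constant and every user value is a typed parameter.
    // "O'Brien" or "'); DROP TABLE Sales1; --" typed into a text box is just data,
    // and the DateTime reaches the server as a DATETIME, never as a culture-dependent string.
    public static int InsertSale(SqlConnection connection, string invoiceNo,
        DateTime invoiceDate, decimal[] amounts, string paymentDue)
    {
        const string sql =
            "INSERT INTO Sales1 ([InvoiceNo],[InvoiceDate],[SubTotal],[VATPercentage]," +
            "[VATAmount],[GrandTotal],[TotalPayment],[PaymentDue]) " +
            "VALUES (@InvoiceNo,@InvoiceDate,@SubTotal,@VATPercentage," +
            "@VATAmount,@GrandTotal,@TotalPayment,@PaymentDue)";

        using (var cmd = new SqlCommand(sql, connection))
        {
            cmd.Parameters.Add("@InvoiceNo", SqlDbType.NVarChar, 50).Value = invoiceNo;
            cmd.Parameters.Add("@InvoiceDate", SqlDbType.DateTime).Value = invoiceDate;
            AddMoney(cmd, "@SubTotal", amounts[0]);
            AddMoney(cmd, "@VATPercentage", amounts[1]);
            AddMoney(cmd, "@VATAmount", amounts[2]);
            AddMoney(cmd, "@GrandTotal", amounts[3]);
            AddMoney(cmd, "@TotalPayment", amounts[4]);
            cmd.Parameters.Add("@PaymentDue", SqlDbType.NVarChar, 50).Value = paymentDue;
            return cmd.ExecuteNonQuery();
        }
    }

    // DECIMAL parameters carry an explicit precision and scale (assumed 18,2 here)
    // so the provider does not have to infer them from each value.
    private static void AddMoney(SqlCommand cmd, string name, decimal value)
    {
        SqlParameter p = cmd.Parameters.Add(name, SqlDbType.Decimal);
        p.Precision = 18;
        p.Scale = 2;
        p.Value = value;
    }

    // How the form's save handler would call it (parameter names follow the
    // text box names in the question; they hold the controls' Text values).
    public static void Save(string connectionString, CultureInfo culture,
        string txtInvoiceNo, string dtpInvoiceDate, string txtSubTotal, string txtTaxPer,
        string txtTaxAmt, string txtTotal, string txtTotalPayment, string txtPaymentDue)
    {
        DateTime invoiceDate; decimal[] amounts; string error;
        if (!TryParseInputs(culture, dtpInvoiceDate, txtSubTotal, txtTaxPer, txtTaxAmt,
                txtTotal, txtTotalPayment, out invoiceDate, out amounts, out error))
        {
            throw new ArgumentException(error); // report to the user instead of saving
        }
        using (var connection = new SqlConnection(connectionString))
        {
            connection.Open();
            InsertSale(connection, txtInvoiceNo, invoiceDate, amounts, txtPaymentDue);
        }
    }
}
```

Because no user value is ever spliced into the SQL text, the question of quoting the date does not arise, which is why the original syntax error disappears along with the injection risk. If dtpInvoiceDate is a DateTimePicker, its Value property is already a DateTime and can be handed to InsertSale directly with no parsing at all. If the database is Access rather than SQL Server, the same pattern works with OleDbConnection and OleDbCommand, except that the placeholders are positional ? markers and the parameters must be added in column order.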
 
Share this answer
 
Comments
Mike Meinz 8-Nov-14 8:25am    
Plus Parameterized queries provide a performance benefit over concatenated string queries.
[no name] 8-Nov-14 9:03am    
Also my 5

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)