Search code examples
c#.netinsert-intooledbcommandoledbexception

OleDbException: Syntax error in INSERT INTO statement

I got OleDbException: Syntax error in INSERT INTO statement. I think that my INSERT INTO statement is good. Parameters have good data type so it's not problem. Does someone maybe know what's the problem?

        OleDbCommand command = new OleDbCommand();
        command.Connection = conn;
        command.CommandType = CommandType.Text;
        command.CommandText = String.Format("INSERT INTO Employees" +
            " (ID, Company, Last Name, First Name, E-mail Address, Job Title, Business Phone, Home Phone" +
            ", Mobile Phone, Fax NUmber, Address, City, State/Province, ZIP/Postal Code, Country/Region, Web Page, Notes)" +
            " Values ('{0}', '{1}','{2}','{3}','{4}','{5}'," +
            "'{6}','{7}','{8}','{9}','{10}','{11}','{12}','{13}','{14}','{15}','{16}')", iD,kompanija,prezime,ime,email,
           zvanje,busTelefon,telefon,mobTelefon,fax,adresa,grad,okrug,postanskiBroj,zemlja,web,beleska);               zvanje,busTelefon,telefon,mobTelefon,fax,adresa,grad,okrug,postanskiBroj,zemlja,web,beleska);

        conn.Open();
        command.ExecuteNonQuery();
        conn.Close();

Error message: enter image description here

UDATE SQL:

        OleDbCommand command = new OleDbCommand();
        command.Connection = conn;
        command.CommandType = CommandType.Text;
        string cmdText = String.Format(@"UPDATE TABLE Employees " +
                        "SET" +
                        " Company='" + kompanija + "'," +
                        " [Last Name]='" + prezime + "'," +
                        " [First Name]='" + ime + "'," +
                        " [E-mail Address]='" + email + "' ," +
                        " [Job Title]='" + zvanje +"'," +
                        " [Business Phone]='" + busTelefon + "'," +
                        " [Home Phone]='" + telefon + "'," +
                        " [Mobile Phone]='" + mobTelefon + "'," +
                        " [Fax Number]='" + fax + "'," +
                        " Address='" + adresa + "'," +
                        " City='" + grad + "'," +
                        " [State/Province]='" + okrug + "'," +
                        " [ZIP/Postal Code]='" + postanskiBroj + "'," +
                        " [Country/Region]='" + zemlja + "'," +
                        " [Web Page]='" + web + "'," +
                        " Notes='" + beleska + "' WHERE ID="+iD);
        command.CommandText = cmdText;

        conn.Open();
        command.ExecuteNonQuery();
        conn.Close();

And this SQL don't work. The same error like previous.

Solution

  • When your fields names contain a space or other misleadings characters like the / (division operator) you need them to be enclosed in square brackets

     string cmdText = @"INSERT INTO Employees
                  (ID, Company, [Last Name], [First Name], [E-mail Address],
                   .., [State/Province], ....) VALUES (....)";

    Also you are not using parameters in your query. String.Format is just another type of string concatenation that cannot protect you by invalid inputs (for example, try to use a single quote in your lastname value) and cannot save your code from Sql Injection vulnerability.

    You should always use parameterized queries

    string cmdText = @"INSERT INTO Employees ( your_field_list_comma_sep)
                  VALUES (@id, @company, @lastname, @firstname, 
                  ......)";

OleDbCommand cmd = new OleDbCommand(cmdText, conn);
cmd.Parameters.Add("@id", OleDbType.Integer).Value = iD;
cmd.Parameters.Add("@company", OleDbType.VarWChar).Value = kompanija;
cmd.Parameters.Add("@lastname", OleDbType.VarWChar).Value = prezime;
cmd.Parameters.Add("@firstname", OleDbType.VarWChar).Value = ime;
....
// add all the other parameters with their name and type
....
cmd.ExecuteNonQuery();