c#.netinsert-intooledbcommandoledbexception
OleDbException: Syntax error in INSERT INTO statement
I got OleDbException: Syntax error in INSERT INTO statement. I think that my INSERT INTO statement is good. Parameters have good data type so it's not problem. Does someone maybe know what's the problem?
OleDbCommand command = new OleDbCommand();
command.Connection = conn;
command.CommandType = CommandType.Text;
command.CommandText = String.Format("INSERT INTO Employees" +
" (ID, Company, Last Name, First Name, E-mail Address, Job Title, Business Phone, Home Phone" +
", Mobile Phone, Fax NUmber, Address, City, State/Province, ZIP/Postal Code, Country/Region, Web Page, Notes)" +
" Values ('{0}', '{1}','{2}','{3}','{4}','{5}'," +
"'{6}','{7}','{8}','{9}','{10}','{11}','{12}','{13}','{14}','{15}','{16}')", iD,kompanija,prezime,ime,email,
zvanje,busTelefon,telefon,mobTelefon,fax,adresa,grad,okrug,postanskiBroj,zemlja,web,beleska); zvanje,busTelefon,telefon,mobTelefon,fax,adresa,grad,okrug,postanskiBroj,zemlja,web,beleska);
conn.Open();
command.ExecuteNonQuery();
conn.Close();
Error message:
UDATE SQL:
OleDbCommand command = new OleDbCommand();
command.Connection = conn;
command.CommandType = CommandType.Text;
string cmdText = String.Format(@"UPDATE TABLE Employees " +
"SET" +
" Company='" + kompanija + "'," +
" [Last Name]='" + prezime + "'," +
" [First Name]='" + ime + "'," +
" [E-mail Address]='" + email + "' ," +
" [Job Title]='" + zvanje +"'," +
" [Business Phone]='" + busTelefon + "'," +
" [Home Phone]='" + telefon + "'," +
" [Mobile Phone]='" + mobTelefon + "'," +
" [Fax Number]='" + fax + "'," +
" Address='" + adresa + "'," +
" City='" + grad + "'," +
" [State/Province]='" + okrug + "'," +
" [ZIP/Postal Code]='" + postanskiBroj + "'," +
" [Country/Region]='" + zemlja + "'," +
" [Web Page]='" + web + "'," +
" Notes='" + beleska + "' WHERE ID="+iD);
command.CommandText = cmdText;
conn.Open();
command.ExecuteNonQuery();
conn.Close();
And this SQL don't work. The same error like previous.
Solution
When your fields names contain a space or other misleadings characters like the / (division operator) you need them to be enclosed in square brackets
string cmdText = @"INSERT INTO Employees
(ID, Company, [Last Name], [First Name], [E-mail Address],
.., [State/Province], ....) VALUES (....)";
Also you are not using parameters in your query. String.Format is just another type of string concatenation that cannot protect you by invalid inputs (for example, try to use a single quote in your lastname value) and cannot save your code from Sql Injection vulnerability.
You should always use parameterized queries
string cmdText = @"INSERT INTO Employees ( your_field_list_comma_sep)
VALUES (@id, @company, @lastname, @firstname,
......)";
OleDbCommand cmd = new OleDbCommand(cmdText, conn);
cmd.Parameters.Add("@id", OleDbType.Integer).Value = iD;
cmd.Parameters.Add("@company", OleDbType.VarWChar).Value = kompanija;
cmd.Parameters.Add("@lastname", OleDbType.VarWChar).Value = prezime;
cmd.Parameters.Add("@firstname", OleDbType.VarWChar).Value = ime;
....
// add all the other parameters with their name and type
....
cmd.ExecuteNonQuery();