string query = "insert into TraineeDetail values('" + trainee.TyNo + "','" +
trainee.PersonalNumber.ToString() + "','" + trainee.TraineeName.ToString() + "','" +
trainee.Rank.ToString() + "','" + trainee.Division.ToString() + "','" + trainee.ENMATEL + "','" +
trainee.ENMATMECH + "','" + trainee.ENMATGSC + "','" + trainee.MAXM.ToString() + "','" +
trainee.SUBBR.ToString() + "') order by MAXM desc ";
i m getting error- missing semicolon (;) at the end of the sql statement
any solution
INSERT statements are used for just that. Inserting data.
You appear to be using it combined with an ORDER BY. What do you intend to order?
ORDER BY is generally used when you are SELECT'ing data. As in, "I want this data, but order it in this way before you show it to me".
Remove the ORDER BY and your query will work.
Please also investigate SQL injection and SqlParameters. As it is, your code is very insecure.
Related
I'm trying to remake my system and my older system is 100% working, but when I changed something (I added a lot of columns in ms access database) I did the correct format in inserting data of each textboxes but it still says "error in insert into statement".
This is my code. Please take your time reading the query for that is only the error I got. I double checked the spelling or capitalization on each field from database as well as here.
try
{
connection.Open(); //open connection
OleDbCommand command = new OleDbCommand(); // command object , we can execute to validate our database
command.Connection = connection; // make a connection for the command
command.CommandText = " insert into StudentsRecord([StudentID],Name,Section,Semester,MathPrelim,MathMidterm,MathFinals,MathAverage,MathFinalGrade,EnglishPrelim,EnglishMidterm,EnglishFinals,EnglishAverage,EnglishFinalGrade,SciencePrelim,ScienceMidterm,ScienceFinals,ScienceAverage,ScienceFinalGrade,StatisticsPrelim,StatisticsMidterm,StatisticsFinals,StatisticsAverage,StatisticsFinalGrade,ReadandWritePrelim,ReadandWriteMidterm,ReadandWriteFinals,ReadandWriteAverage,ReadandWriteFinalGrade) values ('" + txtStudentID.Text + "' , '" + txtName.Text + "' , '" + txtSection.Text + "' , '" + cmbSemester.SelectedItem + "', '" + txtMathp.Text + "' , '" + txtMathm.Text + "' , '" + txtMathf.Text + "' , '" + txtMatha.Text + "' , '" + txtMathFG.Text + "' , '" + txtEnglishp.Text + "' , '" + txtEnglishm.Text + "', '" + txtEnglishf.Text + "','" + txtEnglisha.Text + "','" + txtEnglishFG.Text + "','" + txtMathFG.Text + "','" + txtSciencep.Text + "','" +txtSciencem.Text+ "','" + txtSciencef.Text + "','" + txtSciencea.Text + "','" + txtScienceFG.Text + "','" + txtStatisticsp.Text + "','" + txtStatisticsm.Text + "','" + txtStatisticsf.Text + "','" + txtStatisticsa.Text + "','" + txtStatisticsFG.Text + "','" + txtReadandWritep.Text + "','" + txtReadandWritem.Text + "','" + txtReadandWritef.Text + "','" + txtReadandWritea.Text + "','" + txtReadandWriteFG.Text + "')";
/* this is a string or a query used to execute. asterisk is used
to give you all column data from your database ,declaration of query */
command.ExecuteNonQuery(); // this is used to inserting data , updating or deleting data , this command will execute the above query
MessageBox.Show(" Saved! ");
}
catch (Exception a)
{
MessageBox.Show(" Error " + a.Message);
}
connection.Close();
I see in the first part you have 29 fields, but the inserted fields are 30...
In addition, you should use parameterized queries to avoid sql injection.
You need to debug codes and paste your CommandText to SSMS(SQL Sever Management Studio) to figure out errors.
Other suggestions:
command.CommandText = string.format("insert into StudentsRecord(..) VALUES(#...)); sql params to avoid sql injection
using(SqlConnection conn = ...)
Already solved the problem just now by putting [ ] on each field. which will be something like this:
insert into StudentsRecord(
[StudentID],[Name],[Section],[Semester],
[MathPrelim],[MathMidterm],[MathFinals]
) values ('"++"'..) ... etc.
Thanks everyone who tried to help me, have a good day!
I am trying to save some data to access DB but the date is stored in incorrect format
dbCommand.CommandText = "insert into Clients(Name,Gender,PhoneNumber,ReciveServiceDate)
values ('" + name_txtBox.Text + "','" + gender_comBox.Text + "',"
+ long.Parse(phone_txtBox.Text) + ","
+ (recive_dateTimePicker.Value).ToShortDateString() + ");";
Listen to Jon's advice.
However, if you insist, you can do it like this:
+ (recive_dateTimePicker.Value).ToString("#yyyy'/'MM'/'dd#") + ");";
im trying to insert some data into a sql server and the code worked fine untill i added the #instel at the end. when i added that i got the error "Error converting data type varchar to numeric." even if i leave the textbox empty.
i had it as a textbox but since i got the error i tried to have it as a variable but it still did not fix the issue. the code works for the REL thats to be inserted and that is also a int. also the database and textbox properties of REL and #instel are the same. i also tried to make the variable a int but it did not change anything. if anyone knows why this is and could help me out it would be appriciated.
SqlCommand slMEVO_NAW = new SqlCommand(#"insert into NAW(REL,NAAM,BTW_CODE,TAV,STR,PL,LAND,PLBOX,TAAL,COUNTRY_C,TEL,FAX,EMAIL,XMAS,TEL2,STR1,INSTELINCL,INCOTERMS,PRODDAT,INSTEL) values('" + this.Txtbx_RelNmmr.Text + "','" + this.Txtbx_Bedrijf.Text + "','" + this.Txtbx_BtwCode.Text + "','" + this.Txtbx_Tav.Text + "','" + this.Txtbx_HuisAdres.Text + "','" + this.Txtbx_PstCde.Text + "','" + this.Txtbx_Land.Text + "','" + this.Txtbx_PstBs.Text + "','" + this.Txtbx_Taal.Text + "','" + this.Txtbx_LndCode.Text + "','" + this.Txtbx_Telnmmr.Text + "','" + this.Txtbx_Fax.Text + "','" + this.Txtbx_Email.Text + "','" + this.Txtbx_Xmas.Text + "','" + this.Txtbx_telnmmr2.Text + "','" + this.Txtbx_BezAdres.Text + "','" + this.TBX_Instelkstn.Text + "','" + this.Txtbx_Incot.Text + "','" + this.TBX_PrdctDtm.Text + "','#INSTEL' );", Connectie.connMEVO_NAW);
slMEVO_NAW.Parameters.Add("#INSTEL", SqlDbType.VarChar).Value = Txtbx_InstelKsten.Text;
FIX
it seems that after i changed it to all parameters it only gives the error if the textbox is empty so i just make the program set the text to 0 before it does the query right now
The type of field in your table might be as Integer or Numeric, change to Varchar.
as i stated in the main post after a edit i found a way to work around the problem
FIX it seems that after i changed it to all parameters it only gives the error if the textbox is empty so i just make the program set the text to 0 before it does the query right now
Am trying to insert a record into my database using a function that consists of 11 arguments as input. The function is as follows:
public int check_in_visitor(int visitor_id,String date_in, String date_out,
String time_in, int check_in, int check_out, String employer,
String vehicle_number, int manual_entrychk, String time_out)
The corresponding query for it:
String query = "insert into visitor values('"+visitor_id +"','" +
date_in + "','" + date_out + "','" + time_in + "'," + check_in +
",'" + check_out + "'," + employer + ",'" + vehicle_number + "'," +
manual_entrychk + ",'" + time_out + "')
its always giving errors like expression incorrect! Please help me solve the issue
Use SqlParameter..
That way you would avoid sql injection attack,enclosing data with ' or " & other issues..
String query = "insert into visitor values(#visitor_id,#date_in,#date_out,#time_in,#check_in,#check_out,#employer,#vehicle_number, #manual_entrychk,#time_out)";
SqlCommand command = new SqlCommand(query, connection);
command.Parameters.Add(new SqlParameter("visitor_id", visitor_id));
command.Parameters.Add(new SqlParameter("date_in", date_in));
....
command.ExecuteNonQuery();
You are missing to close the Query String with double quotes.
String query = "insert into visitor values('"+visitor_id +"','" + date_in + "','" + date_out + "','" + time_in + "'," + check_in + ",'" + check_out + "'," + employer + ",'" + vehicle_number + "'," + manual_entrychk + ",'" + time_out + "')";
Note1 : all VARCHAR feilds should be enclosed in single quotes properly.
Note 2: all INT feilds should not be enclosed with single quotes.
Note 3: your query is open to SQL injection attaks. please use parameterised queries.
untill unless you provide the feild types its defficult to solve the problem.
use string.format. Like string query = string.Format("insert into visitor values ('{0}','{1}'...",vistor_id ...); This syntax is a lot easier to troubleshoot and avoids the string concatenations. You should also consider not using data that's not fully trusted in your query (like anirudh mentioned in his reply), if that's an option at all.
if query below doesnt help you, please tell what is the error returned?
string query = "insert into visitor values ("+visitor_id+ ","+ date_in +","+date_out
+","+time_in+","+check_in+","+check_out+","+employer+","+vehicle_number+","
+manual_entrychk+","+time_out+")";
I'm trying to insert some data into my table and that's how I try to do it
INSERT INTO OrdersDetail
Values (" + OrderId.Text + ", (SELECT IdProduct FROM Products WHERE ProductName = '" + listBox1.Text + "'), '" + TypeOfProductComboBox.Text + "', '" + OrderQuantity.TextAlign + "', '" + TotalCost.Text + "'");
and I'm geting error I think my syntax is wrong, I'm use query in query to get the product id.
The columns are :
OrderId (int)
ProductId(int)
ProductName(Nvarchar)
OrderQuantity(Nvarchar)
TotalCost(NvarChar)
Thanks
You set your inside SELECT under '. Should be:
var query = "INSERT INTO OrdersDetail Values (" + OrderId.Text + ", (SELECT IdProduct FROM Products WHERE ProductName = '"+ listBox1.Text + "'), '" + TypeOfProductComboBox.Text + "', '" + OrderQuantity.TextAlign + "', '" + TotalCost.Text + "')");
If for example TotalCost.Text is a numeric data type in SQL, use
"..." + OrderQuantity.TextAlign + "', " + Convert.ToDouble(TotalCost.Text) + ")";
As p.s.w.g stated: This is open for SQL injection. Replace it with a parameterized version!
I think the problem is with the first Line and your inside Select.
This should work
INSERT INTO OrdersDetail
Values ('" + OrderId.Text + "',(SELECT IdProduct FROM Products WHERE ProductName ='"+ listBox1.Text + "')," + TypeOfProductComboBox.Text + "','" + OrderQuantity.TextAlign + "','" + TotalCost.Text + "'");
The problem is that you are missing the last bracket, the query should finish with "')" instead of "'" . The initial code started with opening bracket and that is why you didn't get compile errors.
But you should not create such sql queries, use Parameters to avoid SQL injection attacks. You code is vulnerable to them.