I have been experiencing problems to add text from a text box into an access database. It is a long piece of text and when I keep it to 3 or 4 sentences it is inserted with no errors but as soon as it appears to be too long I get the following error...System.Data.OledbException syntax error (missing operator)in the query expression.
I have a method in the web service which adds the information and it is with the length of the one textbox insersiont(in this case a review to a book) that causes the error.
Another odd feature to the web page is that the submit button fires only upon the second click...there is a post back on the first click and then only on the second click does the information actually insert into the databse. I do not think however that this is the reason for the initial error of not being able to insert a paragraph into the access database(the field of which I have set to memo).
Any possibility to shed some light as to why the error is occuring.
here is my actuall web method.
[WebMethod]
public void bookRatedAdd(string title, int rating, string review, string ISBN, string userName)
{
OleDbConnection conn;
conn = new OleDbConnection(#"Provider=Microsoft.Jet.OleDb.4.0;
Data Source=" + Server.MapPath("App_Data\\BookRateInitial.mdb"));
conn.Open();
OleDbCommand cmd = conn.CreateCommand();
cmd.CommandText = #"INSERT INTO bookRated([title], [rating], [review], [frnISBN], [frnUserName])VALUES('" + title + "', '" + rating + "','" + review + "','" + ISBN + "', '" + userName + "')";
cmd.ExecuteNonQuery();
conn.Close();
}
It is with review where I get the error, the field of which I set to memo(in the access database.
Perhaps the review you're inserting into the database has single quotes in it? I ask because I don't see that they're getting escaped (turned into two single-quotes) in the code building the query, i.e.:
cmd.CommandText = #"INSERT INTO bookRated([title], [rating], [review], [frnISBN], [frnUserName])VALUES('" + title.Replace("'", "''") + "', '" + rating.Replace("'", "''") + "','" + review.Replace("'", "''") + "','" + ISBN + "', '" + userName + "')";
Related
I need help! I write software for database management for the course. I can not complete the transaction by inserting data. I am from Ukraine and use Ukrainian data on database, but the transaction is not completed bringing the error "Incorrect string value: '\ xD0 \ xB2' for column 'User_name' at row 1 "} System.Exception {MySql.Data .MySqlClient.MySqlException}
" I read all the articles on the stack overflow but nothing helped me(
i use SET NAMES 'utf8'(cp1251, utf8mb4, koi8r, win1251, cp866 and other) but nothing work(help, the problem may be encoded on the development environment?
i use MySql.Data.MySqlClient or MySQL.dll
connect code ->
connStr = "server= localhost;user=root;charset=utf8mb4;database=DB_Journal;port=3306;password=masterkey;"conn = new MySqlConnection(connStr);
and insert ->
conn.Open();
string sql = "insert into Users(User_id, User_name, User_surname, User_fname, Login, UType_id, Password,Secret,Answer) values (null, '" +
textBox1.Text + "', '" + textBox2.Text + "', '"
+ textBox4.Text + "', '" + textBox3.Text + "', '"
+ usr + "', '" + pass + "', '"
+ richTextBox1.Text + "', '"
+ textBox7.Text + "')";
MySqlCommand cmd = new MySqlCommand(sql, conn);
cmd.ExecuteNonQuery();
(I'm sorry, I can write not correctly, but i study hard)
I don't know what you are trying to accomplish with SET NAMES, but it probably does not do what you think it does. (Besides, its documentation explicitly says that it won't work with utf8.)
It is kind of hard to tell without seeing your CREATE TABLE statement, but what is probably happening is that you have declared your User_name etc. columns as being of type CHAR or VARCHAR while in fact they should be of type NCHAR or NVARCHAR.
I am having a very annoying issue with a program I am currently making. In the program a teacher with admin status can add a user to a students_tbl Table in an SQL database by adding in relevant information. The following code adds a Student to the student_tbl in C#.
string studentAdd = "Insert Into student_tbl(Forename, Surname, SchlYear, InOrOut, Block1, Block2, Block3, Block4, Pword) Values (#forename, #surname, '" + SchlYear + "', '" + inOrOut + "' , '" + Blocks[0] + "', '" + Blocks[1] + "', '" + Blocks[2] + "', '" + Blocks[3] + "', #password)";
SqlCommand studentAddCommand = new SqlCommand(studentAdd, con);
studentAddCommand.Parameters.Add(new SqlParameter("#forename", Forename));
studentAddCommand.Parameters.Add(new SqlParameter("#surname", Surname));
studentAddCommand.Parameters.Add(new SqlParameter("#password", hashedPassword));
studentAddCommand.ExecuteNonQuery();
MessageBox.Show("Student Added Successfully");
con.Close();
The variables added in to the table come from results and are simply just names, integers and bools, nothing complex.
The issue I am having is that this data is inaccessible when trying to log in as a student added via this system. If a user is added manually through SSMS then it works fine. Is this something ridiculously basic I am missing, as if I was to add a user ie. 'Joe Bloggs', and search
Select UserID from student_tbl Where Forename = 'Joe'
It simply finds nothing.
Does anybody have any glaring issues I am missing, or not declaring etc? I am able to provide any more information if it could lead to a solution. Thanks.
According to #Jeroen van Langen comment, try to trim values:
studentAddCommand.Parameters.Add(new SqlParameter("#forename", Forename.Trim()));
studentAddCommand.Parameters.Add(new SqlParameter("#surname", Surname.Trim()));
MySqlCommand cmd1 =
new MySqlCommand(
"INSERT INTO quotedetails (name, address, district, date, forto, refto, total) VALUES('" + txttoname.Text + "', '" + txttoaddress.Text.Replace("\r\n", "<br />").ToString() + "', '" + txtdistrict.Text + "' , '" + dateTimePicker1.Value.Date.ToString("yyyy-MM-dd") +"', '" + txtfor.Text + "', '" + txtref.Text + "', '" + txttotal.Text + "')", conn);
{
Can I get some help please? Im getting Column count doesn't match value count at row 1 when the command1 is executed.
You should never use SQLs like this. It is prone to SQL Injection attacks. When you use it like yours, one can steal confidential information from database or even delete your tables, data etc. For details please read SQL Injection on wiki
Instead you should use parameterized SQL queries. In that way you are safe from injection attacks and I believe it is much more practical to write sql.
In your case entering single ' char into one of the textboxes will cause your query to get exception. To fix the issue just use prameters.
For your case you can write something like that.
string sqlString = #"INSERT INTO quotedetails (
name,
address,
district,
date,
forto,
refto,
total)
VALUES (
#PAR_name,
#PAR_address,
#PAR_district,
#PAR_date,
#PAR_forto,
#PAR_refto,
#PAR_total)";
MySqlCommand cmd1 = new MySqlCommand(sqlString, conn);
cmd1.Parameters.AddWithValue("PAR_name", txttoname.Text);
cmd1.Parameters.AddWithValue("PAR_address", txttoaddress.Text.Replace("\r\n", "<br />"));
cmd1.Parameters.AddWithValue("PAR_district", txtdistrict.Text);
cmd1.Parameters.AddWithValue("PAR_date", dateTimePicker1.Value.Date);
cmd1.Parameters.AddWithValue("PAR_forto", txtfor.Text);
cmd1.Parameters.AddWithValue("PAR_refto", txtref.Text);
cmd1.Parameters.AddWithValue("PAR_total", txttotal.Text);
Please note that I use prefix PAR_ for my sql parameters, it is just a convention you can use that or skip PAR_ prefix does not matter and it is all about naming habits.
Additionaly; in a parameterized query, you don't need to convert all your values to string. You can use DateTime for your date field or you can pass int variable without using ToString() as you do before.
On the face of it, this happens when the number of values are more or less than columns provided.
From your statement, this does not seem to be the case. BUT since you are providing uielements directly into insert statement (Textbook case of SQL Injection), I am guessing there is a single quote ' in any of your ui elements, which breaks your insert statement.
MySqlCommand cmd1 = conn.CreateCommand();
cmd1.CommandText = "INSERT INTO quotedetails (name, address, district, date, forto, refto, total) VALUES('" + txttoname.Text + "', '" + txttoaddress.Text.Replace("\r\n", "<br />").ToString() + "', '" + txtdistrict.Text + "', '" + dateTimePicker1.Value.Date.ToString("yyyy-MM-dd") +"', '" + txtfor.Text + "', '" + txtref.Text + "', '" + txttotal.Text + "')";
Using SQL parameters will save you from lots of trouble as well as SQL injection.I am quite sure that if you use parameters your problem will be resolved:
MySqlCommand cmd1 = new MySqlCommand( "INSERT INTO quotedetails (name, address, district, date, forto, refto, total) VALUES(#name,#address,#district,#date,#forto,#refto,#total)", conn);
cmd1.Parameters.AddWithValue("#name",txttoname.Text);
cmd1.Parameters.AddWithValue("#address",+ txttoaddress.Text.Replace("\r\n", "<br />").ToString());
cmd1.Parameters.AddWithValue("#district",txtdistrict.Text);
...
I have the following code:
USE [DB] INSERT INTO Extract2_EventLog VALUES (" + li.userId + ", '" + li.startTime.ToString() + "', '" + li.endTime.ToString() + "', '" + li.elapsedTime.ToString() + (li.actionType == ActionType.REPORT ? "', 'report')" : "', 'extract')', '" + status + "'");
When I run this, I get the following error:
{"Incorrect syntax near ', '.\r\nUnclosed quotation mark after the
character string ''."}
I can't see what I'm doing wrong.. Anyone?
Man....Where to start with this...
First off, you should be using stored procedures that accept parameters (variables from your application code). Second, you should have a dataaccess layer in your application separating database calls and your user interface. I can't possible stress enough how important this is and how bad your current approach is. You will forever be fighting problems like this until you correct it.
But to address the question as it was asked...Your error is because your query string is malformatted. Use the debugging tools to view the string before it is sent to the database and then you should be able to quickly determine what is wrong with it. To troubleshoot, you can always cut and paste that string into SSMS, refine it there, and then make the necessary changes to your c# code.
First of all look at the answer of Stan Shaw, next take a look at the comment of Jon Skeet!
The first thing to do is stop building SQL like that... right now. Use parameterized SQL and you may well find the problem just goes away... and you'll be preventing SQL Injection Attacks at the same time.
They sayed everything that's important and just for the sake of giving you a direct answer:
You have a status + "'"); at your code which needs to be changed to status + "')"; ...
...like this one:
string statement = "USE [DB] INSERT INTO Extract2_EventLog VALUES (" + li.userId + ", '" + li.startTime.ToString() + "', '" + li.endTime.ToString() + "', '" + li.elapsedTime.ToString() + (li.actionType == ActionType.REPORT ? "', 'report')" : "', 'extract')', '" + status + "')";
Instead of concatenating values into your query you should use a parameterized query or a stored procedure.
A rewrite of your code could be something like (depending on datatypes, etc):
string commandText = "INSERT INTO Extract2_EventLog (userId, startTime, endTime, elapsedTime, actionType, [status]) VALUES (#userId, #startTime, #endTime, #elapsedTime, #actionType, #status)";
using (SqlConnection connection = new SqlConnection(connectionString))
{
SqlCommand command = new SqlCommand(commandText, connection);
command.Parameters.AddWithValue("#userId", li.userId);
command.Parameters.AddWithValue("#startTime", li.startTime);
command.Parameters.AddWithValue("#endTime", li.endTime);
command.Parameters.AddWithValue("#elapsedTime", li.elapsedTime);
command.Parameters.AddWithValue("#actionType", li.actionType == ActionType.REPORT ? "report" : "extract");
command.Parameters.AddWithValue("#status", status);
connection.Open();
int rowsAffected = command.ExecuteNonQuery();
Console.WriteLine("RowsAffected: {0}", rowsAffected);
}
You've forgot the " at the beginning. So your code reverts sql with non sql.
AND your example seems to be incomplete.
There is no error in the code, but no information is appearing in the database.
string mysql;
mysql = "INSERT INTO Cars(Make,Model,Price,[Image]) VALUES ('"
+ tbMake.Text + "','" + tbModel.Text + "'," + tbPrice.Text + ",'" + FileUpload1.FileName + "')";
siteDB.InsertCommand = mysql;
DataList1.DataBind();
Cheers.
With an Access database the word IMAGE is a reserved keyword.
If you want to use it you need to encapsulate with square brakets
"INSERT INTO Cars(Make,Model,Price,[Image]) VALUES ......"
This will resolve you immediate problem, but as John Skeet pointed out in its comment you need to use a parametrized query because this solves also the problem of proper formatting of your text values.
What happens to your handy crafted query if a model name (or make) contains a single quote?
Another syntax error is waiting for you (and from my experience it will bite you just when you have finished to code and are ready to work)
Just to complete the answer, feel free to test if in this way it adds the record to your db
mysql = "INSERT INTO Cars(Make,Model,Price,[Image]) VALUES (?,?,?,?)";
OleDbCommand cmd = new OleDbCommand(mysql, con);
cmd.Parameters.AddWithValue("#p1", tbMake.Text);
cmd.Parameters.AddWithValue("#p2", tbModel.Text);
cmd.Parameters.AddWithValue("#p3", Convert.ToDecimal(tbPrice.Text));
cmd.Parameters.AddWithValue("#p4", FileUpload1.FileName);
cmd.ExecuteNonQuery();
I am assuming siteDB is an SQLDataAdapter.
In this case your code should at least be changed to this:
string mysql;
mysql = "INSERT INTO Cars(Make,Model,Price,Image) VALUES ('"
+ tbMake.Text + "','" + tbModel.Text + "'," + tbPrice.Text + ",'" + FileUpload1.FileName + "')";
siteDB.InsertCommand = mysql;
DataList1.DataBind();