Syntax error in INSERT INTO statement c#

-1

I am trying to create an order form using C# and am attempting to link this order form to an Access database using OleDB in Visual Studio. However, when I attempt to save an order to the database I keep getting a syntax exception, as listed below:

Error System.Data.OleDb.OleDbException (0x80040E14): Syntax error in INSERT INTO statement.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextFprSingleResult(tagDBPARAMS dbParams, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteNonQuery()
at AccessLoginApp.OrderForm.btn_Save_Click(Object sender, EventArgs e) in c:\Users\skyscarer\Documents\Visual Studio 2013\Projects\AccessLoginApp\OrderForm.cs: line 214

The offending code which the exception is pointing to seems to be in the btn_Save_Click event. The code for this is displayed below.

private void btn_Save_Click(object sender, EventArgs e)
{
    try
    {
        connection.Open();
        OleDbCommand command = new OleDbCommand();
        command.Connection = connection;
        // Column names with spaces are not bracketed, and the values are
        // concatenated straight from the text boxes into the SQL string.
        command.CommandText = "insert into OrderForm(Customer Name, Address, Telephone Number, Post Code) values('" + customerName.Text + "', '" + addrBox.Text + "', '" + telephoneNumber.Text + "', '" + postCode.Text + "')";
        //command.CommandText = "insert into OrderForm (Customer Name, Address, Telephone Number, Post Code, Date Ordered, Due Date, Pick Up / Delivery, Item, Quantity, Size, Price) values ('"+customerName.Text+"', '"+addrBox.Text+"', '"+telephoneNumber.Text+"', '"+postCode.Text+"', '"+dateOrderedBox.Text+"', '"+dueDate.Text+"', '"+cBoxPickDeliver.Text+"', '"+itemBox.Text+"', '"+Quantity.Text+"', '"+sizeBox.Text+"', '"+price.Text+"')";
        command.ExecuteNonQuery(); // the exception is raised here (line 214 in the trace)
        MessageBox.Show("Order Inserted into Database");
    }
    catch (Exception ex)
    {
        MessageBox.Show("Error " + ex);
    }
}

However, the line that the exception points to is just the command.ExecuteNonQuery() call, so I am unsure what the exception is trying to say and, as such, am unsure what is wrong with my code. If anybody can help me with this, it would be greatly appreciated. Cheers

c#
database
oledb
asked on Stack Overflow Jul 14, 2015 by user3158314

1 Answer

1

try:

"insert into OrderForm ([Customer Name], Address, [Telephone Number], [Post Code]) values('" + customerName.Text + "', '" + addrBox.Text + "', '" + telephoneNumber.Text + "', '" + postCode.Text + "')";

Also, you should consider using parameters, since you are open to SQL injection.

answered on Stack Overflow Jul 14, 2015 by apomene
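The two points in the answer, bracketing the column names that contain spaces and passing the text-box values as parameters instead of concatenating them into the SQL, combined into one method. This is an added example, not code from the question or the answer; it assumes an Access table named OrderForm with the four columns from the question, and the connection string path is a placeholder.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

// Added example (not the asker's or answerer's code). Assumes an Access table
// OrderForm with the columns [Customer Name], Address, [Telephone Number],
// [Post Code]; the Data Source path below is a placeholder.
public static class OrderRepository
{
    private const string ConnectionString =
        @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\path\to\orders.accdb"; // placeholder

    // Inserts one order row and returns the number of rows affected (1 on success).
    public static int InsertOrder(string customerName, string address,
                                  string telephone, string postCode)
    {
        // Column names containing spaces must be bracketed in Access SQL; without
        // the brackets the parser reads "Customer Name" as two tokens, which is
        // exactly the "Syntax error in INSERT INTO statement" from the question.
        // The '?' markers are OleDb's positional parameter placeholders.
        const string sql =
            "INSERT INTO OrderForm ([Customer Name], Address, [Telephone Number], [Post Code]) " +
            "VALUES (?, ?, ?, ?)";

        using (var connection = new OleDbConnection(ConnectionString))
        using (var command = new OleDbCommand(sql, connection))
        {
            // OleDb ignores parameter names and binds by position, so parameters
            // must be added in the same order as the '?' markers above.
            // Values travel as data, not SQL text: an apostrophe in a name
            // (O'Brien) neither breaks the statement nor changes its meaning.
            command.Parameters.Add("@CustomerName", OleDbType.VarWChar, 255).Value = customerName;
            command.Parameters.Add("@Address", OleDbType.VarWChar, 255).Value = address;
            command.Parameters.Add("@Telephone", OleDbType.VarWChar, 50).Value = telephone;
            command.Parameters.Add("@PostCode", OleDbType.VarWChar, 20).Value = postCode;

            connection.Open();
            return command.ExecuteNonQuery();
        }
    }
}

// How the form's Save handler would call it (the text-box names are the
// question's own; the handler itself is part of this added example).
public partial class OrderFormExample
{
    private void btn_Save_Click(object sender, EventArgs e)
    {
        try
        {
            int rows = OrderRepository.InsertOrder(
                customerName.Text, addrBox.Text, telephoneNumber.Text, postCode.Text);
            System.Windows.Forms.MessageBox.Show(rows == 1
                ? "Order Inserted into Database"
                : "No row was inserted");
        }
        catch (OleDbException ex)
        {
            // Surface only the message to the user; the full exception (with the
            // SQL and stack) belongs in a log, not a dialog.
            System.Windows.Forms.MessageBox.Show("Error: " + ex.Message);
        }
    }
}
```

Opening the connection inside a using block, rather than keeping a form-level connection open across clicks, also avoids the "connection already open" failures that tend to follow once the syntax error is fixed.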

User contributions licensed under CC BY-SA 3.0