Incorrect Syntax Near 'ID'

Question

private void btnID_Click(object sender, EventArgs e)
    {
      //Set Up Conncetion
        SqlConnection myconnection = new SqlConnection(global::Database_connection_inForm.Properties.Settings.Default.Database1ConnectionString);
        try
        {
           string sql = "INSERT INTO Students(Student ID,Student Name) values("+txtID.Text+",'"+txtName.Text+"')";
           //Command object

           SqlCommand exeSql = new SqlCommand(sql, myconnection);
           myconnection.Open(); //Opening connection
           exeSql.ExecuteNonQuery();

           MessageBox.Show("Add new Record Done!","Message",MessageBoxButtons.OK,MessageBoxIcon.Information);
           this.studentsTableAdapter.Fill(this.database1DataSet.Students);



        }

        catch (Exception ex)
        {
            MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
        }

        finally
        {
            myconnection.Close();
        }
    }

    private void btnRef_Click(object sender, EventArgs e)
    {
        this.studentsTableAdapter.Fill(this.database1DataSet.Students);
    }
}

Answer 1

When a column name contains spaces you should always encapsulate that name with square brackets

sql = "INSERT INTO Students([Student ID],[Student Name]) ....." 

Said that, please remove your string concatenation and use a parameterized query ALWAYS. It is far better to use parameters instead of string concat. The main reason is to avoid Sql Injection but the parameter approach will also remove the quoting problem (IE a name = 'O'Brian' leads to a syntax error when using string concat)

private void btnID_Click(object sender, EventArgs e)
{
   try
   {
       string sql = "INSERT INTO Students([Student ID],[Student Name]) " + 
                    "values (@id, @name)";
        using(SqlConnection myconnection = new SqlConnection(....))
        using(SqlCommand exeSql = new SqlCommand(sql, myconnection))
        {
           myconnection.Open();
           exeSql.Parameters.AddWithValue("@id",Convert.ToInt32(txtID.Text));
           exeSql.Parameters.AddWithValue("@name",txtName.Text);
           exeSql.ExecuteNonQuery(); 
        }
   }
   .....

Also notice that I have converted the txtID.Text contents to an integer without any checking.
This could fail if your user types something that is not a valid numeric id (And if the Student ID is an Identity column then this value should never be passed in the INSERT statement)

As a final note. Do you really need these columns names? It is far better to have them without spaces otherwise you will get this problem every time you use this table

Answer 2

If your identifiers contain spaces, you have to delimit the identifier. The way you do that depends on the database you are using.

In SQL Server you use Square brackets:

string sql = "INSERT INTO Students([Student ID],[Student Name]) values(@Id,@Name)";

In MySQL you use backticks:

string sql = "INSERT INTO Students(`Student ID`,`Student Name`) values(@Id,@Name)";

Note that I have replaced the concatenated values in the queries with parameters. You should use parameterised queries, otherwise your code is wide open to SQL injection attacks.

Answer 3

First of all you did not Use Correct naming convention

you should use

StudentId Or Student_Id ( the first one is recommended)

when you have space between you column Names you should use "[" "]" and cover your column name

Answer 4

You have a space in column name

string sql = "INSERT INTO Students(Student ID,Student Name) values("+txtID.Text+",'"+txtName.Text+"')";

thats a problem - check a column name and use a right column name.