Syntax error in Insert query in Mysql in VB.Net

Question

I am doing project in VB.NET and backend is mysql

Can you please tell me where the error is occured

Public Sub ins()
    con.Open()
    Dim cmd1 As New OdbcCommand("insert into party values('" + pcode_txt.Text + "','" + Trim(UCase(name_txt.Text)) + "','" + Trim(UCase(addr_txt.Text)) + "','" + phone_txt.Text + "','" + combo_route.SelectedItem + "','" + combo_area.SelectedItem + "'", con)
    cmd1.ExecuteNonQuery()
    con.Close()
End Sub

The error i get is:

ERROR [42000] [MySQL][ODBC 3.51 Driver][mysqld-5.6.24]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

Answer 1

you miss the closing parenthesis for the values list:

Dim cmd1 As New OdbcCommand("insert into party values('" + pcode_txt.Text + "','" + Trim(UCase(name_txt.Text)) + "','" + Trim(UCase(addr_txt.Text)) + "','" + phone_txt.Text + "','" + combo_route.SelectedItem + "','" + combo_area.SelectedItem + "')", con)

My answer is perfectly fit to your question but as suggested in the comments have clear that string concatenation is not a dependable way to build queries.

A more secure solution is based on parameters. If possible avoid the creation of sql code in the application and rely upon server statements (stored procedures and/or views).