
Insert into access database Query Error in C#

// Verbatim (@) string: a single backslash is already literal, so "\\" would put two backslashes in the path.
OleDbConnection my_con = new OleDbConnection(@"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Users\SS\Documents\131Current1\125\Current one\ClinicMainDatabase.accdb");
my_con.Open();

OleDbCommand o_cmd1 = my_con.CreateCommand();
// Values are concatenated straight into the SQL text, and Date/Time are used as bare column names.
o_cmd1.CommandText = "INSERT INTO Personal_Details(Date,Time,Patient_Name,Contact_Number,Gender,Allergic_To,KCO) VALUES ('" + DateTime.Now.ToString("dd-MM-yyyy") + "','" + DateTime.Now.ToString("h:mm:ss tt") + "','" + txtPatientName.Text + "','" + txtContactNo.Text + "','" + comboBoxGender.Text + "','" + txtAllergic.Text + "','" + txtKCO.Text + "')";

int j = o_cmd1.ExecuteNonQuery();

I am getting "Syntax error in INSERT statement". I don't understand what the mistake is; if anyone can help me I would be really thankful. Thanks in advance.

Date and Time are typically reserved keywords in many database systems. You should at the very least wrap them with [ ]. More preferably, if you are designing the table, change the field name to something more descriptive. For example if the Date and Time represented a reminder then you could use ReminderDate and ReminderTime so as not to interfere with reserved keywords.

And follow the parameter advice that's already been given.

Use command parameters instead of concatenating strings. Your code is open to SQL injection attacks, or in your specific case the problem may be related to invalid user input. Try to think about this situation: what if txtContactNo.Text returns the string "Peter's contact is +123456"? How will the SQL query look then? Pay close attention to the ' character.

You should ALWAYS use parametrized SQL queries no matter how good you think your input validation is. It also has more advantages, like query plan caching etc.

So in your case the code must be written like this:

// Verbatim (@) string: single backslashes are literal, so "\\" is not needed here.
OleDbConnection my_con = new OleDbConnection(@"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Users\SS\Documents\131Current1\125\Current one\ClinicMainDatabase.accdb");
using(my_con)
{
   my_con.Open();

   using(OleDbCommand o_cmd1 = my_con.CreateCommand())
   {
       // Reserved words Date and Time are escaped with [ ]; values are bound as parameters.
       o_cmd1.CommandText = @"
INSERT INTO Personal_Details ([Date],  [Time],  Patient_Name, Contact_Number, Gender,  Allergic_To, KCO) 
VALUES                       (@date, @time, @name,        @contNo,        @gender, @alergic,    @kco)";

       // OleDb binds parameters by position, not by name: add them in the same order as the placeholders.
       o_cmd1.Parameters.AddWithValue("@date", DateTime.Now.ToString("dd-MM-yyyy"));
       o_cmd1.Parameters.AddWithValue("@time", DateTime.Now.ToString("h:mm:ss tt"));
       o_cmd1.Parameters.AddWithValue("@name", txtPatientName.Text);
       o_cmd1.Parameters.AddWithValue("@contNo", txtContactNo.Text);
       o_cmd1.Parameters.AddWithValue("@gender", comboBoxGender.Text);
       o_cmd1.Parameters.AddWithValue("@alergic", txtAllergic.Text);
       o_cmd1.Parameters.AddWithValue("@kco", txtKCO.Text);

       o_cmd1.ExecuteNonQuery();
   }

}

Also make sure that you are properly disposing of the connection and the command objects (by using the using keyword :) ).

For more info read the docs on MSDN: https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparametercollection.addwithvalue(v=vs.110).aspx
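An added example, not code from the question or either answer: it shows what the concatenated statement looks like for the "Peter's contact is +123456" input, and a parameterised insert with explicitly typed OleDb parameters. It assumes the same Personal_Details table with [Date] and [Time] as Access Date/Time fields (if they are Text fields, bind strings as the answer does) and a placeholder connection string.

```csharp
// Added example (not from the original post). Requires System.Data.OleDb.
using System;
using System.Data.OleDb;

public static class PersonalDetailsDemo
{
    // The concatenation from the question, reduced to three columns so the effect
    // of an apostrophe in the input is easy to see: the quote in "Peter's" closes
    // the string literal early and the rest of the value becomes SQL text.
    public static string ConcatenatedSql(string contact) =>
        "INSERT INTO Personal_Details([Date],[Time],Contact_Number) VALUES ('"
        + DateTime.Now.ToString("dd-MM-yyyy") + "','"
        + DateTime.Now.ToString("h:mm:ss tt") + "','" + contact + "')";

    // Parameterised insert. OleDb binds parameters by POSITION, so the Add()
    // calls must follow the order of the ? placeholders; the names are labels only.
    // Typed parameters keep dates as dates instead of formatted text.
    public static int InsertPatient(string connectionString, string name,
        string contact, string gender, string allergicTo, string kco)
    {
        using (var con = new OleDbConnection(connectionString))
        using (var cmd = con.CreateCommand())
        {
            cmd.CommandText = @"
INSERT INTO Personal_Details ([Date], [Time], Patient_Name, Contact_Number, Gender, Allergic_To, KCO)
VALUES (?, ?, ?, ?, ?, ?, ?)";
            cmd.Parameters.Add("@date", OleDbType.Date).Value = DateTime.Now.Date;  // assumed Date/Time column
            cmd.Parameters.Add("@time", OleDbType.Date).Value = DateTime.Now;       // assumed Date/Time column
            cmd.Parameters.Add("@name", OleDbType.VarWChar, 255).Value = name;
            cmd.Parameters.Add("@contNo", OleDbType.VarWChar, 50).Value = contact;
            cmd.Parameters.Add("@gender", OleDbType.VarWChar, 10).Value = gender;
            cmd.Parameters.Add("@alergic", OleDbType.VarWChar, 255).Value = allergicTo;
            cmd.Parameters.Add("@kco", OleDbType.VarWChar, 255).Value = kco;
            con.Open();
            return cmd.ExecuteNonQuery();  // an apostrophe in any value is sent as data, never parsed as SQL
        }
    }

    public static void Main()
    {
        // Prints the broken statement so the unbalanced quote can be inspected.
        Console.WriteLine(ConcatenatedSql("Peter's contact is +123456"));
        // Placeholder connection string; replace with the real ACE provider path before running InsertPatient.
        // InsertPatient(@"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\path\to\ClinicMainDatabase.accdb",
        //               "Peter", "Peter's contact is +123456", "Male", "", "");
    }
}
```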
