
ExecuteNonQuery Incorrect syntax near ','

sqlCommand1 = new SqlCommand("INSERT INTO dbo.Orders(Title,Seats,Payment,DateNTime)"+
    "VALUES ('"+ movieName+"',"+numTickets+",'"+creditCardType+"',"+DateTime.Now+")", sqlConnection1);
sqlCommand1.Connection.Open();
sqlCommand1.ExecuteNonQuery();
sqlCommand1.Connection.Close();

No idea what's wrong with this piece of code. Title and Payment are stored as nvarchar types, Seats as an int and DateNTime as DateTime. Can someone help me with this?

Thanks in advance

Need quotes for dates as well:

,'" + DateTime.Now.ToString("yyyyMMdd") + "')"

But this is very dangerous code you know. You really should use parametrized query for such things!

You will be in trouble if a user enters something like this in the Title textbox:

some text', 1, 1, '20100101'); drop table dbo.Orders--

And you are fired the same day.

Very likely the error lies here:

... ,"+DateTime.Now+")"

You must make sure that the string expression for DateTime.Now is parseable in SQL.

  1. Do not put your values into the SQL command (read about SQL injection)
  2. Read about parameters and how to pass them
  3. Never rely on culture-dependent date-time formats... (read about ISO8601 or ODBC)

Guessing this is called from c# code, you should use parameters instead of concatenating strings into sql statements.

This will both protect you from sql injection attacks and fix your syntax error:

This code should probably work for you, though it's written right here and I didn't test it:

using System.Data;
using System.Data.SqlClient;

using (var sqlConnection1 = new SqlConnection("ConnectionString"))
{
    using (var sqlCommand1 = new SqlCommand("INSERT INTO dbo.Orders(Title,Seats,Payment,DateNTime)" +
    "VALUES (@movieName, @numTickets, @creditCardType, @dateNTime)", sqlConnection1))
    {
        // Parameter names must be plain identifiers (@DateTime.Now is not valid),
        // each name is declared once, and each type matches the target column.
        sqlCommand1.Parameters.Add("@movieName", SqlDbType.NVarChar).Value = movieName;          // Title: nvarchar
        sqlCommand1.Parameters.Add("@numTickets", SqlDbType.Int).Value = numTickets;             // Seats: int
        sqlCommand1.Parameters.Add("@creditCardType", SqlDbType.NVarChar).Value = creditCardType; // Payment: nvarchar
        sqlCommand1.Parameters.Add("@dateNTime", SqlDbType.DateTime).Value = DateTime.Now;       // DateNTime: datetime

        sqlCommand1.Connection.Open();
        sqlCommand1.ExecuteNonQuery();
    }
}

Try to use the following:

sqlCommand1 = new SqlCommand("INSERT INTO dbo.Orders(Title,Seats,Payment,DateNTime)"+
    "VALUES ('"+ movieName+"',"+numTickets+",'"+creditCardType+"','"+DateTime.Now+"')", sqlConnection1);
sqlCommand1.Connection.Open();
sqlCommand1.ExecuteNonQuery();
sqlCommand1.Connection.Close();

Even after that modification, if you are still getting an error, please tell us the datatypes of Title, Seats, Payment and DateNTime.

You have to format the date part as well.

    sqlCommand1 = new SqlCommand("INSERT INTO dbo.Orders(Title,Seats,Payment,DateNTime)"+
        "VALUES ('"+ movieName+"',"+numTickets+",'"+creditCardType+"','"+DateTime.Now.ToString("yyyyMMdd")+"')", sqlConnection1);
    sqlCommand1.Connection.Open();
    sqlCommand1.ExecuteNonQuery();
    sqlCommand1.Connection.Close();
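As an added example (not code from any answer on this page), here is the insert from the question in the hardened form the parameter answer recommends, which also resolves the date-formatting problem the last two answers work around: every value, the DateTime included, travels as a typed parameter instead of SQL text. The method name, the column sizes (200 and 50) and the connection string are assumptions; the table and column names come from the question.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class OrderRepository
{
    // Inserts one row into dbo.Orders. Column types as stated in the question:
    // Title/Payment nvarchar, Seats int, DateNTime datetime. Sizes 200/50 are assumed.
    public static int InsertOrder(string connectionString, string movieName,
                                  int numTickets, string creditCardType, DateTime when)
    {
        const string sql =
            "INSERT INTO dbo.Orders (Title, Seats, Payment, DateNTime) " +
            "VALUES (@title, @seats, @payment, @dateNTime)";

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // The text of the statement is fixed; user input is bound as data.
            // A Title containing quotes, commas or a trailing "--" is stored
            // verbatim as a string and is never parsed as part of the SQL.
            command.Parameters.Add("@title", SqlDbType.NVarChar, 200).Value = movieName;
            command.Parameters.Add("@seats", SqlDbType.Int).Value = numTickets;
            command.Parameters.Add("@payment", SqlDbType.NVarChar, 50).Value = creditCardType;
            // The DateTime is sent in its native form: no ToString(), no culture-
            // dependent format, and no "Incorrect syntax near ','" from an unquoted date.
            command.Parameters.Add("@dateNTime", SqlDbType.DateTime).Value = when;

            connection.Open();
            return command.ExecuteNonQuery(); // rows affected, 1 on success
        }
    }

    // Seat counts usually arrive as text from a TextBox; validate them before
    // they become the int parameter so non-numeric input never reaches SQL Server.
    public static bool TryParseSeats(string text, out int seats)
    {
        return int.TryParse(text, out seats) && seats > 0;
    }
}
```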
