
IN SQL Query Error "Incorrect syntax near '0)'." in C#

SqlConnection con = new SqlConnection(@"Data Source=HAMMAD2-PC\SQLEXPRESS;Initial Catalog=StockManagement;Integrated Security=True");
con.Open();

SqlCommand cmd = new SqlCommand(@"INSERT INTO [StockManagement].[dbo].[Product] ([ProductID], [ProductName], [SalePrice], [PurchasePrice], [Status])
 VALUES ('" + pcodetxt.Text + "','" + pnametxt.Text + "','" + rtlpricetxt + "','" + purpricetxt.Text + "','" + statuscbox.SelectedIndex+")'",con);

cmd.ExecuteNonQuery();
con.Close();

This code causes an error

Incorrect syntax near '0)'

What is the solution?

I'm using Visual Studio 2012 and SQL Server

There wouldn't be such an error if you had used parameters, plus you would be protected from "SQL injection attacks". i.e.:

using (SqlConnection con = new SqlConnection(@"server=.\SQLEXPRESS;Initial Catalog=StockManagement;Integrated Security=True"))
using (SqlCommand cmd = new SqlCommand(@"INSERT INTO [StockManagement].[dbo].[Product]
   ([ProductID]
   ,[ProductName]
   ,[SalePrice]
   ,[PurchasePrice]
   ,[Status])
VALUES
   (@pid, @pname, @salePrice, @purPrice, @status)", con))
{
    cmd.Parameters.Add("@pid", SqlDbType.Int).Value = int.Parse(pcodetxt.Text);
    cmd.Parameters.Add("@pname", SqlDbType.VarChar).Value = pnametxt.Text;
    cmd.Parameters.Add("@salePrice", SqlDbType.Money).Value = decimal.Parse(rtlpricetxt.Text); // parse the entered text, not the TextBox control itself
    cmd.Parameters.Add("@purPrice", SqlDbType.Money).Value = decimal.Parse(purpricetxt.Text);
    cmd.Parameters.Add("@status", SqlDbType.Int).Value = statuscbox.SelectedIndex;

    con.Open();
    cmd.ExecuteNonQuery();
    con.Close(); // This is not needed: it is done by the implicit Dispose when exiting the using block
}
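
As an added illustration (not part of any answer above), the same INSERT run three ways against an in-memory SQLite table standing in for [StockManagement].[dbo].[Product], because SQLite runs without a SQL Server: the question's concatenation with the misplaced quote, the quote-corrected concatenation, and the parameterised form that the answer above recommends. Table name, column types and the sample values are assumed.

```python
import sqlite3

# Constructed stand-in for the question's Product table (SQLite in memory
# instead of SQL Server; same column list, assumed types).
SCHEMA = ("CREATE TABLE Product (ProductID INTEGER PRIMARY KEY, ProductName TEXT, "
          "SalePrice REAL, PurchasePrice REAL, Status INTEGER)")
COLS = "INSERT INTO Product (ProductID, ProductName, SalePrice, PurchasePrice, Status) "

def new_db():
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    return con

def insert_concatenated(con, pid, name, sale, purchase, status):
    """The question's string-built INSERT, quote misplaced exactly as posted:
    the closing ' lands after the ')' so the VALUES list is never closed."""
    sql = COLS + ("VALUES ('" + pid + "','" + name + "','" + sale + "','"
                  + purchase + "','" + str(status) + ")'")
    con.execute(sql)

def insert_concatenated_fixed(con, pid, name, sale, purchase, status):
    """The quote-corrected concatenation from the third answer. It parses for
    plain values, but any quote inside the data still changes the statement."""
    sql = COLS + ("VALUES ('" + pid + "','" + name + "','" + sale + "','"
                  + purchase + "','" + str(status) + "')")
    con.execute(sql)

def insert_parameterized(con, pid, name, sale, purchase, status):
    """Placeholders, the sqlite3 counterpart of cmd.Parameters.Add(...): the
    driver passes values separately, so data is never parsed as SQL."""
    con.execute(COLS + "VALUES (?, ?, ?, ?, ?)",
                (int(pid), name, float(sale), float(purchase), int(status)))

def try_insert(fn, *args):
    """Run one insert strategy on a fresh table.
    Returns ('ok', [product names]) or ('error', driver message)."""
    con = new_db()
    try:
        fn(con, *args)
        rows = con.execute("SELECT ProductName FROM Product").fetchall()
        return "ok", [r[0] for r in rows]
    except sqlite3.Error as exc:
        return "error", str(exc)

if __name__ == "__main__":
    for fn in (insert_concatenated, insert_concatenated_fixed, insert_parameterized):
        # A legitimate product name with an apostrophe is enough to break concatenation.
        print(fn.__name__, try_insert(fn, "1", "O'Brien's Vice", "10.50", "8.00", 0))
```

Only the parameterised insert stores the apostrophe-bearing name; both concatenated forms surface as syntax errors of the kind in the question, which is why the driver error is the symptom and the string building is the cause.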

The error is because you're missing a closing quote in your SQL statement, but you shouldn't be creating your statement manually with string manipulation in any case - this is very error-prone, and extremely unsafe!

Use declared parameters instead. See What's the best method to pass parameters to SQLCommand?

"Incorrect syntax near X" tries to show you that there is something wrong just before or after the X.

In your query you have placed the ' in the wrong place.

So just rewrite it as below:

SqlCommand cmd = new SqlCommand(@"INSERT INTO [StockManagement].[dbo].[Product] ([ProductID], [ProductName], [SalePrice], [PurchasePrice], [Status])
 VALUES ('" + pcodetxt.Text + "','" + pnametxt.Text + "','" + rtlpricetxt + "','" + purpricetxt.Text + "','" + statuscbox.SelectedIndex+"')",con);

Note: Using the following code you put yourself in the scope of the SQL Injection vulnerability, so you should always try to write the code as @CetinBasoz posted, or use other similar methods that make you secure against similar vulnerabilities.
