SqlConnection con = new SqlConnection(@"Data Source=HAMMAD2-PC\SQLEXPRESS;Initial Catalog=StockManagement;Integrated Security=True");
con.Open();
SqlCommand cmd = new SqlCommand(@"INSERT INTO [StockManagement].[dbo].[Product] ([ProductID], [ProductName], [SalePrice], [PurchasePrice], [Status])
VALUES ('" + pcodetxt.Text + "','" + pnametxt.Text + "','" + rtlpricetxt + "','" + purpricetxt.Text + "','" + statuscbox.SelectedIndex+")'",con);
cmd.ExecuteNonQuery();
con.Close();
This code causes an error:
Incorrect syntax near '0)'
What is the solution?
I'm using Visual Studio 2012 and SQL Server.
There wouldn't be such an error if you had used parameters, plus you would be protected from SQL injection attacks, i.e.:
using (SqlConnection con = new SqlConnection(@"server=.\SQLEXPRESS;Initial Catalog=StockManagement;Integrated Security=True"))
using (SqlCommand cmd = new SqlCommand(@"INSERT INTO [StockManagement].[dbo].[Product]
    ([ProductID]
    ,[ProductName]
    ,[SalePrice]
    ,[PurchasePrice]
    ,[Status])
    VALUES
    (@pid, @pname, @salePrice, @purPrice, @status)", con))
{
    cmd.Parameters.Add("@pid", SqlDbType.Int).Value = int.Parse(pcodetxt.Text);
    cmd.Parameters.Add("@pname", SqlDbType.VarChar).Value = pnametxt.Text;
    // .Text added here, assuming rtlpricetxt is a TextBox like the other fields in the question
    cmd.Parameters.Add("@salePrice", SqlDbType.Money).Value = decimal.Parse(rtlpricetxt.Text);
    cmd.Parameters.Add("@purPrice", SqlDbType.Money).Value = decimal.Parse(purpricetxt.Text);
    cmd.Parameters.Add("@status", SqlDbType.Int).Value = statuscbox.SelectedIndex;
    con.Open();
    cmd.ExecuteNonQuery();
    con.Close(); // This is not needed: it is done by the implicit Dispose when exiting the using block
}
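To make the point of this answer concrete, here is an added example (not code from the question or from any of the answers) that contrasts the concatenated statement from the question with a parameterized command. It reuses the Product table and an SQLEXPRESS instance from the question, but the method names BuildConcatenated and BuildParameterized, the VarChar size of 100 and the sample values are assumptions made for this example. The sample product name contains an apostrophe, which is a perfectly normal input that the concatenated version cannot handle.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

// Added example, not part of the original question or answers.
static class ProductInsertDemo
{
    // Builds the statement exactly the way the question's code does, so the
    // reader can see the text that would reach the server.
    static string BuildConcatenated(string pcode, string pname, string sale, string pur, int status)
    {
        return "INSERT INTO [Product] ([ProductID], [ProductName], [SalePrice], [PurchasePrice], [Status]) VALUES ('"
            + pcode + "','" + pname + "','" + sale + "','" + pur + "','" + status + "')";
    }

    // Parameterized version: the statement text never changes; the values are
    // sent separately with an explicit SQL type, so quoting is not an issue.
    static SqlCommand BuildParameterized(SqlConnection con, int pid, string pname, decimal sale, decimal pur, int status)
    {
        var cmd = new SqlCommand(
            "INSERT INTO [Product] ([ProductID], [ProductName], [SalePrice], [PurchasePrice], [Status]) " +
            "VALUES (@pid, @pname, @salePrice, @purPrice, @status)", con);
        cmd.Parameters.Add("@pid", SqlDbType.Int).Value = pid;
        cmd.Parameters.Add("@pname", SqlDbType.VarChar, 100).Value = pname; // size 100 is an assumption
        cmd.Parameters.Add("@salePrice", SqlDbType.Money).Value = sale;
        cmd.Parameters.Add("@purPrice", SqlDbType.Money).Value = pur;
        cmd.Parameters.Add("@status", SqlDbType.Int).Value = status;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample input: a legitimate product name with an apostrophe,
        // plus the numeric fields as the user would type them into the text boxes.
        string pname = "O'Reilly";
        string pcodeText = "7", saleText = "12.50", purText = "8.00";

        // The apostrophe terminates the string literal early, so SQL Server would
        // report "Incorrect syntax near 'Reilly'" for the concatenated statement.
        Console.WriteLine(BuildConcatenated(pcodeText, pname, saleText, purText, 0));

        // Validate and convert the text before it becomes a typed parameter; TryParse
        // avoids the FormatException that int.Parse/decimal.Parse throw on bad input.
        var inv = CultureInfo.InvariantCulture;
        if (!int.TryParse(pcodeText, out int pid)
            || !decimal.TryParse(saleText, NumberStyles.Number, inv, out decimal sale)
            || !decimal.TryParse(purText, NumberStyles.Number, inv, out decimal pur))
        {
            Console.WriteLine("Product code and prices must be numeric.");
            return;
        }

        using (var con = new SqlConnection(@"Data Source=.\SQLEXPRESS;Initial Catalog=StockManagement;Integrated Security=True"))
        using (var cmd = BuildParameterized(con, pid, pname, sale, pur, 0))
        {
            // Inspect what will be sent: the SQL text above and one typed value per parameter.
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine($"{p.ParameterName} ({p.SqlDbType}) = {p.Value}");

            // Executing needs the StockManagement database from the question:
            // con.Open();
            // cmd.ExecuteNonQuery();
        }
    }
}
```

Everything up to the commented-out execution runs without a database, so you can see the broken concatenated text and the parameter list before pointing it at a real server. The typed parameters also mean that a value that is not a valid int or decimal is rejected in the application, rather than producing yet another "Incorrect syntax" error from SQL Server.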
The error is because you're missing a closing quote in your SQL statement, but you shouldn't be creating your statement manually with string manipulation in any case - this is very error prone, and extremely unsafe!
Use declared parameters instead. See What's the best method to pass parameters to SQLCommand?
"Incorrect syntax near X" tries to show you that there is something wrong just before or after X.
In your query you have placed ' in the wrong place.
So just rewrite it as below:
SqlCommand cmd = new SqlCommand(@"INSERT INTO [StockManagement].[dbo].[Product] ([ProductID], [ProductName], [SalePrice], [PurchasePrice], [Status])
VALUES ('" + pcodetxt.Text + "','" + pnametxt.Text + "','" + rtlpricetxt + "','" + purpricetxt.Text + "','" + statuscbox.SelectedIndex+"')",con);
Note: Using the following code you put yourself in the scope of the SQL injection vulnerability, so you should always try to write the code as @CetinBasoz posted or use other similar methods that make you secure against similar vulnerabilities.