How to sort “Syntax error in insert into statement”

Question

For my computer science project I'm using an microsoft acccess database to create a quiz application in visual basic using windows forms. All of my select statements (using oledb to connect to the databse) work correctly and well; but this insert into statement always throws "Syntax error in Insert Into statement" but as far as I can see there is nothing wrong with it. The table in question is called 'Users', with fields 'UserID', 'FirstName', 'LastName', 'Username', 'Password', 'Teacher'; where UserID is an autonumber, teacher is boolean and the rest are strings.

Passwords will be hashed when I'm finished, but so it's easier to test they aren't just yet.

I've already tried entering values for the UserID even though it should automatically increment a value when a new record is entered. And several different methods of creating the insert into command.

Using oCmd As New OleDbCommand("Insert Into Users(FirstName, LastName, Username, Password, Teacher) 
    Values(@firstName, @lastName, @username, @password, 0)", myConnection)
    oCmd.Parameters.Add("@firstName", OleDbType.VarChar, 255).Value = txtFirstName.Text
    oCmd.Parameters.Add("@lastNamee", OleDbType.VarChar, 255).Value = txtLastName.Text
    oCmd.Parameters.Add("@username", OleDbType.VarChar, 255).Value = txtUsername.Text
    oCmd.Parameters.Add("@password", OleDbType.VarChar, 255).Value = txtPassword.Text
    oCmd.ExecuteNonQuery()
End Using

The 'txt...'.Text are text boxes where the user can enter a string for values they want, and myConnection is the connection to the database which is already open from other commands that have run and terminated. I would expect that a new record would be created in the users table with the values entered in the text boxes; but instead it just throws the error stated above.

Answer 1

The real reason that your SQL command doesn't work is because Password should be surrounded by backticks (`) since it is a reserved string. I have had a similar problem in the past and it took me a long time until I realised my mistake.

You should also use parameters to avoid SQL injection. In the end, your code should look like this:

Using oCmd As New OleDbCommand("INSERT INTO `Users` (FirstName, LastName, Username, `Password`, Teacher) VALUES (@FirstName, @LastName, @Username, @Password, 0)", myConnection)

oCmd.Parameters.Add("@FirstName", OleDBType.VarChar, 63).Value = txtFirstName.Text
oCmd.Parameters.Add("@LastName", OleDBType.VarChar, 63).Value = txtLastName.Text
oCmd.Parameters.Add("@Username", OleDBType.VarChar, 63).Value = txtUsername.Text
oCmd.Parameters.Add("@Password", OleDBType.VarChar, 63).Value = txtPassword.Text

The 63 when adding the parameters is there to describe how many characters the varchar can take. You should change this to the amount that the variables in your database use.