Insert records using ExecuteNonQuery, showing exception that invalid column name

Question

I am using SQL Server 2008.

I want to insert records into a table using ExecuteNonQuery , for that I have written:

customUtility.ExecuteNonQuery("insert into furniture_ProductAccessories(Product_id, Accessories_id, SkuNo, Description1, Price, Discount) values(" + prodid + "," + strAcc + "," + txtSKUNo.Text + "," + txtAccDesc.Text + "," + txtAccPrices.Text + "," + txtAccDiscount.Text + ")");

& following is ExecuteNonQuery function:

    public static bool ExecuteNonQuery(string SQL)
    {
        bool retVal = false;

        using (SqlConnection con = new SqlConnection(System.Web.Configuration.WebConfigurationManager.ConnectionStrings["dbConnect"].ToString()))
        {
            con.Open();
            SqlTransaction trans = con.BeginTransaction();
            SqlCommand command = new SqlCommand(SQL, con, trans);
            try
            {
                command.ExecuteNonQuery();
                trans.Commit();
                retVal = true;
            }
            catch(Exception ex)
            {
                //HttpContext.Current.Response.Write(SQL + "<br>" + ex.Message);
                //HttpContext.Current.Response.End();
            }
            finally
            {
                // Always call Close when done reading.
                con.Close();
            }
            return retVal;
        }
    }

But it's showing exception that invalid column name to Description1 and even it's value which coming from txtAccDesc.Text . I have tried by removing Description1 column, other records are getting inserted successfully.

Answer 1

My psychic debugging powers are telling me you're entering in the value Description1 into the textbox txtAccDesc . When you concatenated the SQL string You failed to delimit the literal value.

eg

"," + txtAccDesc.Text + "," +

Should be

", '" + txtAccDesc.Text + "', " + 

However this is a bad solution because it opens you up to SQL injection attacks (not to mention you'd need to deal with quotes and commas in your literals) you should use parametrized queries instead.

eg (Warning written in notepad and may not compile)

string SQL = "insert into furniture_ProductAccessories(Product_id,Accessories_id,SkuNo,Description1,Price,Discount) values(@Product_id,@Accessories_id,@SkuNo,@Description1,@Price,@Discount)"

SqlParameters[] parameters = new SQLParameters[6];
parameters[0] = new SqlParameter("@Product_id", SqlDbType.Int, prodid );
parameters[1] = new SqlParameter("@Accessories_id", SqlDbType.VarChar, strAcc );
parameters[2] = new SqlParameter("@SkuNo", SqlDbType.VarChar, txtSKUNo);
parameters[3] = new SqlParameter("@Description1", SqlDbType.VarChar, txtAccDesc.Text);
parameters[4] = new SqlParameter("@Price", SqlDbType.Money, txtAccPrices.Text);
parameters[5] = new SqlParameter("@Discount", SqlDbType.Money, txtAccDiscount.Text);

customUtility.ExecuteNonQuery(sql, paramters)

public static bool ExecuteNonQuery(string SQL, SqlParameters[] parameters)
{
    bool retVal = false;

    using (SqlConnection con = new SqlConnection(System.Web.Configuration.WebConfigurationManager.ConnectionStrings["dbConnect"].ToString()))
    {
        con.Open();
        SqlTransaction trans = con.BeginTransaction();
        SqlCommand command = new SqlCommand(SQL, con, trans);
        cmd.parameters.AddRange(parameters);
        try
        {
            command.ExecuteNonQuery();
            trans.Commit();
            retVal = true;
        }
        catch(Exception ex)
        {
            //HttpContext.Current.Response.Write(SQL + "<br>" + ex.Message);
            //HttpContext.Current.Response.End();
        }
        // finally
        //{
            //Always call Close when done reading.
            //con.Close(); Using already does this, so need for this
        //}
        return retVal;
    }
}