Incorrect syntax near '.'. - C#

Question

When I attempt to run the following the code,I got an error.What might be the problem?

protected void Button1_Click(object sender, EventArgs e)
 {
        SqlConnection cnn = new SqlConnection("server=.; database=YEDEK; Integrated Security=True; ");
        cnn.Open();
        SqlCommand cmd = cnn.CreateCommand();
        cmd.CommandText = "insert Personel (Name,Surname,Tel) values  ('"+txtName.Text+"','"+ txtSurname.Text+"','"+txtTel.Text+"')  ";
        SqlParameter p1 = new SqlParameter("txtName.Text", SqlDbType.NVarChar);
        p1.Value = "txtName.Text";
        cmd.Parameters.Add(p1);
        SqlParameter p2 = new SqlParameter("txtSurname.Text", SqlDbType.NVarChar);
        p2.Value = "txtSurname.Text";
        cmd.Parameters.Add(p2);
        SqlParameter p3 = new SqlParameter("txtTel.Text", SqlDbType.Char);
        p3.Value = "txtTel.Text";
        cmd.Parameters.Add(p3);
        cmd.ExecuteNonQuery();
        cnn.Close();

 } 

Here is my error message:

 Incorrect syntax near '.'.
 Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 
 Exception Details:  System.Data.SqlClient.SqlException: Incorrect syntax near '.'.

 Source Error: 

 Line 44:             //cmd.Parameters.Add(p3);
 Line 45: 
 Line 46:             cmd.ExecuteNonQuery();
 Line 47:         //} 
 Line 48:         //catch (SqlException ex)

Answer 1

Your parameters are not in the correct syntax.

A proper parameter would be like so:

 new SqlParameter("@SomeParamName", SqlDbType.VarChar)

It looks like you are trying to directly insert the values from your controls into the parameter. In this situation you would do this:

  var param = new SqlParameter("@Name", SqlDbType.VarChar);
  param.Value = txtName.Text;

The parameter names should match your stored procedure definition.

Answer 2

You either should use SqlParameter or concatenate string. The former is better, as it prevents SQL injection attack. Also, do not quote properties of controls you're using (like p1.Value = "txtName.Text").

Below is how it can be done proper way:

    SqlConnection cnn = new SqlConnection("server=.; database=YEDEK; Integrated Security=True; ");
    cnn.Open();
    SqlCommand cmd = cnn.CreateCommand();
    cmd.CommandText = "INSERT INTO Personel (Name, Surname, Tel) VALUES  (@Name, @Surname, @Tel)  ";
    SqlParameter p1 = new SqlParameter("@Name", SqlDbType.NVarChar);
    p1.Value = txtName.Text;
    cmd.Parameters.Add(p1);
    SqlParameter p2 = new SqlParameter("@Surname", SqlDbType.NVarChar);
    p2.Value = txtSurname.Text;
    cmd.Parameters.Add(p2);
    SqlParameter p3 = new SqlParameter("@Tel", SqlDbType.Char);
    p3.Value = txtTel.Text;
    cmd.Parameters.Add(p3);
    cmd.ExecuteNonQuery();
    cnn.Close();

Answer 3

cmd.CommandText = "insert Personel (Name,Surname,Tel) values (@Name, @Surname, @Tel) ";

Looks more logical, and you have to make sure your sommand parameters match the variable names as well.

Answer 4

Tejs is correct, remove DOTS from your paramnames.

You should also change your insert statement to (I removed the dots too)

cmd.CommandText = "insert Personel (Name,Surname,Tel) 
values(@txtNameText,@txtSurnameText,@txtTelText)  ";

Please rename those params, they are badly named!

Answer 5

I think the problem here is that you already build a sql statement without parameters with this line of code:

cmd.CommandText = "insert Personel (Name,Surname,Tel) values  ('"+txtName.Text+"','"+ txtSurname.Text+"','"+txtTel.Text+"')  ";

This results is a directly working sql statement (without parameters):

"insert Personel (Name,Surname,Tel) values ('ValueOfTxtName','ValueOfTxtSurname','ValueOfTxtName' )"

You need to replace your sql statement to something like this:

"insert Personel (Name,Surname,Tel) values ( @Name,@Surname,@Tel)"

and then add the parameters conform to Tejs suggestion.