ASP.Net insert data from Textbox to a database

Question

Im trying to insert data from a textbox to my database, and it throwing me an exception.

Exception Details: System.Data.SqlClient.SqlException: Incorrect syntax near ' test'.

a few details before I presents my code though : my database called : Movies my table data called: Users and I have columns such as : "FirstName", "LastName" etc...

protected void Register_Click(object sender, EventArgs e) { SqlConnection connection = new SqlConnection("Data Source=MICROSOF-58B8A5\\SQL_SERVER_R2;Initial Catalog=Movie;Integrated Security=True");

        connection.Open();
        //FirstName***********
        string firstName = FirstNameTextBox.Text;
        string sqlquery = ("INSERT INTO [Users] (FirstName) VALUES (' " +FirstNameTextBox.Text + " ' ");

        SqlCommand command = new SqlCommand(sqlquery , connection);
        command.Parameters.AddWithValue("FirstName", firstName);
        //LastName************
        string lastName = LastNameTextBox.Text;
        sqlquery = ("INSERT INTO [Users] (LastName) VALUES (' " + LastNameTextBox.Text+ " ' ");
        command.Parameters.AddWithValue("LastName", lastName);
        //Username*************
        string username = UsernameTextBox.Text;
        sqlquery = ("INSERT INTO [Users] (Username) VALUES (' " + UsernameTextBox.Text+ " ' ");
        command.Parameters.AddWithValue("UserName", username);
        //Password*************
        string password = PasswordTextBox.Text;
        sqlquery = ("INSERT INTO [Users] (Password) VALUES (' " + PasswordTextBox.Text + " ' ");
        command.Parameters.AddWithValue("Password", password);
        if (PasswordTextBox.Text == ReTypePassword.Text)
        {
            command.ExecuteNonQuery();
        }
        else
        {
            ErrorLabel.Text = "Sorry, You didnt typed your password correctly.  Please type again.";
        }

        connection.Close();
    }

Answer 1

Use one query and use @ParamName :

    string sqlquery = "INSERT INTO [Users] (FirstName,LastName,UserName,Password) VALUES (@FirstName,@LastName,@UserName,@Password)";
    SqlCommand command = new SqlCommand(sqlquery , connection);

    //FirstName***********
    string firstName = FirstNameTextBox.Text;
    command.Parameters.AddWithValue("FirstName", firstName);
    //LastName************
    string lastName = LastNameTextBox.Text;     
    command.Parameters.AddWithValue("LastName", lastName);
    //Username*************
    string username = UsernameTextBox.Text;     
    command.Parameters.AddWithValue("UserName", username);
    //Password*************
    string password = PasswordTextBox.Text;    
    command.Parameters.AddWithValue("Password", password);

    ...........

Answer 2

Maybe this code is shorter:

sqlcommand command=new sqlcommand("insert into[Users](FirstName,LastName,UserName,Password) values('"+FirstNameTextBox.Text+"','"+LastNameTextBox.Text+"','"+UsernameTextBox.Text+"','"+PasswordTextBox.Text+"')",connection);
command.ExecuteNonQuery();

Answer 3

Add the following, too:

string sqlquery = "INSERT INTO [Users] (FirstName,LastName,Username,Password) VALUES ( " +FirstNameTextBox.Text + " ,";
sqlquery +=  LastNameTextBox.Text+ ",";
sqlquery +=   UsernameTextBox.Text+ ",";
sqlquery +=  PasswordTextBox.Text + " )";
SqlCommand command = new SqlCommand(sqlquery , connection);

Answer 4

The problem seems to be that you are creating a weird SQL instruction. It's real value is INSERT INTO [Users] (FirstName) VALUES ('(theValue)') and you are not adding the rest of the values (last name, etc). The rest of the code does nothing because the query does not include the rest of the parameters.