joe_pool_is Posted September 17, 2005

My code:

    strSql = "INSERT INTO people (Name, Email, Username, Password, Website, Dated) " +
        "VALUES (\"" + strName + "\", \"" + strEmail + "\", \"" + strUserId + "\", \"" +
        strPassword + "\", \"" + strUrl + "\", \"" + strDate + "\");";
    Command1 = new OleDbCommand(strSql, Connection1);
    try
    {
        Connection1.Open();
        Command1.ExecuteNonQuery();
    }
    catch (Exception ex)
    {
        lblCreateMsg.Text = "Insert Database error:<br />";
        lblCreateMsg.Text += ex.Message + "<br />" + strSql;
        return;
    }
    finally
    {
        Connection1.Close();
    }

produces this SQL statement:

    INSERT INTO people (Name, Email, Username, Password, Website, Dated) VALUES ("John Doe", "jdoe123@domain.com", "jdoe123", "6184D6847D594EC75C4C07514D4BB490D5E166DF", "", "9/17/2005 2:07:06 PM");

but catches this error that is written to lblCreateMsg:

    Syntax error in INSERT INTO statement.

Am I using a reserved word? What would cause this problem?

Avoid Sears Home Improvement

bri189a Posted September 17, 2005

Your string names need to be: VALUES('Joe') not VALUES("Joe")

Also, you are leaving yourself wide open for SQL Injection attacks. If you use parameters (and you can use them on in-line SQL too; not just stored procedures), you won't have to worry about these syntactical errors or SQL injection attacks.

joe_pool_is Posted September 17, 2005

> Your string names need to be: VALUES('Joe') not VALUES("Joe")

Ah! Simple stuff. It so often turns out that way, too. Thanks.

> Also, you are leaving yourself wide open for SQL Injection attacks. If you use parameters (and you can use them on in-line SQL too; not just stored procedures), you won't have to worry about these syntactical errors or SQL injection attacks.

I didn't know Access used parameters. Are they stored in the Access database, or constructed "on the fly" in my code? If you know of any good sites that teach this, I'd be grateful.

joe_pool_is Posted September 17, 2005

> Your string names need to be: VALUES('Joe') not VALUES("Joe")

Poo-doo! This time I got:

    Insert Database error:
    Syntax error in INSERT INTO statement.
    INSERT INTO people (Name, Email, Username, Password, Website, Dated) VALUES ('John Doe', 'jdoe123@domain.com', 'jdoe123', '6184D6847D594EC75C4C07514D4BB490D5E166DF', '', '9/17/2005 4:27:29 PM');

Diesel Posted September 18, 2005

Put brackets around the password and name fields. This defines them as fields, in case they are actually keywords.

Make sure the password data can actually fit into the field.

And Access takes a different default date format than the one you are displaying. Either change the format of the column in Access or the format you are inserting into the database.

Search these forums for a little tutorial on using parameters to create SQL commands. I believe plausiblydamp wrote the post.

Diesel Posted September 18, 2005

And don't catch System.Exceptions! Or at least catch a more specific exception before it:

    try { }
    catch (System.Data.OleDb.OleDbException dbe) { }  // database errors first
    catch (Exception e) { }                           // anything else afterwards
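
The parameterized form of the INSERT discussed in this thread, as an added example that is not part of any post above: the parameters are built in code for each command, and nothing has to be stored in the Access database. The class name, method name, `connectionString` argument and the 255-character field sizes are assumptions.

```csharp
using System;
using System.Data.OleDb;

public static class PeopleRepository   // hypothetical class name
{
    // Column names are bracketed, as suggested in the thread, so none of them can be
    // parsed as a keyword. Each ? is a placeholder; no user value is ever part of the SQL text.
    private const string InsertSql =
        "INSERT INTO people ([Name], [Email], [Username], [Password], [Website], [Dated]) " +
        "VALUES (?, ?, ?, ?, ?, ?)";

    // connectionString is an assumption: supply the one for your own database file.
    public static int InsertPerson(string connectionString, string name, string email,
        string userId, string passwordHash, string url, DateTime dated)
    {
        using (OleDbConnection conn = new OleDbConnection(connectionString))
        using (OleDbCommand cmd = new OleDbCommand(InsertSql, conn))
        {
            // The OleDb provider binds by position, not by name, so the parameters
            // must be added in the same order as the ? placeholders.
            // Size 255 is an assumed column width; match it to the real table design.
            cmd.Parameters.Add("@Name", OleDbType.VarWChar, 255).Value = name;
            cmd.Parameters.Add("@Email", OleDbType.VarWChar, 255).Value = email;
            cmd.Parameters.Add("@Username", OleDbType.VarWChar, 255).Value = userId;
            cmd.Parameters.Add("@Password", OleDbType.VarWChar, 255).Value = passwordHash;
            cmd.Parameters.Add("@Website", OleDbType.VarWChar, 255).Value = url;
            // Passed as a typed date, so no date-format string is involved at all.
            cmd.Parameters.Add("@Dated", OleDbType.Date).Value = dated;

            try
            {
                conn.Open();
                return cmd.ExecuteNonQuery();   // rows affected, 1 on success
            }
            catch (OleDbException dbe)
            {
                // Keep provider details and SQL text out of the page shown to the user;
                // the caller can log the inner exception server-side.
                throw new InvalidOperationException("Could not insert into people.", dbe);
            }
        }   // using blocks close the connection even when an exception is thrown
    }
}
```

A name such as O'Brien or a value containing double quotes is stored as data here and cannot alter the statement or break its syntax.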