0
private void btn_add_store_Click(object sender, EventArgs e)
{
    // Every field value is concatenated straight into the SQL text. The single quotes
    // around pro_name, price and notes come from the string literal, not from the data,
    // so a quote inside any of those values changes the statement itself.
    cmd = new SqlCommand("Insert into Product values("+sa_code+",'" +pro_name+ "',"+quantity+",'"+price+"','"+notes+"')", con);
    con.Open();
    cmd.ExecuteNonQuery();
    con.Close();
}


6
  • Remove the ' symbol in the " " string parts. Commented Sep 15, 2020 at 12:47
  • 3
    @Malekel Welcome to StackOverflow. Please do not provide code as Image. Please include code and related error with StackTrace information. Commented Sep 15, 2020 at 12:48
  • 1
    You should copy and paste the code into the question instead of posting a picture. Also it could be an issue with one of the values you concatenate into the query, which is why you should really use parameters instead. Commented Sep 15, 2020 at 12:48
  • You have the wrong SQL syntax: Insert into Products(code, proName...) values Commented Sep 15, 2020 at 12:50
  • You should also include the list of column names with the table to make sure you're inserting the values in the correct order. Commented Sep 15, 2020 at 12:50

2 Answers

4

Without seeing what the final composed value of the CommandText was, it is hard to comment specifically - as it will depend on the values being passed in, but ultimately the problem here is that it depends on the values being passed in. You should never concatenate values to create SQL, basically - it leaves you vulnerable to malicious SQL injection, or accidental bugs due to things like quotes in fields. There's also a secondary problem of the ambiguous column order. I cannot advocate strongly enough that you should use parameters here (and also name the columns); for example:

insert into Product (Code, ProductName, Quantity, Price, Notes)
values (@sa_code, @pro_name, @quantity, @price, @notes);

But then we need to pass those parameters in; a tool like Dapper would make this painless:

using Dapper; // at the top of the file
...
// Execute opens the connection if it is closed, binds each property of the
// anonymous object to the parameter with the same name, runs the statement,
// and closes the connection again if it opened it.
con.Execute(@"
insert into Product (Code, ProductName, Quantity, Price, Notes)
values (@sa_code, @pro_name, @quantity, @price, @notes);",
    new { sa_code, pro_name, quantity, price, notes });

Here, Dapper will deal with adding all the parameters for you; it will also handle opening and closing the connection on your behalf.


8 Comments

Not having single quotes around sa_code may be correct if it's an integer.
@juharr actually, looking again at the image, I might have been wrong about the quote, but: I maintain that this is still the right fix :)
@juharr rephrased for clarity
Oh definitely they should include the columns, and use parameters, I'm just saying it's hard to know the exact issue since the quotes are balanced and we don't know the types or the values being concatenated (which might include single quotes that are not escaped)
I tried the solution but errors appear. I modified the code and it worked successfully. This is the code: cmd = new SqlCommand("Insert into Product(Code, Name, Quantity, Price, Notes)values('"+sa_code.Text+ "','"+pro_name.Text+"','"+ quantity.Text + "','"+price.Text+"','"+notes.Text+"')", con); con.Open(); cmd.ExecuteNonQuery(); con.Close();
0
// The column list fixes the ordering problem, but the .Text values are still
// concatenated into the SQL, so a quote in any text box still alters the statement.
cmd = new SqlCommand("Insert into Product(Code, Name, Quantity, Price, Notes)values('"+sa_code.Text+ "','"+pro_name.Text+"','"+ quantity.Text + "','"+price.Text+"','"+notes.Text+"')", con);
con.Open();
cmd.ExecuteNonQuery();
con.Close();

//this is the right answer
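The two answers side by side, as an added example that is not code from the question or from either answer: the concatenated INSERT from the second answer, and the parameterized form the first answer recommends, written with plain System.Data.SqlClient rather than Dapper. The column names and types (Quantity as int, Price as decimal(10,2), Notes nullable), the connection string, and the two constructed inputs are assumptions for illustration.

```csharp
// Added example; not code from the original question or either answer.
// Assumptions: a table Product(Code, Name, Quantity, Price, Notes) with Quantity
// as int and Price as decimal(10,2), and a local SQL Server instance.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

static class ProductInsertDemo
{
    // The approach from the accepted answer: every value is spliced into the SQL text.
    public static string BuildConcatenatedSql(string code, string name, string quantity, string price, string notes)
    {
        return "Insert into Product(Code, Name, Quantity, Price, Notes) values('" + code + "','" + name
             + "','" + quantity + "','" + price + "','" + notes + "')";
    }

    // Hardened form: the SQL text never changes; the values travel as typed parameters.
    // Quantity and Price are converted in C#, so "abc" fails here instead of being
    // handed to SQL Server as a string the database has to interpret.
    public static SqlCommand BuildParameterizedCommand(SqlConnection con, string code, string name,
                                                       string quantity, string price, string notes)
    {
        var cmd = new SqlCommand(
            "insert into Product (Code, Name, Quantity, Price, Notes) " +
            "values (@code, @name, @quantity, @price, @notes);", con);

        cmd.Parameters.Add("@code", SqlDbType.NVarChar, 20).Value = code;
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        cmd.Parameters.Add("@quantity", SqlDbType.Int).Value =
            int.Parse(quantity, CultureInfo.InvariantCulture);

        var priceParam = cmd.Parameters.Add("@price", SqlDbType.Decimal);
        priceParam.Precision = 10;
        priceParam.Scale = 2;
        priceParam.Value = decimal.Parse(price, CultureInfo.InvariantCulture);

        // Notes is nullable: an absent value must be sent as DBNull, because a C# null
        // means "parameter not set" and the command fails.
        cmd.Parameters.Add("@notes", SqlDbType.NVarChar, -1).Value = (object)notes ?? DBNull.Value;
        return cmd;
    }

    static void Main()
    {
        // Constructed inputs: a legitimate value containing an apostrophe, and a hostile
        // notes value that closes the VALUES list and appends a second statement.
        const string benign  = "O'Brien's widget";
        const string hostile = "x'); delete from Product; --";

        // First statement: the apostrophe ends the string literal early, a syntax error at runtime.
        // Second statement: a complete INSERT followed by a DELETE the attacker chose.
        Console.WriteLine(BuildConcatenatedSql("P1", benign, "1", "9.99", ""));
        Console.WriteLine(BuildConcatenatedSql("P1", "widget", "1", "9.99", hostile));

        // Assumed connection string; nothing reaches the server unless the commented lines are enabled.
        using (var con = new SqlConnection("Server=.;Database=Store;Integrated Security=true"))
        {
            SqlCommand cmd = BuildParameterizedCommand(con, "P1", benign, "1", "9.99", hostile);
            Console.WriteLine(cmd.CommandText);          // identical whatever the inputs are
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine($"{p.ParameterName} = {p.Value}");  // hostile text is just data
            // con.Open();
            // cmd.ExecuteNonQuery();
        }
    }
}
```

The explicit Parameters.Add calls are what Dapper's anonymous-object argument does for you; the point in both cases is that the CommandText is a constant and the database receives the field values separately, typed, and never parsed as SQL.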
