
Hello all, this seems to be my problem: I have a table in MySQL and am making a C# app. When trying to insert I get "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'OIL COMPANY)' at line 1", which is my companyVal. It will insert with one value and a default for all others, but when I add the second value it errors out.

        string ConnectionString2 = ConfigurationSettings.AppSettings["ConnectionString2"];
        MySqlConnection connection2;
        connection2 = new MySqlConnection(ConnectionString2);
        connection2.Open();
        MySqlCommand command = new MySqlCommand("INSERT INTO spt_proposal     (lab_Prop_Id,customer_Name) VALUE (" + a + "," + companyVal + ")", connection2);
        command.ExecuteNonQuery();
        connection2.Close();

Brent

4 Answers

5

Don't do this to start with:

// I split the line
MySqlCommand command =
    new MySqlCommand("INSERT INTO spt_proposal (lab_Prop_Id,customer_Name) " +
        "VALUE (" + a + "," + companyVal + ")", connection2);

That opens you up to SQL injection attacks, as well as making your code harder to understand by mixing code and data, and causing potential problems for conversions (particularly for dates and times).

Instead, use a parameterized SQL statement to give the values to the database.

While you could just add quotes, you absolutely should not do so. Bad data (whether deliberately malicious or not) in variables a and b could be a serious security risk. Just don't do it.

You also need to change VALUE to VALUES, but I'd only do that after moving to parameterized SQL. Oh, and use a using statement to automatically dispose of the command and the connection, so you don't leak resources if an exception is thrown.


2 Comments

Thank you I will look at parameterized queries
@bmorrison1982: You should make that a top priority. I would seriously recommend that you don't work on any other code while you've still got queries like this.
1

You are missing quotes round your strings and VALUE should be VALUES:

string sql = "INSERT ... VALUES ('" + a + "','" + companyVal + "')";

Also I'd advise you to use parameterized queries.

1 Comment

Thank you I will look at parameterized queries
0

Guessing here, is the column customer_Name a string/text column? I don't have much experience with MySQL, but with SQL Server strings always have to be surrounded by ticks ('). So something like this might work:

MySqlCommand command = new MySqlCommand("INSERT INTO spt_proposal (lab_Prop_Id,customer_Name) VALUE (" + a + ",'" + companyVal + "')", connection2);

However, this is generally considered "bad form" and a slightly better alternative is using String.Format or even (much much) better is parameterized SQL.

1 Comment

Thank you I will look at parameterized queries
0

Change your command text to be parameterized:

var commandText = "INSERT INTO spt_proposal(lab_Prop_Id,customer_Name)" +
  " VALUES(?lab, ?cust)";

var command = new MySqlCommand(commandText, connection2);
command.Parameters.Add("?lab", MySqlDbType.VarChar, 80).Value = a;
command.Parameters.Add("?cust", MySqlDbType.VarChar, 80).Value = companyVal;

command.ExecuteNonQuery();

I'm making the wild assumption that the field types are varchar(80), lol...
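Putting the advice from the first answer (parameters plus `using` blocks) together with the parameterized command shown in this answer, here is a complete version of the asker's insert. This is an added example, not code from the question or from any of the answers; it assumes the MySql.Data (Connector/NET) provider, the same spt_proposal table as the question, and VARCHAR(80) columns (the column types are an assumption, not something the page states). The `ProposalRepository` class, the `InsertProposal` method and the `@labPropId`/`@customerName` parameter names are invented for this example.

```csharp
using System;
using MySql.Data.MySqlClient;

// Added example: not the asker's code or any answerer's code.
// Assumes the MySql.Data provider and the question's spt_proposal table;
// the VARCHAR(80) column types below are assumed, not taken from the page.
public static class ProposalRepository
{
    // Inserts one row with parameters, so lab_Prop_Id and customer_Name travel
    // as data and are never spliced into the SQL text. A value such as
    // "O'BRIEN OIL COMPANY" therefore cannot break (or alter) the statement,
    // which is exactly what happens with string concatenation.
    // The using blocks dispose the command and connection even if
    // ExecuteNonQuery throws, so no connection is leaked.
    public static int InsertProposal(string connectionString, string labPropId, string customerName)
    {
        const string sql =
            "INSERT INTO spt_proposal (lab_Prop_Id, customer_Name) " +
            "VALUES (@labPropId, @customerName)";

        using (var connection = new MySqlConnection(connectionString))
        using (var command = new MySqlCommand(sql, connection))
        {
            // Explicit types and lengths stop the driver from guessing;
            // adjust them to the real column definitions.
            command.Parameters.Add("@labPropId", MySqlDbType.VarChar, 80).Value = labPropId;
            command.Parameters.Add("@customerName", MySqlDbType.VarChar, 80).Value = customerName;

            connection.Open();
            return command.ExecuteNonQuery(); // rows affected; 1 for a single insert
        }
    }

    public static void Main()
    {
        // Placeholder connection string: replace with the value from your own
        // configuration (the question reads it from AppSettings["ConnectionString2"]).
        string connectionString =
            "server=localhost;database=PLACEHOLDER_DB;uid=PLACEHOLDER_USER;pwd=PLACEHOLDER_PASSWORD";

        // Constructed sample values. The apostrophe in the company name is the
        // kind of ordinary data that breaks a concatenated query.
        int rows = InsertProposal(connectionString, "12345", "O'BRIEN OIL COMPANY");
        Console.WriteLine($"Inserted {rows} row(s).");
    }
}
```

Connector/NET accepts both `@name` and `?name` parameter markers, so the `?lab`/`?cust` style in the answer above works the same way; the point is that the values are bound separately from the SQL text, which removes the quoting problem from the question and the injection risk at the same time.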

