This question already has answers here:
Syntax error when executing INSERT INTO statement
(4 answers)
Closed 8 years ago.
When I try cmd.ExecuteNonQuery() I get an error saying "Syntax error in INSERT INTO statement."
I posted this same problem yesterday... can someone help me again?
Private Sub btnadd1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnadd1.Click
Dim cmd As New OleDb.OleDbCommand
Dim Printlist1 As New DataTable
If Not con.State = ConnectionState.Open Then
con.ConnectionString = "Provider=Microsoft.Ace.OLEDB.12.0; Data Source=c:Database11.accdb"
con.Open()
cmd.Connection = con
End If
If Me.text1.Tag & "" = "" Then
cmd.CommandText = "INSERT INTO Printlist1(StickerCode, Description, Company, Department, Location, User, SerialNumber, DatePurchased, Tagable, Quantity, Brand, Model)" & _
" VALUES(#StickerCode, #Description, #Company, #Department, #Location, #User, #SerialNumber, #DatePurchased, #Tagable, #Quantity, #Brand, #Model)"
cmd.Parameters.AddWithValue("#StickerCode", Me.text1.Text)
cmd.Parameters.AddWithValue("#Description", Me.text2.Text)
cmd.Parameters.AddWithValue("#Company", Me.text3.Text)
cmd.Parameters.AddWithValue("#Department", Me.text4.Text)
cmd.Parameters.AddWithValue("#Location", Me.text5.Text)
cmd.Parameters.AddWithValue("#User", Me.text6.Text)
cmd.Parameters.AddWithValue("#SerialNumber", Me.text7.Text)
cmd.Parameters.AddWithValue("#DatePurchased", Me.text8.Text)
cmd.Parameters.AddWithValue("#Tagable", Me.text9.Text)
cmd.Parameters.AddWithValue("#Quantity", Me.text10.Text)
cmd.Parameters.AddWithValue("#Brand", Me.text11.Text)
cmd.Parameters.AddWithValue("#Model", Me.text12.Text)
cmd = New OleDbCommand(cmd.CommandText, con)
cmd.ExecuteNonQuery()
Else
cmd.CommandText = "UPDATE Printlist1 " & _
" SET StickerCode='" & Me.text1.Text & _
", Description='" & Me.text2.Text & "'" & _
", Company='" & Me.text3.Text & "'" & _
", Department='" & Me.text4.Text & "'" & _
", Location='" & Me.text5.Text & "'" & _
", User='" & Me.text6.Text & "'" & _
", SerialNumber='" & Me.text7.Text & "'" & _
", DatePurchased='" & Me.text8.Text & "'" & _
", Tagable='" & Me.text9.Text & "'" & _
", Quantity='" & Me.text10.Text & "'" & _
", Brand='" & Me.text11.Text & "'" & _
", Model='" & Me.text12.Text & "'" & _
" WHERE text1=" & Me.text1.Tag
cmd.ExecuteNonQuery()
End If
RefreshData()
Me.btnclear1.PerformClick()
con.Close()
End Sub
Sticker Code Description Company Department Location User Serial Number Date Purchased Tagable Quantity Brand Model
User is a reserved word in Sql try placing it in Square Brackets like this [User]
cmd.CommandText = "INSERT INTO Printlist1(StickerCode, [Description], Company, Department, Location, [User], SerialNumber, DatePurchased, Tagable, Quantity, Brand, Model)" & _
" VALUES(#StickerCode, #Description, #Company, #Department, #Location, #User, #SerialNumber, #DatePurchased, #Tagable, #Quantity, #Brand, #Model)"
Related
pls help solve me this question.. im very new to this
i can't add new employee to the table employee.. whenever i try to add it shows syntax error insert into statement
Public Class AddNewEmployee
Dim dr As OleDbDataReader
Dim da As OleDbDataAdapter
Dim ds As DataSet
Dim conn As New OleDbConnection(My.Settings.rayshadatabaseConnectionString)
Dim cmd As OleDbCommand
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
conn.Open()
Try
Dim str As String = "INSERT INTO employee" _
& "(Employee Name, IC Number, HP Number, Address)" _
& " Values (" _
& "'" & txtEmployeeName.Text & "', " _
& "'" & txtIC_Number.Text & "'," _
& "'" & txtHP_Number.Text & "'," _
& "'" & txtAddress.Text & "')"
cmd = New OleDbCommand(str, conn)
Dim i As Integer = cmd.ExecuteNonQuery()
If i > 0 Then
MessageBox.Show("Record Succesfully added.", "Process Completed", MessageBoxButtons.OK, MessageBoxIcon.Information)
Else
MessageBox.Show("Adding failed!", "Error", MessageBoxButtons.OK, MessageBoxIcon.Exclamation)
End If
Catch ex As Exception
MessageBox.Show(ex.Message)
Finally
conn.Close()
cmd.Dispose()
End Try
frmEmployee.loadR()
Me.Close()
End Sub
End Class
Replace this,
Dim str As String = "INSERT INTO employee" _
& "(Employee Name, IC Number, HP Number, Address)" _
& " Values (" _
& "'" & txtEmployeeName.Text & "', " _
& "'" & txtIC_Number.Text & "'," _
& "'" & txtHP_Number.Text & "'," _
& "'" & txtAddress.Text & "')"
with this,
Dim str As String = "INSERT INTO employee" _
& "([Employee Name], [IC Number], [HP Number], [Address])" _
& " Values (" _
& "'" & txtEmployeeName.Text & "', " _
& "'" & txtIC_Number.Text & "'," _
& "'" & txtHP_Number.Text & "'," _
& "'" & txtAddress.Text & "')"
Thanks
Manoj
I don't know where I should put the semicolon. Here's my code:
Try
cn.Open()
Dim query As String = "INSERT INTO CheckoutTable(PatientID,_Name,_Age,_Gender,_Phone,_Address,_Disease,_DateIN,_DateOUT,_Building,_RoomNo,_RoomType,_UnitPrice,_Status,_MASP,_Price) VALUES('" & txtPID.Text & "','" & txtName.Text & "','" & txtAge.Text & "','" & cmbGender.Text & "','" & txtPhone.Text & "','" & txtAddress.Text & "','" & txtDisease.Text & "',' " & txtDI.Text & " ',' " & txtDO.Text & " ','" & txtRT.Text & "','" & txtBuilding.Text & "','" & txtRN.Text & "',' " & txtMNS.Text & " ',' " & txtUnitPrice.Text & " ',' " & cmbStatus.Text & " ','" & txtPrice.Text & "')" & _
"DELETE From RegistrationTable where [_Name]='" & ListBox1.Text & "'" & _
"Select * from RegistrationTable"
Dim cmds As New OleDbCommand
With cmds
.CommandText = query
.Connection = cn
.ExecuteNonQuery()
End With
MsgBox("Checkout Success", MsgBoxStyle.Information)
cn.Close()
Catch ex As Exception
MsgBox(ex.Message)
End Try
Try
cn.Open()
Dim insertQuery as String = "INSERT INTO CheckoutTable(PatientID,_Name,_Age,_Gender,_Phone,_Address,_Disease,_DateIN,_DateOUT,_Building,_RoomNo,_RoomType,_UnitPrice,_Status,_MASP,_Price) " & _
"VALUES(#PatientID, #Name, #Age, #Gender, #Phone, #Address, #Disease , #DateIn, #DateOut, #Building, #RoomNo, #RoomType, #UnitPrice, #Status, #MASP, #Price) "
Dim deleteQuery as String = "DELETE From RegistrationTable where [_Name]= #RegName "
Dim selectQuery as String = "Select * from RegistrationTable"
Dim insertCmd As New OleDbCommand
Dim deleteCmd as New OleDbCommand
With insertCmd
.Connection = cn
.CommandText = insertQuery
.Parameters.AddWithValue("#PatientID", txtPID.Text)
.Parameters.AddWithValue("#Name", txtName.Text)
.Parameters.AddWithValue("#Age", txtAge.Text)
.Parameters.AddWithValue("#Gender", cmbGender.Text)
.Parameters.AddWithValue("#Phone", txtPhone.Text)
.Parameters.AddWithValue("#Address", txtAddress.Text)
.Parameters.AddWithValue("#Disease", txtDisease.Text)
.Parameters.AddWithValue("#DateIn", txtDI.Text)
.Parameters.AddWithValue("#DateOUT", txtDO.Text)
.Parameters.AddWithValue("#Building", txtBuilding.Text)
.Parameters.AddWithValue("#RoomNo", txtRN.Text)
.Parameters.AddWithValue("#RoomType", txtRT.Text)
.Parameters.AddWithValue("#UnitPrice", txtUnitPrice.Text)
.Parameters.AddWithValue("#MASP", txtMNS.Text)
.Parameters.AddWithValue("#Status", cmbStatus.Text)
.Parameters.AddWithValue("#Price", txtPrice.Text)
.ExecuteNonQuery()
End With
With deleteCmd
.Connection = cn
.CommandText = deleteQuery
.Parameters.AddWithValue("#RegName", ListBox1.Text)
.ExecuteNonQuery()
End With
MsgBox("Checkout Success", MsgBoxStyle.Information)
cn.Close()
Catch ex As Exception
MsgBox(ex.Message)
End Try
#StingyJack is right, I could break your db 6 ways from sunday if I had access to your interface as you're currently not doing ANYTHING to mitigate SQL injection. In addition to parameterizing your queries to protect against injection, I removed the need to HAVE a ; at the end of each DML statement in your query, by breaking them into separate commands. The select and displaying it's results, I leave to you.
When I try to edit and update the data in datagriview it comes up with an error message saying Operator '&' is not defined for type 'TextBox' and string "".
please help. Thanks
Here is my code
Private Sub btnaddrecord_Click(sender As Object, e As EventArgs) Handles btnaddrecord.Click
Dim cmd As New OleDb.OleDbCommand
If Not cnn.State = ConnectionState.Open Then
cnn.Open()
End If
cmd.Connection = cnn
If Me.IdentificationNotest.Tag & "" = "" Then
cmd.CommandText = "INSERT INTO vehicledefects(Codenumber, vehiclereg, datereported, defects1, repaired1, defects2, repaired2, defects3, repaired3, datefixed) " & _
" VALUES(" & Me.IdentificationNotest.Text & ",'" & Me.vehiclereg.Text & "','" & Me.datereported.Text & "','" & Me.defects1.Text & "','" & Me.repaired1.Text & "','" & _
Me.defects2.Text & "','" & Me.repaired2.Text & "','" & _
Me.defects3.Text & "','" & Me.repaired3.Text & "','" & _
Me.datefixed.Text & "')"
cmd.ExecuteNonQuery()
Else
cmd.CommandText = "UPDATE vehicledefects" & _
" SET Codenumber =" & Me.IdentificationNotest.Text & _
", vehiclereg ='" & Me.vehiclereg.Text & "'" & _
", datereported ='" & Me.datereported.Text & "'" & _
", defects1 ='" & Me.defects1.Text & "'" & _
", repaired1 ='" & Me.repaired1.Text & "'" & _
", defects2 ='" & Me.defects2.Text & "'" & _
", repaired2='" & Me.repaired2.Text & "'" & _
", defects3='" & Me.defects3.Text & "'" & _
", repaired3='" & Me.repaired3.Text & "'" & _
", datefixed='" & Me.datefixed.Text & "'" & _
" WHERE Codenumber =" & Me.IdentificationNotest.Tag
cmd.ExecuteNonQuery()
End If
refreshdata()
Me.btnclear.PerformClick()
cnn.Close()
datefixed.Text = ""
IdentificationNotest.Text = ""
End Sub
In the future, you should also post the line number the error is being thrown on.
The error is telling you that you're doing something like:
dim myString as String = myTextBox & " some more text"
in this case, you would need to do:
dim myString as String = myTextBox.Text & " some more text"
In the code you posted, I wasn't able to find an instance of this - so perhaps its somewhere else in the code. Though, the code was hard to read so I may have missed it.
You may also be aware that this code is susceptible to SQL Injection attacks
I have had the following error for a couple days and can't find the error. Can anyone please help me with this and ideally re-write the code with the solution.
Private Sub btnAdd_Click(sender As Object, e As EventArgs) Handles btnAdd.Click
Dim cmd As New OleDb.OleDbCommand
If Not cnn.State = ConnectionState.Open Then
'The line of code below opens the connection to the database if it isnt open
cnn.Open()
End If
cmd.Connection = cnn
'Check whether to add new or update
If Me.txtItemID.Tag & "" = "" Then
'Add new
'The line of coding below adds data to table
cmd.CommandText = "INSERT INTO Product ([Item ID], [Item Name], [Item Type], [Quantity], [Min Shelf Stock], [Purchase Price], [Note]) " & _
" VALUES (" & Me.txtItemID.Text & ",'" & Me.txtItemName.Text & "','" & _
Me.cboItemType.Text & "','" & Me.txtQuantity.Text & "','" & _
Me.txtMinShelfStock.Text & "','" & Me.txtPurchasePrice.Text & "','" & _
Me.txtNote.Text & "')"
cmd.ExecuteNonQuery()
Else
'Update data in the table
cmd.CommandText = "UPDATE Product " & _
" SET Item ID=" & Me.txtItemID.Text & _
", Item Name='" & Me.txtItemName.Text & "'" & _
", Item Type='" & Me.cboItemType.Text & "'" & _
", Quantity='" & Me.txtQuantity.Text & "'" & _
", Min Shelf Stock='" & Me.txtMinShelfStock.Text & "'" & _
", Purchase Price='" & Me.txtPurchasePrice.Text & "'" & _
", Note='" & Me.txtNote.Text & "'" & _
" WHERE Item ID=" & Me.txtItemID.Tag
cmd.ExecuteNonQuery()
End If
'Refresh data in list
RefreshData()
'Clear the form
Me.btnClear.PerformClick()
'The code below closes the connection to the database
cnn.Close()
End Sub
Try This...
cmd.CommandText = "INSERT INTO Product ([Item Id], [Item Name], [Item Type], [Quantity], [Min Shelf Stock], [Purchase Price], [Note]) VALUES (#id, #name, #iType, #quantity, #minshelfstock, #price, #note)"
cmd.Paramaters.AddWithValue("#id", txtItemId.Text)
cmd.Paramaters.AddWithValue("#name", txtItemName.Text)
cmd.Paramaters.AddWithValue("#iType", cboItemType.Text)
cmd.Paramaters.AddWithValue("#quantity", txtQuantity.Text)
cmd.Paramaters.AddWithValue("#minshelfstock", txtMinShelfStock.Text)
cmd.Paramaters.AddWithValue("#price", txtPurchasePrice.Text)
cmd.Paramaters.AddWithValue("#note", txtNote.Text)
Hope this helps
RoDiT
The first thing that I notice is that you have Quantity, Price and Min Shelf Stock surrounded by quotes in your select statement like ,'" & Me.txtQuantity.Text & "', which would submit them as text, but if these fields in your table are number formats of some sort then they have to be entered as numbers ," & Me.txtQuantity.Text & ",.
I input the Right dataSource but it didnt i cant fixed the problem cmd.ExecuteNonQuery()
saying:
Syntax error in INSERT INTO statement.
Code:
Private Sub btnadd1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnadd1.Click
Dim cmd As New OleDb.OleDbCommand
Dim Printlist1 As New DataTable
If Not con.State = ConnectionState.Open Then
con.ConnectionString = "Provider=Microsoft.Ace.OLEDB.12.0; Data Source=c:Database11.accdb"
con.Open()
cmd.Connection = con
End If
If Me.text1.Tag & "" = "" Then
cmd.CommandText = "INSERT INTO Printlist1(StickerCode, Description, Company, Department, Location, User, SerialNumber, DatePurchased, Tagable, Quantity, Brand, Model)" & _
" VALUES(" & Me.text1.Text & ",'" & Me.text2.Text & "','" & _
Me.text3.Text & "','" & Me.text4.Text & "','" & Me.text5.Text & "','" & _
Me.text6.Text & "','" & Me.text7.Text & "','" & Me.text8.Text & "','" & _
Me.text9.Text & "','" & Me.text10.Text & "','" & Me.text11.Text & "','" & _
Me.text12.Text & "')"
cmd = New OleDbCommand(cmd.CommandText, con)
cmd.ExecuteNonQuery()
Else
cmd.CommandText = "UPDATE Printlist1 " & _
" SET StickerCode='" & Me.text1.Text & _
", Description='" & Me.text2.Text & "'" & _
", Company='" & Me.text3.Text & "'" & _
", Department='" & Me.text4.Text & "'" & _
", Location='" & Me.text5.Text & "'" & _
", User='" & Me.text6.Text & "'" & _
", SerialNumber='" & Me.text7.Text & "'" & _
", DatePurchased='" & Me.text8.Text & "'" & _
", Tagable='" & Me.text9.Text & "'" & _
", Quantity='" & Me.text10.Text & "'" & _
", Brand='" & Me.text11.Text & "'" & _
", Model='" & Me.text12.Text & "'" & _
" WHERE text1=" & Me.text1.Tag
cmd.ExecuteNonQuery()
End If
RefreshData()
Me.btnclear1.PerformClick()
con.Close()
End Sub
Use a parameterized query, like this:
cmd.CommandText = "INSERT INTO Printlist1(StickerCode, Description, Company, Department, Location, User, SerialNumber, DatePurchased, Tagable, Quantity, Brand, Model)" & _
" VALUES(#StickerCode, #Description, #Company, #Department, #Location, #User, #SerialNumber, #DatePurchased, #Tagable, #Quantity, #Brand, #Model)"
cmd.Parameters.AddWithValue("#StickerCode", Me.Text1.Text)
cmd.Parameters.AddWithValue("#Description", Me.Text2.Text)
cmd.Parameters.AddWithValue("#Company", Me.Text3.Text)
cmd.Parameters.AddWithValue("#Department", Me.Text4.Text)
cmd.Parameters.AddWithValue("#Location", Me.Text5.Text)
cmd.Parameters.AddWithValue("#User", Me.Text6.Text)
cmd.Parameters.AddWithValue("#SerialNumber", Me.Text7.Text)
cmd.Parameters.AddWithValue("#DatePurchased", Me.Text8.Text)
cmd.Parameters.AddWithValue("#Tagable", Me.Text9.Text)
cmd.Parameters.AddWithValue("#Quantity", Me.Text10.Text)
cmd.Parameters.AddWithValue("#Brand", Me.Text11.Text)
cmd.Parameters.AddWithValue("#Model", Me.Text12.Text)
Note: It is best to keep the order of the parameters in line with the query, as databases like Microsoft Access will not execute the query correctly if the order is altered.
It is likely that one of your Me.textN.Text values has an apostrophe in it or some other unexpected character that is breaking your SQL quotes. The solution to this is to use parametized queries and/or stored procedure instead.
This incidentally, will also protect you form the SQL Injection attacks that take advantage of the same shortcoming in composing SQL commands as strings in the client application.
(NOTE: I am assuming the Me.text1.Text as the StickerCode is a number. Otherwise that's the problem as you are not quoting it the way you do with the other columns.)
First line is missing as '
...
"SET StickerCode='" & Me.text1.Text & "'" & _
...
You are missing single quotes around your first value. Try
" VALUES('" & Me.text1.Text & "','" & Me.text2.Text & "','" & _
Me.text3.Text & "','" & Me.text4.Text & "','" & Me.text5.Text & "','" & _
Me.text6.Text & "','" & Me.text7.Text & "','" & Me.text8.Text & "','" & _
Me.text9.Text & "','" & Me.text10.Text & "','" & Me.text11.Text & "','" & _
Me.text12.Text & "')"