2 
    public void RegisterUser(string passw,string uname ,string fname ,string lname, string email)
{
    string strSql = @"INSERT INTO User (passw,uname,fname,lname,email) values ('" + passw + "','" + uname + "','" + fname + "','" + lname + "','" + email + "')";                                                           
    cn.Open();
    OleDbCommand cmd = new OleDbCommand(strSql,cn);
    int yy= cmd.ExecuteNonQuery();
    cn.Close();
    cn.Dispose();

}

no matter what i do i get the same error does anyone see here something wrong? or there is another creative way to solve this problem thanks

Improve this question
2

2 Answers 2

Reset to default
6

Your code here can change dynamically depending on the user input. And that is what causing the error.

Let me explain if any of your input fields contain an apostroph [ ' ] the sql breaks and has now an unclosed quote.

Not only that it also exposes your code to SQL-Injection Attacks.

so i suggest you use parameters for passing value as parameters are treated differenty and are safe as well as prevent SQL-Injection.

    public void RegisterUser(string passw,string uname ,string fname ,string lname, string email)
{
    string strSql = @"INSERT INTO User (passw,uname,fname,lname,email) values     (@passw,@uname,@fname,@lname,@email)";                                                           
    cn.Open();
    OleDbCommand cmd = new OleDbCommand(strSql,cn);
    cmd.Parameters.AddWithValue("@passw",passw);
    cmd.Parameters.AddWithValue("@uname",uname);
    cmd.Parameters.AddWithValue("@fname",fname);
    cmd.Parameters.AddWithValue("@lname",lname);
    cmd.Parameters.AddWithValue("@email",email);
    int yy= cmd.ExecuteNonQuery();
    cn.Close();
    cn.Dispose();
}
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

You are welcome. just to inform you that If it realy helped then you can accept the answer by ticking the (right) symbol on the left side of this answer.
0

In Oracle, user is a reserved word and INSERT INTO User ... generates ORA-00903: invalid table name.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.