I was actually having a problem with my database access. I could not get connected to my SQL database. The error is:

Syntax error in INSERT INTO statement

I have tried everything but I just need help. Here is my code:

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    SqlDataSource1.InsertCommand = "INSERT INTO Information Page (RName, RCountry) VALUES ('" & TextBox1.Text & "', '" & TextBox2.Text & "')"
    Label4.Text = DateTime.Now.ToString("dd MMMM yyyy  h:mm")
End Sub

Protected Sub Button1_Click(ByVal sender As Object, ByVal e As EventArgs) Handles Button1.Click
    TextBox1.Text = " "
    TextBox2.Text = " "
End Sub
Protected Sub Button2_Click(ByVal sender As Object, ByVal e As EventArgs) Handles Button2.Click
    name = TextBox1.Text
    country = TextBox2.Text
    SqlDataSource1.Insert()
    Response.Redirect("http://localhost:49179/WebForm1.aspx")
End Sub
  • You don't specify what version of SQL you are using; however, your current query is invalid because there is a space in your table name. If you use MySQL you need to use backticks: `Information Page`, or if you are using Microsoft SQL Server you need to use square brackets: [Information Page]. Commented Mar 10, 2016 at 17:32
  • What is the exact name of the table you want to insert into? The name (one string, possibly surrounded by `) should be the only thing between INTO and the bracketed column names. Commented Mar 10, 2016 at 17:32
  • As T.S. mentioned, and you are young, read about PARAMETERIZED SQL statements. By building strings you are WIDE-OPEN to SQL injection. Parameterized queries are basically placeholder values in the SQL statement; then you do SqlDataSource1.InsertCommand.Parameters.Add() to fill in the value you want in the respective placeholder location. Read about it and you will see PLENTY of examples to work with. Good luck with your learning. Commented Mar 11, 2016 at 14:47

1 Answer

Since you are 12 years old, I am not going to go deeply into why you need to parameterize your queries and how to do it. But here is what you can see yourself:

INSERT INTO Information Page (RName, RCountry)

Let's take the piece above. When you send it as a command to the DB, the DB's SQL parser thinks... I am the DB parser for a minute: Got "Insert" - good, got "Into" - good, got "Information" - check for table or view - not found - ERROR.

But if you surround your "Information Page" with "[]" --> [Information Page], now the compiler will go: Got "[", find "]" - get the string in between - check for table or view - good...

Generally speaking, you're allowed to have table names with spaces in them, but it is not really a good idea to use this ability.
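
The two points raised on this page, the bracket-quoted table name and the parameterized insert, combined in one sketch. This is an added example, not code from the question or the answer; it assumes Microsoft SQL Server, and the module name, function names, the NVarChar(100) column types and the connection string are assumptions made for illustration.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

' Hypothetical helper module (name chosen for this example).
Public Module InformationPageWriter

    ' [Information Page] is bracket-quoted so the parser reads it as ONE identifier.
    ' @RName and @RCountry are placeholders; no user text is ever spliced into the SQL.
    Private Const InsertSql As String =
        "INSERT INTO [Information Page] (RName, RCountry) VALUES (@RName, @RCountry)"

    ' Builds the command. With string concatenation, a legitimate value such as
    ' "Côte d'Ivoire" would produce ... VALUES ('Ann', 'Côte d'Ivoire') and fail
    ' (or let crafted input rewrite the statement). As a parameter it is only data.
    Public Function BuildInsert(ByVal conn As SqlConnection,
                                ByVal rName As String,
                                ByVal rCountry As String) As SqlCommand
        Dim cmd As New SqlCommand(InsertSql, conn)
        ' Assumed column type and length: NVARCHAR(100). Match your real schema.
        cmd.Parameters.Add("@RName", SqlDbType.NVarChar, 100).Value =
            If(rName, String.Empty).Trim()
        cmd.Parameters.Add("@RCountry", SqlDbType.NVarChar, 100).Value =
            If(rCountry, String.Empty).Trim()
        Return cmd
    End Function

    ' Opens the connection, runs the insert and returns the number of rows
    ' affected (1 when the row was written). The connection string is supplied
    ' by the caller, for example from Web.config.
    Public Function InsertVisitor(ByVal connectionString As String,
                                  ByVal rName As String,
                                  ByVal rCountry As String) As Integer
        Using conn As New SqlConnection(connectionString)
            Using cmd As SqlCommand = BuildInsert(conn, rName, rCountry)
                conn.Open()
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function

End Module

' Usage from the page's Button2_Click handler (connString is an assumed variable):
'     InformationPageWriter.InsertVisitor(connString, TextBox1.Text, TextBox2.Text)
```

Calling this from the button handler also reads the text boxes at click time, when they hold the submitted values.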
