
So I have this code, but it gives a syntax error. I don't know what's wrong; can anyone help me? I'm a newbie in VB programming.

Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click


    Try
        Dim SqlQuery = "INSERT INTO sample (FirstName,MiddleName,LastName,Gender,age,Year Level,Date of birth,Date Enrolled,Citezenship,Religion,Address,Telephone NO,Average Grade,Father,Fathers Occupation,Fathers Address,Mother,Mothers Occupation,Mothers Address,Guardian,Guardians Address,Family Income,Payed Amount,Balance) VALUES ('" & txtfname.Text & "','" & txtmname.Text & "','" & txtlname.Text & "','" & combosex.Text & "','" & comboage.Text & "','" & comboyear.Text & "','" & txtdateofbirth.Text & "','" & txtdateenrolling.Text & "','" & txtcitezen.Text & "','" & txtreligion.Text & "','" & txtstudentadd.Text & "','" & txtnumber.Text & "','" & txtgrade.Text & "','" & txtfather.Text & "','" & txtfatherocc.Text & "','" & txtfatheradd.Text & "','" & txtmother.Text & "','" & txtmotherocc.Text & "','" & txtmotheradd.Text & "','" & txtguardian.Text & "','" & txtguardianadd.Text & "','" & txtincome.Text & "','" & txtpayment.Text & "','" & TextBox2.Text & "')"
        Dim sqlcommand As New OleDbCommand
        With sqlcommand
            .CommandText = SqlQuery
            .Connection = conn
            .ExecuteNonQuery()
        End With
        MsgBox("one record succesfull added")

    Catch ex As Exception
        MsgBox(ex.ToString)
    End Try
End Sub
  • What's the exception msg? Commented Jan 31, 2014 at 14:53
  • System.Data.OleDb.OleDbException: Syntax error in INSERT INTO statement. at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr) at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult) at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult) at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method) at System.Data.OleDb.OleDbCommand.ExecuteNonQuery() Commented Feb 3, 2014 at 12:36

2 Answers

This is most likely because of the SQL injection vulnerability you're exposing. Notice how you're treating user input:

"... VALUES ('" & txtfname.Text & "', ..."

This may look like you're just putting a data value in the query, but what you're actually doing is treating the user input as executable code. Any user input with database-reserved characters will cause problems. For example, if an input value has a single quote (such as the phrase "don't use SQL injectable code") then the resulting query you're building is:

"... VALUES ('don't use SQL injectable code', ..."

Naturally this will result in a syntax error because there's a t after a string literal, which isn't valid SQL.

Instead of treating user input as executable code, treat it as data values. Use SQL parameters to add those values to your query. Something like this:

' replace each concatenated string with a parameter placeholder:
Dim SqlQuery = "... VALUES (@fname, ..."

Dim sqlcommand As New OleDbCommand
With sqlcommand
    .CommandText = SqlQuery
    .Connection = conn

    ' add a parameter for each placeholder:
    .Parameters.AddWithValue("@fname", txtfname.Text)

    .ExecuteNonQuery()
End With

6 Comments

Sir, it still doesn't work. :( I parameterised all of them, but I'm still getting the error. (Sorry for the English.)
@user3242798: What is the actual exception you're seeing? What is the text of the query that's causing the error?
This is the error: System.Data.OleDb.OleDbException: Syntax error in INSERT INTO statement. at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr) at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult) at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult) at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method) at System.Data.OleDb.OleDbCommand.ExecuteNonQuery()
@user3242798: It looks like your column names have spaces in them. Does your database engine allow that? I'm guessing it doesn't. You'll need to qualify those names as database objects. In MS SQL Server that would mean surrounding them with square brackets, such as: [Date of birth].
But I'm not using MS SQL? I'm using an Access database.

Without seeing the exception message it's difficult to say what exactly is wrong, but at a guess I would say you are inserting strings where the db is expecting integers or dates. You need to cast your data to the type required by each field.

You are also open to SQL injection. Try to parameterise your data.

1 Comment

System.Data.OleDb.OleDbException: Syntax error in INSERT INTO statement. at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr) at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult) at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult) at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method) at System.Data.OleDb.OleDbCommand.ExecuteNonQuery()
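The following is a complete version of the parameterised insert, added here as an example; it is not code from the asker or from either answer. It applies the first answer's advice (parameters instead of string concatenation, and square brackets around column names that contain spaces, which is what the Access/ACE engine rejects with "Syntax error in INSERT INTO statement") together with the second answer's (convert age, dates and amounts to the types the columns expect before binding them). The connection string, the `students.accdb` file name, the reduced column list and the column types are assumptions; the original post only shows a variable named `conn`. One detail neither answer states: the OLE DB provider binds parameters by position, not by name, so `?` markers are used and parameters are added in exactly the column order.

```vb
Imports System
Imports System.Data
Imports System.Data.OleDb
Imports System.Globalization

Module StudentInsert

    ' Assumed connection string; the original post only shows a variable named "conn".
    Private Const ConnectionString As String =
        "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=students.accdb"

    ' Column names with spaces must be bracketed in Access SQL; an unbracketed space is
    ' what produces "Syntax error in INSERT INTO statement". The column list is a
    ' reduced, assumed subset of the table in the question.
    ' OleDb parameters are positional: each ? is bound in the order parameters are added.
    Private Const InsertSql As String =
        "INSERT INTO sample ([FirstName], [LastName], [Gender], [age], [Year Level], " &
        "[Date of birth], [Telephone NO], [Average Grade], [Balance]) " &
        "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)"

    ' Validates the raw textbox strings and binds them as typed parameters, so a bad
    ' value is reported to the user instead of being sent to the database as text.
    Public Function BuildInsertCommand(conn As OleDbConnection,
                                       firstName As String, lastName As String,
                                       gender As String, ageText As String,
                                       yearLevel As String, dobText As String,
                                       phone As String, gradeText As String,
                                       balanceText As String) As OleDbCommand
        Dim age As Integer
        If Not Integer.TryParse(ageText, age) OrElse age < 0 OrElse age > 120 Then
            Throw New ArgumentException("Age must be a whole number between 0 and 120.")
        End If

        Dim dob As Date
        If Not Date.TryParseExact(dobText, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                                  DateTimeStyles.None, dob) Then
            Throw New ArgumentException("Date of birth must be in yyyy-MM-dd format.")
        End If

        Dim grade As Double
        If Not Double.TryParse(gradeText, NumberStyles.Float,
                               CultureInfo.InvariantCulture, grade) Then
            Throw New ArgumentException("Average grade must be numeric.")
        End If

        Dim balance As Decimal
        If Not Decimal.TryParse(balanceText, NumberStyles.Number,
                                CultureInfo.InvariantCulture, balance) Then
            Throw New ArgumentException("Balance must be a decimal amount.")
        End If

        Dim cmd As New OleDbCommand(InsertSql, conn)
        ' Explicit OleDbType stops the provider from guessing; the order must match the ? markers.
        ' The names are only labels, since the Access provider ignores them.
        cmd.Parameters.Add("@fname", OleDbType.VarWChar, 50).Value = firstName
        cmd.Parameters.Add("@lname", OleDbType.VarWChar, 50).Value = lastName
        cmd.Parameters.Add("@gender", OleDbType.VarWChar, 10).Value = gender
        cmd.Parameters.Add("@age", OleDbType.Integer).Value = age
        cmd.Parameters.Add("@year", OleDbType.VarWChar, 20).Value = yearLevel
        cmd.Parameters.Add("@dob", OleDbType.Date).Value = dob
        cmd.Parameters.Add("@phone", OleDbType.VarWChar, 20).Value = phone
        cmd.Parameters.Add("@grade", OleDbType.Double).Value = grade
        cmd.Parameters.Add("@balance", OleDbType.Currency).Value = balance
        Return cmd
    End Function

    Sub Main()
        ' Constructed sample input. The apostrophe in O'Brien would have broken the
        ' concatenated query from the question; bound as a parameter it is just data.
        Using conn As New OleDbConnection(ConnectionString)
            conn.Open()
            Using cmd = BuildInsertCommand(conn, "Mary", "O'Brien", "F", "17", "Grade 11",
                                           "2007-03-14", "555-0100", "88.5", "1250.00")
                Dim rows = cmd.ExecuteNonQuery()
                Console.WriteLine("{0} record(s) added", rows)
            End Using
        End Using
    End Sub
End Module
```

In the button handler, call `BuildInsertCommand` with the `.Text` of each control and keep the `Try ... Catch` around `ExecuteNonQuery`; the `ArgumentException` messages are safe to show in a `MsgBox`, whereas `ex.ToString` on an `OleDbException` exposes the full query and stack trace to the user.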
