1

I have a problem with executing a sql command to the DB. The command should add a new user to the 'users' table.

But when I run the code, I get this Exception on:

command.ExecuteNonQuery();

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.OleDb.OleDbException: Syntax error in INSERT INTO statement.

this is the code of the page - GetSignIn.cshtml :

@{
    string Uname = Request["name"];
    string userName = Request["userName"];
    string pass = Request["passWord"];
    string pic = Request["pic"];
    string privacy = Request["privacy"];

    if(pic == null)
    {
        pic = "Shared/defaultPic.jpg";
    }

    System.Data.OleDb.OleDbConnection connection = new System.Data.OleDb.OleDbConnection();
    connection.ConnectionString = @"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Users\Etay\Documents\Visual Studio 2012\WebSites\Josef\Shared\users.mdb";
    try
    {
        System.Data.OleDb.OleDbCommand command = new System.Data.OleDb.OleDbCommand();
        command.Connection = connection;
        connection.Open();
        command.CommandText = "INSERT INTO users (userName,passWord,Uname,pic) VALUES ('" + userName + "', '" + pass + "', '" + Uname + "', '" + pass + "', " + pic + ")";
        command.ExecuteNonQuery();
        Response.Redirect("../HtmlPage.html");
    }
    finally
    {
        connection.Close();
    }


}

What should I change in my code? Why is it happening? Where is the syntax error in the INSERT INTO?

Improve this question
2
  • 5
    Use parameterized queries. Not only will you prevent SQL Injection attacks, you'll be able to spot these kinds of issues more easily. Commented Apr 14, 2016 at 17:13
  • is pic field string? if is it string you most put value between cotation Commented Apr 14, 2016 at 18:40

7 Answers 7

Reset to default
4

Use parameterized queries. Here is your statement rewritten to make use of them. I replaced your try/finally with a using block although your try/finally was acceptable.

Parameterized queries prevent errors and Sql Injection Attacks. An error could occur in your existing code if I were to submit a tick as a part of my user name or password. In the current form this would result in an exception. This is because the tick character is used to quote strings in sql syntax.

using (System.Data.OleDb.OleDbConnection connection = new System.Data.OleDb.OleDbConnection())
{
    connection.ConnectionString = @"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Users\Etay\Documents\Visual Studio 2012\WebSites\Josef\Shared\users.mdb";
    using (System.Data.OleDb.OleDbCommand command = new System.Data.OleDb.OleDbCommand())
    {
        command.Connection = connection;
        command.CommandText = "INSERT INTO users (userName,passWord,Uname,pic) VALUES (?,?,?,?)";
        command.Parameters.Add(userName);
        command.Parameters.Add(pass);
        command.Parameters.Add(Uname);
        command.Parameters.Add(pic);

        connection.Open();
        command.ExecuteNonQuery();
    }
}

About parameters for an OleDb connection from OleDbCommand.Parameters

Remarks

The OLE DB .NET Provider does not support named parameters for passing parameters to an SQL statement or a stored procedure called by an OleDbCommand when CommandType is set to Text. In this case, the question mark (?) placeholder must be used. For example:

SELECT * FROM Customers WHERE CustomerID = ?

Therefore, the order in which OleDbParameter objects are added to the OleDbParameterCollection must directly correspond to the position of the question mark placeholder for the parameter in the command text.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

What should I change in my code?

  1. Change to parameters (that also fixes the problem that you don;t have quotes around the pic value)

  2. Remove the second instance of pass in your values

    command.CommandText = "INSERT INTO users (userName,passWord,Uname,pic) VALUES (@userName, @pass, @Uname, @pic)";
command.Parameters.Add("@userName").Value = userName;
.. etc.

It's unclear what the type if pic is - you are passing a string but I can;t tell of the column stores a file path or if you are indending to serialize the file and store it in a pinary field.

Improve this answer

Comments

0

You set 4 fields after the "INTO" clause, however you're passing 5 parameters:

"INSERT INTO users (userName,passWord,Uname,pic) VALUES ('" + userName + "', '" + pass + "', '" + Uname + "', '" + pass + "', " + pic + ")";

Just add the fifth field, or remove one parameter from the VALUES part

Improve this answer

Comments

0

Please check take a look at your Insert statement, it looks like that you provided password value twice.

The number of query values and the destination fields should be same in an INSERT statement.

Improve this answer

Comments

0

You have the wrong number parameters in your insert statement. For clarity, why not use string.Format to keep everything uniform? (Assuming these are all string types)

var rawSql = @"Insert INTO Users (userName,passWord,Uname,pic) VALUES ('{0}','{1}','{2}','{3}')";
command.CommandText = string.Format(rawSql, userName, pass, Uname, pic);
command.ExecuteNonQuery();

However, it also looks like you probably want to include that 5th parameter as well - just extend the format :

var rawSql = @"Insert INTO Users (userName,passWord,Uname,pic, privacy) VALUES ('{0}','{1}','{2}','{3}','{4}')";
command.CommandText = string.Format(rawSql, userName, pass, Uname, pic, privacy);
command.ExecuteNonQuery();
Improve this answer

Comments

0

Since most of the answers failed to address the SQL Injection vulnerability, here's an example with parameterized queries. In addition to preventing SQL Injection attacks, it also makes it easier to troubleshoot these types of issues, and you don't need to worry about quoting or not quoting parameters.

System.Data.OleDb.OleDbConnection connection = new System.Data.OleDb.OleDbConnection();
connection.ConnectionString = @"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Users\Etay\Documents\Visual Studio 2012\WebSites\Josef\Shared\users.mdb";

try
{
    System.Data.OleDb.OleDbCommand command = new System.Data.OleDb.OleDbCommand();
    command.Connection = connection;
    connection.Open();
    command.CommandText = "INSERT INTO users (userName, passWord, Uname, pic, privacy) VALUES (?, ?, ?, ?, ?)";
    command.Parameters.Add(userName);
    command.Parameters.Add(pass);
    command.Parameters.Add(name);
    command.Parameters.Add(pic);
    command.Parameters.Add(privacy);
    command.ExecuteNonQuery();
    Response.Redirect("../HtmlPage.html");
}
finally
{
    connection.Close();
}
Improve this answer

1 Comment

I am pretty sure you meant to type command.Parameters.Add(val); (x4) as there is no static Add method.
0

Tnx 4 the help

It happend to be a problem with the database - you can not apply a INSERT INTO statement where the column name is "password". "password" is a Reserved word in SQL.

Tnx again,

Etay

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.