My code is as follows:

```csharp
private void Btn_Save_Click(object sender, EventArgs e)
{
    for (int i = 0; i < DGVCalendar.RowCount; i++)
    {
        // Only rows whose checkbox (column 0) is ticked are saved; the braces
        // make the insert and its error handling part of that condition.
        if (Convert.ToBoolean(this.DGVCalendar[0, i].Value) == true)
        {
            // Note the trailing "," after the closing quote: this is the
            // syntax error the answers below point out.
            sql = "insert into Tb_Faculty_Availability ([Faculty_Code],[Available_date])" + " values('" + cb_Faculty_Code.Text + "','" + Convert.ToDateTime(DGVCalendar.Rows[i].Cells[1].Value.ToString()) + "',";
            try
            {
                GFun.Error = "";
                GFun.InsertAccessData(sql);
                if (GFun.Error.ToString() != "")
                {
                    MessageBox.Show(GFun.Error.ToString(), "Error");
                    this.Cursor = Cursors.Arrow;
                    return;
                }
                GFun.OleDbCon.Close();
                MessageBox.Show("Records Inserted Successfully", "Record Inserted", MessageBoxButtons.OK, MessageBoxIcon.Information);
            }
            catch (Exception Ex)
            {
                MessageBox.Show(Ex.ToString(), "Error");
                this.Cursor = Cursors.Arrow;
                return;
            }
        }
    }
}
```

At run time it works as follows:

Select the faculty from the combobox and select the month in the calendar; then the selected dates of that particular month are displayed in the datagridview.

Then the dates selected in the datagridview are saved in the database.

For that I wrote the code above.

When I run it and click the Save button, the error shows as follows:

Syntax error in insert into statement.

My query is as follows:


```csharp
// Query as posted in the updated question: the VALUES list is never closed with ')'
// and the date is interpolated as culture-formatted text.
sql = "insert into Tb_Faculty_Availability ([Faculty_Code],[Available_date])" + " values('" + cb_Faculty_Code.Text + "','" + Convert.ToDateTime(DGVCalendar.Rows[i].Cells[1].Value.ToString()) + "'";
```
What is the mistake in my above query?

Please help me.

Regards,
Narasiman P.
Posted
Updated 7-Mar-13 3:03am

First, get rid of all that string concatenation and replace it with a parameterized INSERT query. That error you're getting is easily resolved by not doing what you're doing. By simplifying your code you're making it easier to debug and maintain.

You'll also remove the massive SQL Injection Attack problems you've exposed yourself to because of the way you naively wrote your code.

Google for "Parameterized SQL Queries" and "SQL Injection Attack" for more information and examples.
 
Share this answer
 
Comments
[no name] 7-Mar-13 8:54am    
For that, how can I use the parameterized query for my insert query?

please help me.

regards,
Narasiman P.
Dave Kreskowiak 7-Mar-13 10:41am    
If your definition of "help" is write your code for you, you've come to the wrong place. If I did that, you wouldn't have any clue as to why I did the things I did.

I gave you everything you need to solve this yourself. All you have to do is put those search phrases into Google and teach yourself about what you should be doing and why.
Maciej Los 7-Mar-13 9:09am    
Short and to the point!
+5
As Dave Kreskowiak wrote, you need to know how to avoid injection attacks. Please use Google to find the subjects listed.
Next, follow the link: SQLParameterCollection.AddWithValue() method
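The question's own insert rewritten with parameters, as an added example that is not part of this thread (the original uses OleDb through GFun.OleDbCon, so OleDbCommand is used here rather than the SqlParameter link above); the connection string field connStr and the form controls cb_Faculty_Code and DGVCalendar are assumed.

```csharp
using System;
using System.Data;
using System.Data.OleDb;
using System.Windows.Forms;

// Assumed: an OleDb connection string for the Access database (placeholder).
private readonly string connStr = "<your OleDb connection string>";

private void Btn_Save_Click(object sender, EventArgs e)
{
    // OleDb uses positional '?' placeholders; names given to parameters are
    // only for readability, the order of cmd.Parameters is what matters.
    const string sqlInsert =
        "INSERT INTO Tb_Faculty_Availability ([Faculty_Code], [Available_date]) " +
        "VALUES (?, ?)";

    try
    {
        using (var con = new OleDbConnection(connStr))
        using (var cmd = new OleDbCommand(sqlInsert, con))
        {
            // Declare the parameters once with explicit types; only the values
            // change per row, so the statement text never contains user input.
            OleDbParameter pCode = cmd.Parameters.Add("@Faculty_Code", OleDbType.VarWChar, 50);
            OleDbParameter pDate = cmd.Parameters.Add("@Available_date", OleDbType.Date);

            con.Open();
            int inserted = 0;
            for (int i = 0; i < DGVCalendar.RowCount; i++)
            {
                // Skip rows whose checkbox (column 0) is not ticked.
                if (!Convert.ToBoolean(DGVCalendar[0, i].Value)) continue;

                // The date travels as a DateTime, not as culture-formatted text,
                // and a quote in the faculty code cannot break out of the SQL.
                pCode.Value = cb_Faculty_Code.Text;
                pDate.Value = Convert.ToDateTime(DGVCalendar.Rows[i].Cells[1].Value);
                inserted += cmd.ExecuteNonQuery();
            }

            MessageBox.Show(inserted + " record(s) inserted", "Record Inserted",
                MessageBoxButtons.OK, MessageBoxIcon.Information);
        }
    }
    catch (OleDbException ex)
    {
        // Show the provider message only; ex.ToString() would expose internals.
        MessageBox.Show(ex.Message, "Error");
    }
}
```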
 
Share this answer
 
If you look at the query that you have written in your code, you have an extra comma at the end of the query. Please remove it and then try.
```csharp
sql = "insert into Tb_Faculty_Availability ([Faculty_Code],[Available_date])" + " values('" + cb_Faculty_Code.Text + "','" + Convert.ToDateTime(DGVCalendar.Rows[i].Cells[1].Value.ToString()) + "',";
```


Please remove this comma (the "," in "',";) from the sql string.
 
Share this answer
 
v3

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


