Hey guys, I get an error when adding data. I have 2 textboxes and the entered data inside the textboxes should be inserted into a SQL table, right, so I get a message on the 2nd text box:

************* Exception Text **************
System.Data.SqlClient.SqlException: Incorrect syntax near '12'.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async)
   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe)
   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()
   at login_form.add_user.button1_Click(Object sender, EventArgs e) in C:\Users\james\New folder\POS\pos\login form\add user.cs:line 25
   at System.Windows.Forms.Control.OnClick(EventArgs e)
   at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
   at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.ButtonBase.WndProc(Message& m)
   at System.Windows.Forms.Button.WndProc(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

Here's my code:

SqlConnection con = new SqlConnection("Data Source=JAMES-PC\\SQLEXPRESS;Initial Catalog=login1;Integrated Security=True");
SqlCommand cmd = new SqlCommand("INSERT INTO user1 (username, password) VALUES ('" + textBox1.Text + "','" + textBox2.Text + "'", con);

2ndly, I know my code ain't very SQL-injection proof, reading up on it :)
Updated 31-Jul-15 1:39am
Richard Deeming 31-Jul-15 7:50am    
Your code is vulnerable to SQL Injection.

NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.
jamesmc1535 31-Jul-15 7:52am    
Thanks for the advice, I'm still reading up on parameterized.
Richard Deeming 31-Jul-15 7:51am    
You're also storing passwords in plain text. That's an extremely bad idea. You should only ever store a salted hash of the user's password.

Secure Password Authentication Explained Simply
Salted Password Hashing - Doing it Right

1 solution

You have forgotten to put a close bracket after VALUES ends.
Check this:
SqlCommand cmd = new SqlCommand("INSERT INTO user1 (username, password) VALUES ('" + textBox1.Text + "','" + textBox2.Text + "')", con);

Hope, it helps :)

As you know this is vulnerable to SQL Injection, so spend a little time (not more) to convert this to a parameterized query.
SqlCommand cmd = new SqlCommand("INSERT INTO user1 ([username], [password]) VALUES (@username,@password)", con);

Reference: Using Parameterized queries to prevent SQL Injection Attacks in SQL Server

Hope, you'll consider this update :)
jamesmc1535 31-Jul-15 7:50am    
JEEZ, lotta help, thanks man.
Something as simple as that :| and it works.
Suvendu Shekhar Giri 31-Jul-15 7:53am    
Glad that it helped :)
Richard Deeming 31-Jul-15 7:52am    
You have copied the SQL Injection vulnerability from the question.

NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.
Suvendu Shekhar Giri 31-Jul-15 7:59am    
Noted. Updated the solution.
Richard Deeming 31-Jul-15 8:01am    
Thanks. Updated my vote. :)

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
