Click here to Skip to main content
15,886,806 members
Search within:


incorrect syntax near 's'
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
C#
ASP.NET
SQL
i'm getting error Incorrect syntax near s'
SQL
da = new SqlDataAdapter("insert into rsa_addtocart(UserId,productid,productname,ProductImage,price,qty,totalcost,cdate)values(" + Convert.ToInt32(Session["users"].ToString()) + "," + Convert.ToInt32(ds.Tables[0].Rows[0][0].ToString()) + ",'" + ds.Tables[0].Rows[0][1].ToString() + "','" + ds.Tables[0].Rows[0][3].ToString() + "'," + Convert.ToDecimal(ds.Tables[0].Rows[0][2].ToString()) + ",1," + Convert.ToDecimal(ds.Tables[0].Rows[0][2].ToString()) + ",getdate())", con);
                   da.SelectCommand.ExecuteNonQuery();

If product name is without apostrophe i'm not getting any error but with apostrophe it throws an exception so tried to use the parameterized queries but don't know how to get values in parameters for ProductImage
ProductImage,ds.Tables[0].Rows[0][3].ToString()

please help me to solve this.
Posted
Updated 4-Jun-15 1:18am
v2
Add a Solution
Comments
ConnectingKamlesh 4-Jun-15 7:40am    
Try replacing the apostrophe with double apostrophe,

ds.Tables[0].Rows[0][1].ToString().Replace("'","''");
F-ES Sitecore 4-Jun-15 7:41am    
Use parameterised queries. Google "parameterised queries ado.net"

2 solutions

Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

The chances are that that will cure your problem at the same time.
C#
using (SqlCommand cmd = new SqlCommand("insert into rsa_addtocart(UserId,productid,productname,ProductImage,price,qty,totalcost,cdate)values(@UID, @PID, @PN, @PI, @PR, @QTY, @TC, GETDATE())", con))
    {
    cmd.Parameters.AddWithValue("@UID", Convert.ToInt32(Session["users"]));
    cmd.Parameters.AddWithValue("@PID", Convert.ToInt32(ds.Tables[0].Rows[0][0]);
    cmd.Parameters.AddWithValue("@PN", ds.Tables[0].Rows[0][1]);
    cmd.Parameters.AddWithValue("@PI", ds.Tables[0].Rows[0][3]);
    cmd.Parameters.AddWithValue("@PR", Convert.ToDecimal(ds.Tables[0].Rows[0][2]);
    cmd.Parameters.AddWithValue("@QTY", 1);
    cmd.Parameters.AddWithValue("@TC", Convert.ToDecimal(ds.Tables[0].Rows[0][2]);
    cmd.ExecuteNonQuery();
    }


[edit]Missed that hard coded value![/edit]
 
Share this answer
 
Posted
Updated 4-Jun-15 1:52am
v2
Comments
Richard Deeming 4-Jun-15 7:49am    
Snap!

But he didn't miss a parameter - the quantity is hard-coded as 1.
OriginalGriff 4-Jun-15 7:53am    
Yep! I missed that.
See how much easier it is to read with parameters? :laugh:
OriginalGriff 4-Jun-15 7:54am    
Oh, BTW: I left it as GETDATE rather than swap it to DateTime.Now because that means all inserts use the same PC time: server rather than client.
Richard Deeming 4-Jun-15 7:58am    
Fair point. As it's tagged as ASP.NET, I assumed the SQL and web servers would be in the same time zone. :)
OriginalGriff 4-Jun-15 8:18am    
:laugh:
Yes, but that doesn't mean they have the same time. Even PC's which regularly sync to a NTP server can have different times. If you need consistent date-time stamps, you should always use the same clock.
Your code is vulnerable to SQL Injection[^].

NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.
C#
using (var command = new SqlCommand("insert into rsa_addtocart (UserId, productid, productname, ProductImage, price, qty, totalcost, cdate) values (@UserId, @productid, @productname, @ProductImage, @price, @qty, @totalcost, @cdate)", con))
{
    command.Parameters.AddWithValue("@UserId", Session["users"]);
    command.Parameters.AddWithValue("@productid", ds.Tables[0].Rows[0][0]);
    command.Parameters.AddWithValue("@productname", ds.Tables[0].Rows[0][1]);
    command.Parameters.AddWithValue("@ProductImage", ds.Tables[0].Rows[0][3]);
    command.Parameters.AddWithValue("@price", ds.Tables[0].Rows[0][2]);
    command.Parameters.AddWithValue("@qty", 1);
    command.Parameters.AddWithValue("@totalcost", ds.Tables[0].Rows[0][2]);
    command.Parameters.AddWithValue("@cdate", DateTime.Now);
    
    if (con.State != ConnectionState.Open)
    {
        con.Open();
        try
        {
            command.ExecuteNonQuery();
        }
        finally
        {
           con.Close();
        }
    }
    else
    {
        command.ExecuteNonQuery();
    }
}
 
Share this answer
 
Posted
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
Incorrect syntax near ', '.'
Microsoft.data.sqlclient.sqlexception: 'incorrect syntax near '/'.'
Incorrect syntax near the keyword 'inner'.
Incorrect syntax near 'LIMIT'.
How do I remove the error for incorrect syntax near LIKE.
Incorrect syntax near '.'.
Incorrect syntax near '-'.
Incorrect syntax near ','.
Incorrect syntax near '='.
incorrect syntax near #

Advertise
Privacy
Cookies
Terms of Use
Last Updated 4 Jun 2015
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web04 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900