-1

I am using Visual Studio 2010 connected to an Access database (2010).

I created a button to add items from textboxes to the database and I'm getting the error "Syntax error in INSERT INTO statement".

    protected void upload_Click(object sender, EventArgs e)
    {
        if (FileUpload3.HasFile)
        {
            try
            {
                // Save the uploaded file under the site's images folder and keep its relative path
                string filename = Path.GetFileName(FileUpload3.FileName);
                FileUpload3.SaveAs(Server.MapPath("images") + "/" + filename);
                Picture.Text = "images/" + filename;
                Label2.Text = "";
            }
            catch (Exception ex)
            {
                Label2.Text = "Upload status: The file could not be uploaded. The following error occurred: " + ex.Message;
            }
        }
    }

    protected void addnewitem_Click(object sender, EventArgs e)
    {
        // Builds the INSERT by concatenating the textbox values into the SQL string
        AccessDataSource1.InsertCommand = "Insert into RAM (RAM Name, picture) values ('" + name.Text.ToString() + ",'" + Picture.Text.ToString() + "')";

        AccessDataSource1.Insert();
    }
marc_s
    Encapsulate the field [RAM Name] in square brackets. I think the error is due to space in the column name. "Insert into RAM ([RAM Name], picture) values" – Alberto Spelta Apr 18 '13 at 12:32

3 Answers

1

Try a bit of SQL injection: append a single quote to the text you enter in the "name" textbox.

And if it works, then use parameters in your query rather than appending text from the user.

Further reading:

http://www.codinghorror.com/blog/2005/04/give-me-parameterized-sql-or-give-me-death.html

How do parameterized queries help against SQL injection?

UPDATE

Also use the correction in Alberto Spelta's comment on the original question (enclose a column name that contains spaces in brackets: "RAM Name" => "[RAM Name]"). This is another syntax error as well as the omitted single quote.

Joe
1

You're missing a single quote:

    "... values ('" + name.Text.ToString() + "','" + Picture.Text.ToString() + "')"
                                              ^

But you shouldn't be using string concatenation like this - use a proper parameterised query instead, and you won't see these problems (or the more dangerous injection problems you get when your data contains single quotes).

RichieHindle
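The two answers above both recommend replacing the concatenated INSERT with a parameterised query. The following is an added example, not code from the question or from either answer, showing the concatenated form beside an OleDb parameterised version for the same `RAM` table and `[RAM Name]`/`picture` columns. The connection string, the `.accdb` path, the `ConcatenatedSql` and `InsertRam` method names and the column sizes are assumptions for illustration; the Access OLE DB provider binds parameters positionally through `?` placeholders.

```csharp
using System;
using System.Data.OleDb;

static class RamInsertExample
{
    // Assumed connection string; point Data Source at the real .accdb file.
    const string ConnectionString =
        "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=|DataDirectory|\\ram.accdb";

    // The pattern from the question, with the bracketed column name and the
    // missing quote corrected. It is still built by concatenation, so a single
    // quote in `name` (the check Joe suggests) terminates the literal early and
    // lets the input change the statement itself.
    public static string ConcatenatedSql(string name, string picture)
    {
        return "INSERT INTO RAM ([RAM Name], picture) VALUES ('"
             + name + "','" + picture + "')";
    }

    // Parameterised version: the text never becomes part of the SQL, so quotes
    // in the input are stored as data rather than parsed as syntax.
    // OleDb/Access uses positional '?' markers; parameters are bound in the
    // order they are added, and the names given here are only for readability.
    public static int InsertRam(string name, string picture)
    {
        const string sql = "INSERT INTO RAM ([RAM Name], picture) VALUES (?, ?)";

        using (var conn = new OleDbConnection(ConnectionString))
        using (var cmd = new OleDbCommand(sql, conn))
        {
            // Assumed column sizes (255 matches an Access Short Text field).
            cmd.Parameters.Add("@name", OleDbType.VarWChar, 255).Value = name;
            cmd.Parameters.Add("@picture", OleDbType.VarWChar, 255).Value = picture;

            conn.Open();
            return cmd.ExecuteNonQuery(); // number of rows inserted (1 on success)
        }
    }

    static void Main()
    {
        // Constructed input containing a single quote, as in Joe's test.
        string name = "Corsair 8GB 'Vengeance'";
        string picture = "images/corsair.jpg";

        // Shows why concatenation breaks: the quotes inside `name` end the
        // literal and produce a statement Access rejects as a syntax error.
        Console.WriteLine(ConcatenatedSql(name, picture));

        // The parameterised insert stores the same value unchanged.
        // Console.WriteLine(InsertRam(name, picture)); // requires the .accdb to exist
    }
}
```

In the ASP.NET page from the question the same idea applies to `AccessDataSource`: keep `?` placeholders in `InsertCommand` and supply the values through `InsertParameters` instead of concatenating `name.Text` and `Picture.Text` into the string.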
1

Try

([RAM Name], picture)

instead of

(RAM Name, picture)

Hope this helps

Irvin Dominin