Syntax error in INSERT INTO statement

Question

I am writing the following code in my C-Sharp Form Application and its giving me the following error.

> Syntax error in INSERT INTO statement.


OleDbCommand cmd =
    new OleDbCommand(
            "Insert into Info (username, password) Values ('"
          + username
          + "', '" 
          + password 
          + "')"
        , conn
    );

score 3 · Accepted Answer · edited May 23 '17 at 12:18

3

The word PASSWORD is a reserved keyword. To use it you should enclose the string in square brackets

OleDbCommand cmd = new OleDbCommand("Insert into Info (username, [password]) Values ('" + username + "', '" + password + "')", conn);

And please, please, do not use string concatenation to build sql statements. It is a very bad practice that leads to other syntax errors (username or password with single quotes) or worst to a sql injection Attacks. Take a look here to what could happen if you have a smart and malicious user

OleDbCommand cmd = new OleDbCommand("Insert into Info (username, [password]) Values (?,?)", conn);
cmd.Parameters.AddWithValue("@p1", username);
cmd.Parameters.AddWithValue("@p2", password);
cmd.ExecuteNonQuery();

edited May 23 '17 at 12:18

Community

1
1

answered Apr 26 '13 at 15:25

Steve

213,761
22
232
286

Can i also write Select command like this, oledbCommand cmd= new oledbcommand ("Select * from Table where id= ? and password= ?") – Taha Kirmani Apr 26 '13 at 16:11
Yes of course, the concept is the same. The parameters should always used to pass user input text. You can't use a parameter to express the table's name or column's name though. – Steve Apr 26 '13 at 17:07

David Hoerster · Answer 2 · 2013-04-26T15:31:13.833

2

You need to bracket off password. It's a reserved word.

OleDbCommand cmd = 
    new OleDbCommand("Insert into Info (username, [password]) Values ('" + username + "', '" + password + "')", conn);

edited Apr 26 '13 at 15:31

answered Apr 26 '13 at 15:25

David Hoerster

28,421
8
67
102

@HansUp - thought it was username, but user is the reserved word. Typed too quickly. :) – David Hoerster Apr 26 '13 at 15:28
Yeah, `username` *looks* suspicious. :-) And the brackets wouldn't hurt ... so including them wasn't a problem. You earned +1 based on `[password]`. – HansUp Apr 26 '13 at 15:33
@HansUp thanks! Yes, the square brackets don't hurt (at least, I don't think they do). – David Hoerster Apr 26 '13 at 15:36

score 1 · Answer 3 · answered Apr 26 '13 at 15:24

1

Maybe there's an illegal character (such as a single quote) within the username or password variables. Make sure they're sanitized.

answered Apr 26 '13 at 15:24

Hebron George

329
1
6
21

That's a good point, but the better way to deal with that possibility is to use a parameter query as Steve suggested. – HansUp Apr 26 '13 at 15:36

Syntax error in INSERT INTO statement

3 Answers3