incorrect syntax near ');

Question

I have an error with my code.

Code execution directly flows to the catch block and says: incorrect syntax near ');

I want to save a file in the database and call it again.

public partial class newsrv : System.Web.UI.Page{
    string dir = "C://fileup//";

    protected void Page_Load(object sender, EventArgs e){
        if (!Directory.Exists(dir)){
            Directory.CreateDirectory(dir);
        }
    }

    protected void DropDownList1_SelectedIndexChanged(object sender, EventArgs e){

    }

    protected void Button1_Click(object sender, EventArgs e){
        SqlConnection con = new SqlConnection("Data Source=.\\SQLEXPRESS;AttachDbFilename=|DataDirectory|DB.mdf;Integrated Security=True;User Instance=True");
        string fname = FileUpload1.PostedFile.FileName;
        try{
            SqlCommand cmd = new SqlCommand("INSERT INTO OrderNum (SrviceType, Msg,[File]) VALUES ('" + DropDownList1.SelectedItem.Text + "','" + TextBox1.Text + "' ,'" + FileUpload1.PostedFile.FileName + "') );", con);
            con.Open();

            try {
                int res = cmd.ExecuteNonQuery();
                if (res > 0){
                    System.Windows.Forms.MessageBox.Show("success");
                }
                Label2.Text = TextBox1.Text;
                FileUpload1.SaveAs(dir + fname);
                Label1.Text = " file name uploaded succ ";
                FileUpload1.Visible = true;
            }catch (Exception ex){
                System.Windows.Forms.MessageBox.Show(ex.Message);
            }
        }catch{
            Label1.Text = " file name  not uploaded  ";
            FileUpload1.Visible = false;
            con.Close();
        }finally{
            con.Close();
        }
    }

    protected void TextBox1_TextChanged(object sender, EventArgs e){

    }
}

Print out the command to debug it: `SqlCommand cmd = new SqlCommand("INSERT INTO OrderNum (SrviceType, Msg,[File]) VALUES ('" + DropDownList1.SelectedItem.Text + "','" + TextBox1.Text + "' ,'" + FileUpload1.PostedFile.FileName + "') );", con);` Two opened brackets and three closing ones For future questions: Include the full error message. The stack includes the line of code causing the error. — Daniel, Oct 19 '13 at 20:44

score 1 · Accepted Answer · answered Oct 19 '13 at 20:28

It looks like you have an extra ); at the end of the SQL statement...

... + TextBox1.Text + "' ,'" + FileUpload1.PostedFile.FileName + "') );", con);

                                                                     ^^ 
                                                                     remove these

score 1 · Answer 2 · edited May 23 '17 at 11:59

1

I think you should get rid of ); in:

"') );",

Also, consider using placeholders for better security.

edited May 23 '17 at 11:59

Community

1
1

answered Oct 19 '13 at 20:29

Arwin van Arum

19
2

score 0 · Answer 3 · answered Oct 19 '13 at 20:27

Your SQLCommand is invalid. It should be:

SqlCommand cmd = new SqlCommand("INSERT INTO OrderNum (SrviceType, Msg,[File]) VALUES ('" + DropDownList1.SelectedItem.Text + "','" + TextBox1.Text + "' ,'" + FileUpload1.PostedFile.FileName + "')", con);

E.G. Remove the extra ); at the end of the statement.

score 0 · Answer 4 · answered Oct 19 '13 at 20:40

Don't put ); at the end of the query. And for an easy compresion use this syntax:

SqlCommand cmd=new SqlCommand(String.Format(@"INSERT INTO OrderNum (SrviceType, Msg,[File]) VALUES ('{0},{1},{2}')",DropDownList1.SelectedItem.Text, TextBox1.Text,FileUpload1.PostedFile.FileName),con);

For better understanding change the name of the obj in something that remember what you want do with this.

Example if you have a textbox that required the username call the textbox txtUserName or txtNickName

incorrect syntax near ');

4 Answers4