My INSERT statement has a syntax error but I am not sure where. The error message says there's an error on line 13 but I can't see the problem. Can somebody help?

    Imports System.Data.OleDb

    Public Class Form2
        Dim cnn As OleDbConnection
        Dim cmd As New OleDbCommand
        Dim sqlstr As String
        Private Sub Button1_Click(sender As System.Object, e As System.EventArgs) Handles Button1.Click
            Try
                cnn = New OleDbConnection("Provider=Microsoft.ACE.OLEDB.12.0;Data Source=" & Application.StartupPath & "\Library.accdb;")
                cnn.Open()
                sqlstr = "INSERT INTO Users (ID,User_Name,Password) VALUES ('" & txtID.Text & "','" & txtUser.Text & "','" & txtPassword.Text & "')"
                cmd = New OleDbCommand(sqlstr, cnn)
                cmd.ExecuteNonQuery()
                cnn.Close()
                MsgBox("User saved.")
            Catch ex As Exception
                MsgBox(ex.ToString)
            End Try
        End Sub

    End Class

  • If the column `ID` is an auto-increment int column, which it should be, then you should *not* include this in the insert statement. You should also see this post: **[How do I create a parameterized SQL query? Why Should I?](http://stackoverflow.com/questions/542510/how-do-i-create-a-parameterized-sql-query-why-should-i)** – Bjørn-Roger Kringsjå Dec 07 '14 at 13:20
  • `Password` is a reserved word. [See this answer](http://stackoverflow.com/a/15704920/77335) – HansUp Dec 07 '14 at 13:56
  • And WIDE-OPEN to SQL-Injection (hence Bjorn's comment about parameterized queries) – DRapp Dec 07 '14 at 15:46
  • I have removed the ID from the statement but I am still receiving the same error message. – user4557822 Dec 07 '14 at 15:55
  • Just added square brackets around Password and that fixed it, thanks. – user4557822 Dec 07 '14 at 16:11
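
The points raised in the comments above (bracketing the reserved word `Password`, leaving out an auto-increment `ID`, and using parameters instead of string concatenation) combined in one handler, as an added example that is not part of the original thread. It assumes `ID` is an AutoNumber column and that both text columns hold at most 255 characters; the parameter names are labels only.

```vb
Imports System.Data.OleDb

Public Class Form2
    ' Same connection string the question builds at run time.
    Private ReadOnly connStr As String =
        "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=" &
        Application.StartupPath & "\Library.accdb;"

    Private Sub Button1_Click(sender As System.Object, e As System.EventArgs) Handles Button1.Click
        ' [Password] is bracketed because Password is a reserved word.
        ' ID is omitted on the assumption that it is an AutoNumber column.
        Const sql As String =
            "INSERT INTO Users (User_Name, [Password]) VALUES (?, ?)"
        Try
            ' Using blocks close the connection and command even when
            ' ExecuteNonQuery throws.
            Using cnn As New OleDbConnection(connStr)
                Using cmd As New OleDbCommand(sql, cnn)
                    ' OleDb binds parameters by position, not by name:
                    ' add them in the same order as the ? markers.
                    ' Values travel separately from the SQL text, so a
                    ' quote typed into a text box is stored as data and
                    ' cannot change the statement.
                    ' 255 is an assumed column size.
                    cmd.Parameters.Add("@user", OleDbType.VarWChar, 255).Value = txtUser.Text
                    cmd.Parameters.Add("@pwd", OleDbType.VarWChar, 255).Value = txtPassword.Text
                    cnn.Open()
                    cmd.ExecuteNonQuery()
                End Using
            End Using
            MsgBox("User saved.")
        Catch ex As OleDbException
            MsgBox(ex.Message)
        End Try
    End Sub
End Class
```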

0 Answers