
I receive an error when I run my project in VB: [syntax error in INSERT INTO statement]

Private Sub Bsimpan_Click(sender As Object, e As EventArgs) Handles Bsimpan.Click
    ' Refuse to save until every field on the form has a value
    If Tno.Text = "" Or Tnis.Text = "" Or Tnama.Text = "" Or Tkelas.Text = "" Or CBjk.Text = "" Or Tt4lahir.Text = "" Or ttgllahir.Text = "" Then
        MsgBox("Data Belum Lengkap")
        Exit Sub
    Else
        Call koneksi()
        ' Check whether a member with this nis already exists (value concatenated into the SQL text)
        cmd = New OleDbCommand("select * from Anggota where nis='" & Tnis.Text & "'", conn)
        rd = cmd.ExecuteReader
        rd.Read()
        Dim ada As Boolean = rd.HasRows
        rd.Close()
        If Not ada Then
            ' No row yet: build the INSERT by concatenating the form values
            Dim sqltambah As String = "insert into Anggota(No,nis,Nama,Kelas,Jenis_kelamin,Tempat_lahir,Tanggal_lahir) values " & _
                "('" & Tno.Text & "', '" & Tnis.Text & "', '" & Tnama.Text & "', '" & Tkelas.Text & "', '" & CBjk.Text & "', '" & Tt4lahir.Text & "', '" & ttgllahir.Text & "')"
            cmd = New OleDbCommand(sqltambah, conn)
            cmd.ExecuteNonQuery()
            Call kosongkan()
            Call tampilkan()
            Tno.Focus()
        Else
            ' Row exists: build the UPDATE the same way, limited to the matching nis
            Dim sqledit As String = "update Anggota set " & _
                "NIS='" & Tnis.Text & "', " & _
                "Nama='" & Tnama.Text & "', " & _
                "Kelas='" & Tkelas.Text & "', " & _
                "Jenis_kelamin='" & CBjk.Text & "', " & _
                "Tempat_lahir='" & Tt4lahir.Text & "', " & _
                "Tanggal_lahir='" & ttgllahir.Text & "' " & _
                "where nis='" & Tnis.Text & "'"
            cmd = New OleDbCommand(sqledit, conn)
            cmd.ExecuteNonQuery()
            Call kosongkan()
            Call tampilkan()
        End If
    End If
End Sub
asked by MNFS, edited by sebagomez

3 Answers


It might be a character in your values that creates an invalid SQL statement. However, generating an SQL statement by concatenating user input is a very dangerous and evil thing to do, because it opens the door to a simple, well-known and well-documented security issue called SQL injection.

The only good way to handle parameters is with a parameterized SQL query.

See this SO question for more details.

The_Black_Smurf

Could it be a missing space between the table name and the first parenthesis?

Probably the best way to find out would be to copy the content of the sqltambah variable and run the INSERT statement yourself, to see if you get a little more info about where the error is.

Take a look at this: http://msdn.microsoft.com/en-us/library/ms174335.aspx

sebagomez

Use parameterized queries.

For example the query would look like this:

INSERT INTO anggota 
            (no, 
             nis, 
             nama, 
             kelas, 
             jenis_kelamin, 
             tempat_lahir, 
             tanggal_lahir) 
VALUES      (@no, 
             @nis, 
             @nama, 
             @kelas, 
             @jenis_kelamin, 
             @tempat_lahir, 
             @tanggal_lahir) 

Then adjust your code. Create the command from the query first and attach the parameters to that command; parameters added before `cmd = New OleDbCommand(...)` are lost when the variable is reassigned. OleDb binds parameters by position rather than by name, so add them in the same order as the placeholders in the VALUES list:

cmd = New OleDbCommand(sqltambah, conn)   ' sqltambah holds the INSERT above
cmd.Parameters.AddWithValue("@No", Tno.Text)
cmd.Parameters.AddWithValue("@nis", Tnis.Text)
cmd.Parameters.AddWithValue("@Nama", Tnama.Text)
cmd.Parameters.AddWithValue("@Kelas", Tkelas.Text)
cmd.Parameters.AddWithValue("@Jenis_kelamin", CBjk.Text)
cmd.Parameters.AddWithValue("@Tempat_lahir", Tt4lahir.Text)
cmd.Parameters.AddWithValue("@Tanggal_lahir", ttgllahir.Text)
cmd.ExecuteNonQuery()
meda