-1

I tried to insert data in DB using 3 tire architecture in c# .NET but getting the following error.

Error:

Server Error in '/3tweb' Application.

Incorrect syntax near the keyword 'User'.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.Data.SqlClient.SqlException: Incorrect syntax near the keyword 'User'.

Source Error: 


Line 25:             objconn.Open();
Line 26:             SqlCommand objcmd = new SqlCommand(sqlstring, objconn);
Line 27:             objcmd.ExecuteNonQuery();
Line 28:         }
Line 29:         public DataSet LoadCustomerDB()

Source File: C:\ASP project\3tweb\DataLayer\Class1.cs    Line: 27

My DataLayer file is given below.

Class1.cs:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
namespace DataLayer
{
    public class clsDalLayer
    {
        SqlConnection objconn = new SqlConnection(ConfigurationManager.ConnectionStrings["conn"].ToString());
        private DataSet ExecuteSql(string sqlcmd)
        {
            DataSet ds = new DataSet();
            objconn.Open();
            SqlCommand objcmd = new SqlCommand(sqlcmd, objconn);
            SqlDataAdapter objadp = new SqlDataAdapter(objcmd);
            objadp.Fill(ds);
            objconn.Close();
            return ds;
        }
        private void InsertUpdateDeleteSQLString(string sqlstring)
        {
            objconn.Open();
            SqlCommand objcmd = new SqlCommand(sqlstring, objconn);
            objcmd.ExecuteNonQuery();
        }
        public DataSet LoadCustomerDB()
        {
            DataSet ds = new DataSet();
            string sql = "SELECT id,Name,Username,Age from Person ";
            sql +="order by id DESC ";
            ds = ExecuteSql(sql);
            return ds;
        }
        public void AddNewUser(string username, string userpass)
        {
            DataSet ds = new DataSet();
            string sql = "INSERT into User (username,password) VALUES ('" + username + "','" + userpass + "')";
            InsertUpdateDeleteSQLString(sql);

        }

    }
}

Here my story is i want to insert data into DB from view.AddNewUser method is called from business layer with two value.When the sql query is executing i am getting this type of error.So please help me to resolve this error.

satya
  • 3,508
  • 11
  • 50
  • 130
  • 1
    Never ever create your query like this: `string sql = "INSERT into User (username,password) VALUES ('" + username + "','" + userpass + "')"`, because you are vulnerable to [SQL injection attack](https://en.wikipedia.org/wiki/SQL_injection) – dotnetom Jun 23 '15 at 07:08

2 Answers2

6

The problem is that user is a reserved keyword in SQL Server. You need to escape it.

This is the statement in error:

INSERT into User

And you should escape it like this:

INSERT into [User]

Also, you should parameterize your SQL statement, since you are now option to SQL injection!

Community
  • 1
  • 1
Patrick Hofman
  • 153,850
  • 22
  • 249
  • 325
2

Try to use User as

INSERT into [User]

instead of

INSERT into User

User is a reserved keyword in Sql Server

On a side note: Your code is prone to SQL Injection, try to use parameterize SQL query.

Rahul Tripathi
  • 168,305
  • 31
  • 280
  • 331