
I am trying to create an order form using C# and am attempting to link this order form to an Access database using OleDb in Visual Studio. However, when I attempt to Save an Order to the database I keep getting a syntax exception, as listed below:

Error System.Data.OleDb.OleDbException (0x80040E14): Syntax error in INSERT INTO statement.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteNonQuery()
at AccessLoginApp.OrderForm.btn_Save_Click(Object sender, EventArgs e) in c:\Users\skyscarer\Documents\Visual Studio 2013\Projects\AccessLoginApp\OrderForm.cs: line 214

The offending code which the exception points to seems to be in the btn_Save_Click event. The code for this is displayed below.

private void btn_Save_Click(object sender, EventArgs e)
{
    try
    {
        connection.Open();
        OleDbCommand command = new OleDbCommand();
        command.Connection = connection;
        command.CommandText = "insert into OrderForm(Customer Name, Address, Telephone Number, Post Code) values('" + customerName.Text + "', '" + addrBox.Text + "', '" + telephoneNumber.Text + "', '" + postCode.Text + "')";
        //command.CommandText = "insert into OrderForm (Customer Name, Address, Telephone Number, Post Code, Date Ordered, Due Date, Pick Up / Delivery, Item, Quantity, Size, Price) values ('"+customerName.Text+"', '"+addrBox.Text+"', '"+telephoneNumber.Text+"', '"+postCode.Text+"', '"+dateOrderedBox.Text+"', '"+dueDate.Text+"', '"+cBoxPickDeliver.Text+"', '"+itemBox.Text+"', '"+Quantity.Text+"', '"+sizeBox.Text+"', '"+price.Text+"')";
        command.ExecuteNonQuery();
        MessageBox.Show("Order Inserted into Database");
    }
    catch (Exception ex)
    {
        MessageBox.Show("Error " + ex);
    }
}

However, the line that the exception points to is just the command.ExecuteNonQuery() call, so I am unsure what the exception is trying to say and, as such, am unsure what is wrong with my code. If anybody can help me with this, it would be greatly appreciated. Cheers

  • Do your columns have spaces in them (Customer Name, Telephone Number)? Have you tried searching what this error means? Did you read about escaping object names that contain spaces? – CodeCaster Jul 14 '15 at 11:11
  • Maybe this helps: http://stackoverflow.com/questions/4988770/error-with-dynamically-created-sql-insert-statement?rq=1 – Sebastian Kaupper Jul 14 '15 at 11:14
  • [SQL Injection alert](http://msdn.microsoft.com/en-us/library/ms161953%28v=sql.105%29.aspx) - you should **not** concatenate together your SQL statements - use **parametrized queries** instead to avoid SQL injection – marc_s Jul 14 '15 at 11:16

1 Answer


try:

"insert into OrderForm ([Customer Name], Address, [Telephone Number], [Post Code]) values('" + customerName.Text + "', '" + addrBox.Text + "', '" + telephoneNumber.Text + "', '" + postCode.Text + "')";

Also, you should consider using parameters, since you are open to SQL injection.

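Combining the answer's two points (bracketing the column names that contain spaces, and passing the textbox values as parameters instead of splicing them into the SQL string), here is the same Save handler written with OleDb parameters. This is an added example, not code from the question or the answer; it assumes the same `connection` field and textbox names as the question, and the parameter sizes (255/50/20) are placeholders to be matched to the actual Access column definitions.

```csharp
using System;
using System.Data;
using System.Data.OleDb;
using System.Windows.Forms;

// Assumed: lives in the same OrderForm class as the original handler,
// with the same OleDbConnection field "connection" and textbox controls.
private void btn_Save_Click(object sender, EventArgs e)
{
    // Access requires object names containing spaces to be bracketed.
    // OleDb parameters are positional: each '?' is bound in the order added below.
    const string sql =
        "INSERT INTO OrderForm ([Customer Name], Address, [Telephone Number], [Post Code]) " +
        "VALUES (?, ?, ?, ?)";

    try
    {
        using (OleDbCommand command = new OleDbCommand(sql, connection))
        {
            // Values travel as typed parameters, never as SQL text, so an apostrophe
            // in a name (O'Brien) can neither break the statement nor change its meaning.
            // Sizes are placeholders; match them to the real column widths.
            command.Parameters.Add("@CustomerName", OleDbType.VarWChar, 255).Value = customerName.Text;
            command.Parameters.Add("@Address", OleDbType.VarWChar, 255).Value = addrBox.Text;
            command.Parameters.Add("@Telephone", OleDbType.VarWChar, 50).Value = telephoneNumber.Text;
            command.Parameters.Add("@PostCode", OleDbType.VarWChar, 20).Value = postCode.Text;

            if (connection.State != ConnectionState.Open)
                connection.Open();

            int rows = command.ExecuteNonQuery();
            MessageBox.Show(rows == 1 ? "Order Inserted into Database" : "No row was inserted");
        }
    }
    catch (OleDbException ex)
    {
        // Show only the message; the original handler displayed the whole exception,
        // including the stack trace and local file path, in the UI.
        MessageBox.Show("Database error: " + ex.Message);
    }
    finally
    {
        if (connection.State == ConnectionState.Open)
            connection.Close();
    }
}
```

The parameter names are cosmetic for the Access OLE DB provider; only the order of the `Add` calls relative to the `?` placeholders matters.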