Add path to SQL Server using c#

Question

I tried adding a file path to SQL Server from a C# application and that this exception that appeared :

An unhandled exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll

Additional information: Incorrect syntax near 'C:\Users\Misfen\Desktop\image.jpg'.

private void button9_Click(object sender, EventArgs e)
{
    OpenFileDialog dlg = new OpenFileDialog();
    dlg.Filter = "JPG FILES (*.jpg)|*.jpg|JPEG FILES (*.jpeg)|*.jpeg|PNG FILES (*.png)|*.png";

    if (dlg.ShowDialog() == DialogResult.OK)
    {
        string picpath = dlg.FileName.ToString();
        listBox2.Items.Add(picpath);

    }
}

private void button5_Click(object sender, EventArgs e)
{
    OpenFileDialog dlg = new OpenFileDialog();
    dlg.Filter = "JPG FILES (*.jpg)|*.jpg|JPEG FILES (*.jpeg)|*.jpeg|PNG FILES (*.png)|*.png|PDF FILES (*.pdf)|*.pdf|DOC FILES (*.doc)|*.doc";

    if (dlg.ShowDialog() == DialogResult.OK)
    {
        string picpath = dlg.FileName.ToString();
        textBox4.Text = picpath;
    }
}

private void button6_Click(object sender, EventArgs e)
{
    OpenFileDialog dlg = new OpenFileDialog();
    dlg.Filter = "JPG FILES (*.jpg)|*.jpg|JPEG FILES (*.jpeg)|*.jpeg|PNG FILES (*.png)|*.png|PDF FILES (*.pdf)|*.pdf|DOC FILES (*.doc)|*.doc";

    if (dlg.ShowDialog() == DialogResult.OK)
    {
        string picpath = dlg.FileName.ToString();
        textBox5.Text = picpath;
    }
}

private void button7_Click(object sender, EventArgs e)
{
    OpenFileDialog dlg = new OpenFileDialog();
    dlg.Filter = "JPG FILES (*.jpg)|*.jpg|JPEG FILES (*.jpeg)|*.jpeg|PNG FILES (*.png)|*.png";

    if (dlg.ShowDialog() == DialogResult.OK)
    {
        string picpath = dlg.FileName.ToString();
        listBox1.Items.Add(picpath);
    }    
}

C# code :

String req = "insert into dommage_materiel values(" + textBox1.Text + ",'" + richTextBox2.Text + "','" + richTextBox1.Text + "','" + textBox3.Text + "','" + dateTimePicker1.Value + "','" + richTextBox3.Text + "','" + textBox2.Text + "','" + textBox4.Text.ToString() + "','" + textBox5.Text.ToString() + "'";

SqlCommand cmd = new SqlCommand(req, cnx);

cnx.Open();
cmd.ExecuteNonQuery();
cnx.Close();

for (int i = 0; i < listBox1.Items.Count; i++)
{
    SqlCommand cmd2 = new SqlCommand("insert into photo_domage values ('"+textBox1.Text+"','"+listBox1.Items[i].ToString()+"')", cnx);

    cnx.Open();
    cmd2.ExecuteNonQuery();
    cnx.Close();
}

for (int i = 0; i < listBox2.Items.Count; i++)
{
    SqlCommand cmd2 = new SqlCommand("insert into fichier_domage values ('" + textBox1.Text + "','" + listBox1.Items[i].ToString() + "')", cnx);

    cnx.Open();
    cmd2.ExecuteNonQuery();
    cnx.Close();
}

SQL code :

create table dommage_materiel
(
     num varchar(30) primary key,
     object_sistre varchar(500),
     discription varchar(1500),
     lieux varchar(100), 
     date_inci date, 
     domage varchar(50), 
     estimation varchar(30), 
     pv nvarchar(150), 
     facture nvarchar(1500)
)

create table photo_domage
(
     num varchar(30) foreign key references dommage_materiel (num), 
     ref nvarchar(1500)
)

create table fichier_domage 
(
     num varchar(30) foreign key references dommage_materiel (num),
     ref nvarchar(1500)
)

Recommended reading - http://stackoverflow.com/questions/7505808/why-do-we-always-prefer-using-parameters-in-sql-statements — Eugene Podskal, Mar 07 '16 at 19:38
[SQL Injection alert](http://msdn.microsoft.com/en-us/library/ms161953%28v=sql.105%29.aspx) - you should **not** concatenate together your SQL statements - use **parametrized queries** instead to avoid SQL injection — marc_s, Mar 07 '16 at 19:46

score 4 · Answer 1 · edited May 23 '17 at 10:27

4

You forgot two single quotes around the first value, and there is also a closing bracket missing.

Just replace

insert into dommage_materiel values(" + textBox1.Text + ",

with

insert into dommage_materiel values('" + textBox1.Text + "', .... ");

Anyway, I strongly recommended you to make use of Sql Parameters. Here is a good and short explanation.

edited May 23 '17 at 10:27

Community

1
1

answered Mar 07 '16 at 19:42

Marc

3,905
4
21
37

Yes , thank you i didn't notice that but the same problem still apears – Ayvin Mar 07 '16 at 20:18
There is also a closing bracket missing at the end. – Marc Mar 07 '16 at 20:32
Alright, I have updated my answer. You're welcome :-) – Marc Mar 07 '16 at 20:41
Please close the question by mark it as answered, if that helped you. – Marc Mar 17 '16 at 12:04

Add path to SQL Server using c#

1 Answers1