The problem is that the strings I am inserting into the database have spaces within them, but when I try to use square brackets around the string to avoid the "Syntax error (missing operator) in query expression" error, it gives me the error:

No value given for one or more required parameters

```csharp
TblCustomer.CommandTable("INSERT INTO TblCustomer ([CustomerCode],[FirstName]," + 
    "[SecondName],[Topics],[Countries]) Values(['" +
    TblCustomer.StrGenerateRandomCode("TblCustomer",15) + "'],['" + FirstName + "'],['" +
    SecondName+"'],['" + Topic + "'],['" + Country + "]');");
```

Here is the query and everything is spelled correctly because I am able to insert into the table without the square brackets and no spaces within the string I am inserting.

Hiko Haieto
TescoExpress
  • 1
    MySQL does not recognize square braces. Use backticks, if you need to escape the values which you do not. – Gordon Linoff May 24 '17 at 19:14
  • the values should never be in square brackets. if at all, then only the column *names*. tags are not clear: ms-access, sql, t-sql? – Cee McSharpface May 24 '17 at 19:18
  • Sorry forgot to mention but it is not MySQL but Microsoft SQL. – TescoExpress May 24 '17 at 19:19
  • Use parameters to avoid sql injection and formatting issues. And yes, don't put brackets around your values. – LarsTech May 24 '17 at 19:20
  • 3
    Data does not get wrapped in square brackets in MS SQL. Only the columns. Remove the brackets from your VALUES. – Jacob H May 24 '17 at 19:20
  • When I remove the square brackets I get the error "'Syntax error (missing operator) in query expression ''Ses'Ghan','Ronn'Gun Steelarm''.'" – TescoExpress May 24 '17 at 19:22
  • 1
    single quote is a string delimiter. you need to double up single quotes – Jeremy May 24 '17 at 19:23
  • 6
    Forget all that handling with quotes -> **use parameters** or you will be hit by little bobby tables => https://xkcd.com/327/ – Sir Rufo May 24 '17 at 19:24
  • Could you show me a quick example of how you would use parameters instead of the quotes, please? – TescoExpress May 24 '17 at 19:26
  • 1
    See [How can I add user-supplied input to an SQL statement?](https://stackoverflow.com/q/35163361/719186) – LarsTech May 24 '17 at 19:26
  • [Bobby tables](http://bobby-tables.com/csharp) to the rescue – Jacob H May 24 '17 at 19:27
  • btw. there is no column name which would require brackets. no spaces, no reserved word. – Cee McSharpface May 24 '17 at 19:28
  • @JacobH You should avoid AddWithValue it causes trouble sometimes. – Sir Rufo May 24 '17 at 19:29
  • What should I use instead of the AddWithValue? – TescoExpress May 24 '17 at 19:31
  • You should be able to use `AddWithValues` just fine with the values you are using - the only possible exception would be the `StrGenerateRandomCode`, depending on what that is doing. If you do have problems, you can just create [SqlParameters](https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparameter(v=vs.110).aspx) and add that to the command – Mad Myche May 24 '17 at 19:43
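
The parameterized form of the INSERT that the comments recommend, as an added C# example that is not code from the question or from any commenter. It assumes System.Data.SqlClient, NVARCHAR columns with the sizes shown, and a connection string in a hypothetical `CUSTOMER_DB` environment variable; the customer code is passed in where the question calls its own `StrGenerateRandomCode` helper.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class CustomerInsertExample
{
    // Explicit type and size instead of AddWithValue's type inference.
    // Sizes passed in below are assumptions; match them to the real schema.
    static void AddText(SqlCommand cmd, string name, int size, string value)
    {
        cmd.Parameters.Add(name, SqlDbType.NVarChar, size).Value =
            (object)value ?? DBNull.Value;
    }

    public static int InsertCustomer(SqlConnection conn, string customerCode,
        string firstName, string secondName, string topic, string country)
    {
        // The SQL text is constant. Values travel separately from the statement,
        // so spaces and apostrophes need no quoting, doubling or brackets.
        // (SqlClient uses named @markers; System.Data.OleDb uses positional '?'.)
        const string sql =
            "INSERT INTO TblCustomer " +
            "(CustomerCode, FirstName, SecondName, Topics, Countries) " +
            "VALUES (@CustomerCode, @FirstName, @SecondName, @Topics, @Countries);";

        using (var cmd = new SqlCommand(sql, conn))
        {
            AddText(cmd, "@CustomerCode", 15, customerCode);
            AddText(cmd, "@FirstName", 50, firstName);
            AddText(cmd, "@SecondName", 50, secondName);
            AddText(cmd, "@Topics", 100, topic);
            AddText(cmd, "@Countries", 100, country);
            return cmd.ExecuteNonQuery(); // number of rows affected
        }
    }

    static void Main()
    {
        // Hypothetical variable holding the connection string.
        string cs = Environment.GetEnvironmentVariable("CUSTOMER_DB");
        using (var conn = new SqlConnection(cs))
        {
            conn.Open();
            // Names taken from the error message in the comments; the code,
            // topic and country are constructed sample values.
            Console.WriteLine(InsertCustomer(conn, "ABCDEFGHIJKLMNO",
                "Ses'Ghan", "Ronn'Gun Steelarm", "Trade routes", "New Zealand"));
        }
    }
}
```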
