am having this error but i cant find the error

Question

i am having this error when running my application:

The name "DHR32S" is not permitted in this context. Valid expressions are constants, constant expressions, and (in some contexts) variables. Column names are not permitted.

here is my code:

c2.command("insert into haraki_item values(" + iddd + ",'Selling Facture','" + itemid + "','" + name + "'," + lasttotal + "," + balancee + ",'" + date + "')");

"DHR32S" is the itemid

chances are your item contains something you dont expect such as a number with a comma in? this is why you should use parameters - let alone the whole sql injection reasons — BugFinder, Nov 29 '17 at 09:27
Possible duplicate of [What are good ways to prevent SQL injection?](https://stackoverflow.com/questions/14376473/what-are-good-ways-to-prevent-sql-injection) — mjwills, Nov 29 '17 at 09:34

score 1 · Answer 1 · edited Nov 29 '17 at 09:47

1

You SHOULD always use parameters, for lot of reasons. Here you are missing quotes around concatenated values.

 values(" + iddd + ", //<--you are missing quotes around idd

Try with parameters:

c2.command("insert into haraki_item values(@iddd ,@SellingFacture,@itemid ...
command.Parameters.AddWithValue(@iddd,iddd);
command.Parameters.AddWithValue(@SellingFacture,SellingFacture);
....

edited Nov 29 '17 at 09:47

mjwills

23,389
6
40
63

answered Nov 29 '17 at 09:35

apomene

14,282
9
46
72

the iddd is int values not string so i must not use quotes for it – Hadi Kassem Nov 29 '17 at 09:45
1

Either way, the second code block is what you should be doing (i.e. using `Parameters`). – mjwills Nov 29 '17 at 09:47

am having this error but i cant find the error

1 Answers1