C# SQL insert query syntax error with MS Access

Question

I am trying to perform an insert query in C# but it keeps telling me syntax error in insert into statement.

Here is my query:

Checks.SQL.Insert(mydb, "SELECT * FROM Employee", "INSERT INTO Employee(First_Name,Last_Name,Email,CellPhone_Number,TypeOfUser,Username,Password) VALUES('" + txtFirstName.Text + "','" + txtLastName.Text + "','" + txtEmail.Text + " ', '" + txtCellphone.Text + "'," + typeId + ",'"+Encrypcion.encrypt(txtUsername.Text)+"','"+Encrypcion.encrypt(txtPassword.Text)+"' )");

Here is my checks insert function

 public static void Insert(OleDbConnection mydb, string SelectQuery, string InsertQuery)
 {
     mydb.Open();

     OleDbDataAdapter query2 = new OleDbDataAdapter(SelectQuery, mydb);
     OleDbCommand cmd = new OleDbCommand(InsertQuery, mydb);

     query2.InsertCommand = cmd;
     query2.InsertCommand.ExecuteNonQuery();
     mydb.Close();
}

Here is a picture of my InsertQuery with input data as example:

enter image description here

See a picture of my table info:

Possible duplicate of [What are good ways to prevent SQL injection?](https://stackoverflow.com/questions/14376473/what-are-good-ways-to-prevent-sql-injection) — mjwills, Aug 10 '18 at 11:47
What is `Checks.SQL.Insert` function doing and also I would maybe try storing your Insert SQL statement into a string and printing that to provide to us. It may be easier to spot your error this way. — Dan Scott, Aug 10 '18 at 11:51
I am only creating this for a university project and it is only for my personal use so am not too worried about sql injection at the moment. It just keeps saying syntax error but cant figure out why — Richard Teunen, Aug 10 '18 at 11:51
Say hi to Bobby Tables. Now in a more serious manner, your problem could be caused because you are doing a insert in a way you should not be doing, your code is vulnerable to SQL Injection and could cause SQL errors depending on the user input. Do note that **with** **parametrized** **queries** **is** **easier** **to** **write** **SQL** **and** **you** **get** **a** **more** **clean** **SQL** **to** **review** **in** **case** **something** **fails**. — Cleptus, Aug 10 '18 at 11:52
I unfortunately have only ever learned this way and am just starting out with sql so am relatively inexperienced. I have done may validations to ensure fair input within the code and this had worked in all my previous insert statements itis simply this one that is giving me issues — Richard Teunen, Aug 10 '18 at 11:59
@RichardTeunen If you just started learning, you should follow the link in the first comment and learn how to make it better ... Show us what the query looks like with all substitiutions and the exact error message — derpirscher, Aug 10 '18 at 12:02
in your `Insert` function maybe do `Console.WriteLine(InsertQuery)` and report back with what that produces and we can help to find your mistake :) — Dan Scott, Aug 10 '18 at 12:03
"I have done may validations to ensure fair input within the code" - it would have been quicker and easier and safer to parameterize... but: the first thing to do here is to *find out what the actual string is*, once concatenated. When you have that, log it, and look at it to find the problem... note: you're actually add a space to the end of the email. But: proper parameters would simply fix this. Also: you shouldn't ever *encrypt* a password (unless you are writing a password manager); you should *hash it* (salted) — Marc Gravell, Aug 10 '18 at 12:03
Additional note: my friend D'Arcy O'Neal is sad that she can't use your app :( — Marc Gravell, Aug 10 '18 at 12:06
It's pretty likely that one of the string fields contains a `'` character. or `typeId` is converted into a local numberformat which for instance uses a `,` as decimal separator or uses a thousands-separator ... — derpirscher, Aug 10 '18 at 12:08

score 2 · Answer 1 · answered Aug 10 '18 at 12:15

2

Password is a reserved word in Access, so:

"INSERT INTO Employee(First_Name,Last_Name,Email,CellPhone_Number,TypeOfUser,Username,[Password]) .."

answered Aug 10 '18 at 12:15

Gustav

53,498
7
29
55

C# SQL insert query syntax error with MS Access

1 Answers1