0

I have an easy insert query, but visual studio return "Syntax error in INSERT INTO command", i copy+paste the exact same query in the db (access) and it work... Any help??

 public void Create(string mail, string nickname, string password, string avatar)
    {
        OleDbConnection cn = new OleDbConnection(_connectionString);
        OleDbCommand cmd = new OleDbCommand();
        try
        {

            String PwdSHA256;
            SHA256 mySHA256 = SHA256.Create();
            byte[] hashValue = mySHA256.ComputeHash(Encoding.UTF8.GetBytes(password));
            StringBuilder builder = new StringBuilder();
            for (int i = 0; i < hashValue.Length; i++)
            {
                builder.Append(hashValue[i].ToString("x2"));
            }
            PwdSHA256 = builder.ToString();

            cn.Open();
            cmd.Connection = cn;
            cmd.CommandType = CommandType.Text;
            cmd.CommandText = "INSERT INTO utenti ([email],[nickname],[password],[avatar],[attivo]) " +
                "VALUES ('" + mail + "', '" + nickname + "', '" + PwdSHA256 + "','', false)";

            cmd.ExecuteNonQuery();
        }
        catch (Exception ex)
        {
            System.Web.HttpContext.Current.Session["errore"] = ex;
            System.Web.HttpContext.Current.Response.Redirect("ErrorPage.aspx");
            this._errore = ex.Message;
        }
        finally
        {
            cmd = null;
            cn.Close();
        }
    }
Pᴇʜ
  • 56,719
  • 10
  • 49
  • 73
Andrea Barberis
  • 3
  • 2
  • 10
    use **parameterised statements** or enjoy your SQL injection attacks. – Franz Gleichmann Dec 21 '19 at 12:06
  • First, `false` is not a boolean in your insert but a string. Second, what @FranzGleichmann says. – VDWWD Dec 21 '19 at 12:17
  • 3
    Any programmer that works with user data will eventually learn about [Bobby Tables](https://bobby-tables.com/). More [here](https://stackoverflow.com/q/7505808/4003419) – LukStorms Dec 21 '19 at 12:50

2 Answers2

0

  1. Using SQL queries directly in your code is not a good coding practice, use SQL procedures and pass the parameters to SQL.

  2. And be clear, the error you are facing is an execution time error or a compilation.

  3. Use dbo.Your_DB_Name.utenti or Your_DB_Name.utenti instead of utenti.

  4. Wrap up your 'false'

  5. Are you still using PwdSHA256 encryption

Thrainder
  • 77
  • 1
  • 10
-1

Maybe you should change

 cmd.CommandText = "INSERT INTO utenti (email,nickname,password,avatar,attivo) " +
            "VALUES ('" + mail + "', '" + nickname + "', '" + PwdSHA256 + "','', false)";

And make sure your column in database is same with your query

Stepanus Ryan
  • 3
  • 4