
I am not able to find what is wrong with my syntax:

SqlConnection conn = new SqlConnection(connstr);
conn.Open();
            
SqlCommand cmd = new SqlCommand("INSERT INTO [dbo].[Labeler_Email_For_Confirmation_Agents] (Id, Response) VALUES (" +  TempData["id"] + "  ,  " + Correctornot + ");");

cmd.CommandType = System.Data.CommandType.Text;
cmd.Connection = conn;

cmd.ExecuteReader();

I don't understand: what is my syntax error? connstr is my connection string and Correctornot is the value received from the button, i.e. the button value.

marc_s
crazysra

3 Answers


If Response is of type varchar/string, you need to surround the value with ':

SqlCommand cmd = new SqlCommand(" INSERT INTO [dbo].[Labeler_Email_For_Confirmation_Agents] ( Id , Response ) VALUES ( " +  TempData["id"] + "  ,  '"+ Correctornot + "'  );" );

That said, you should really be using parameters as best practice.

Aman B

You need to add single quotes around the second parameter value to fix this:

SqlCommand cmd = new SqlCommand(" INSERT INTO [dbo].[Labeler_Email_For_Confirmation_Agents] ( Id , Response ) VALUES ( " +  TempData["id"] + "  ,  '"+ Correctornot + "'  );" );

But, apart from the fact that this code is open to SQL injection attacks, it will still fail if the text in the Correctornot variable itself contains a single quote, and it is a big NO-NO.

Check this to see sample code of how you can parameterise the query.

Kedar
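As an added example (not code from the question or from any of the answers), here is the same INSERT written with parameters, which fixes both the missing-quote error and the injection problem. It assumes TempData["id"] holds an integer and that Response is a varchar(50); the column length is an assumption.

```csharp
// Added example: parameterised version of the INSERT from the question.
// Assumes TempData["id"] is an integer and Response is varchar(50) (length assumed).
using System;
using System.Data;
using System.Data.SqlClient;

public static class ConfirmationRepository
{
    // Returns the number of rows inserted (1 on success).
    public static int InsertResponse(string connstr, object rawId, string correctOrNot)
    {
        // Validate the id up front instead of letting garbage reach the database.
        if (!int.TryParse(Convert.ToString(rawId), out int id))
        {
            throw new ArgumentException("id must be an integer", nameof(rawId));
        }

        // The SQL text is a constant: user values are never concatenated into it.
        const string sql =
            "INSERT INTO [dbo].[Labeler_Email_For_Confirmation_Agents] (Id, Response) " +
            "VALUES (@Id, @Response);";

        using (var conn = new SqlConnection(connstr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed parameters are sent separately from the statement, so a quote
            // inside correctOrNot is plain data, not part of the SQL.
            cmd.Parameters.Add("@Id", SqlDbType.Int).Value = id;
            cmd.Parameters.Add("@Response", SqlDbType.VarChar, 50).Value =
                (object)correctOrNot ?? DBNull.Value;

            conn.Open();
            // INSERT returns no result set, so ExecuteNonQuery is the right call here.
            return cmd.ExecuteNonQuery();
        }
    }
}

// Usage from the controller in the question:
// int rows = ConfirmationRepository.InsertResponse(connstr, TempData["id"], Correctornot);
```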

Please try

SqlCommand cmd = new SqlCommand("INSERT INTO [dbo].[Labeler_Email_For_Confirmation_Agents] (Id, Response) VALUES (" +  TempData["id"].ToString() + "  ,  " + Correctornot.ToString() + ");");
Anil