
I put the code into SSMS and it underlines red the first + sign on the first line and the PatientID next to Convert.ToInt32. The code is large, so I'm only posting half of it since the error is on the first line.

"if not exists (select PatientID from patienttable where PatientID = " + PatientID.Text + ") begin INSERT INTO patienttable VALUES (" + Convert.ToInt32(PatientID.Text) + "','" + OldID.Text + "','"
    + PtLastName.Text
    + "','" + PtPreviousLastName.Text + "','" + PtFirstName.Text +
    "','" + HomeAddress1.Text + "','"
    + HomeAddress2.Text + "','" + HomeCity.Text
    + "','" + HomeStateProvinceRegion.Text + "','"
    + HomeZip.Text + "','" + Country.Text + "','"
    + Citizenship.Text + "','" + PtHomePhone.Text + "','"
    + EmergencyPhoneNumber.Text + "','" +
    PtHomeFax.Text + "','" + Pager.Text + "','" + EmailAddress.Text
    + "','" + PtSS.Text + "','"
    + DOB.Text + "','" + Gender.Text + "','"
    + EthnicAssociation.Text + "','" + Religion.Text + EthnicAssociation.Text + "','" + MaritalStatus.Text + "','"
    + "','" + EmploymentStatus.Text + "','" + HospitalMR.Text + "','" + DateofExpire.Text + "','" + Referral.Text + "','" + CurrentPrimaryHCPId.Text + "','" + Specialist1.Text + "','" + Specialist2.Text + "','" + Specialist3.Text + "','" + Specialist4.Text + "','" + OriginalStaffHCP.Text + "','" + CurrentStaffHCP.Text + "','" + Active.Checked + "','"
    + Comments.Text + "','" + DateEntered.Text
    + "','" + BusinessPhone.Text + "','" + BusinessFax.Text + "','" + SubscriberRelationship.Text + "','" + EmployerID.Text + "','" + NextOfKinID.Text + "','" + PtMiddleInitial.Text + "','" + NextOfKinRelationshipToPatient.Text + "','" + NoticeOfPracticePrivacy.Checked + "','" + NPPDate.Text + "','" + Suffix.Text + "')
  • Ummm.. SSMS doesn't understand C# code... so all the C# in here is flagged as invalid SQL because it's not SQL. You have to convert the variables to whatever their content is as literals. – Erik Funkenbusch Dec 10 '20 at 05:21
  • That's not SQL, that's a non-SQL string (SQL strings are delimited with single quotes). SSMS can't digest that. I'm assuming that this is really some C# code. I'm also guessing that things like `PtFirstName.Text` refer to some sort of UI control's `Text` property. You need to read up on **SQL Injection** vulnerabilities. At the very least you need to be using SQL Parameters, not string concatenation to build your query – Flydog57 Dec 10 '20 at 05:24
  • You had **just asked** the very same question only 2 hours ago, and it was closed - so please **DO NOT** repost the same question over and over and over again - it will be closed over and over again (since it's still a duplicate of previously answered questions here on SO) – marc_s Dec 10 '20 at 05:54
  • Can you show us how you attempted to apply my recommendations from https://stackoverflow.com/questions/17818473/preventing-sql-injection-on-insert ? – mjwills Dec 10 '20 at 06:09
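As an added example (not the asker's code and not from any of the commenters), this is the "insert if the PatientID is absent" statement rewritten with SQL parameters, which is what the comments recommend. It assumes a `patienttable` whose column names match the control names shown in the question (`PatientID`, `OldID`, `PtLastName`, `PtFirstName`; the remaining columns are added the same way) and a connection string read from configuration; the SQL text is then also something SSMS can parse, since it contains no C#.

```csharp
// Added example: parameterized version of the question's IF NOT EXISTS / INSERT.
// Assumptions: column names match the WinForms control names; only four of the
// question's columns are shown, the rest follow the same pattern.
using System;
using System.Data;
using System.Data.SqlClient;

public static class PatientRepository
{
    // Returns true if a row was inserted, false if that PatientID already existed.
    public static bool InsertIfAbsent(string connectionString, string patientIdText,
                                      string oldId, string lastName, string firstName)
    {
        // Validate the numeric field in C#; never paste the raw textbox text into SQL.
        if (!int.TryParse(patientIdText, out int patientId))
            throw new ArgumentException("PatientID must be an integer.", nameof(patientIdText));

        // The SQL text is constant; every user-supplied value travels as a typed parameter,
        // so a quote or a semicolon typed into a textbox is just data, not SQL syntax.
        const string sql = @"
IF NOT EXISTS (SELECT 1 FROM patienttable WHERE PatientID = @PatientID)
BEGIN
    INSERT INTO patienttable (PatientID, OldID, PtLastName, PtFirstName)
    VALUES (@PatientID, @OldID, @PtLastName, @PtFirstName);
END";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@PatientID", SqlDbType.Int).Value = patientId;
            // Empty optional fields become NULL instead of the empty string.
            cmd.Parameters.Add("@OldID", SqlDbType.NVarChar, 50).Value =
                string.IsNullOrEmpty(oldId) ? (object)DBNull.Value : oldId;
            cmd.Parameters.Add("@PtLastName", SqlDbType.NVarChar, 100).Value = lastName;
            cmd.Parameters.Add("@PtFirstName", SqlDbType.NVarChar, 100).Value = firstName;

            conn.Open();
            // ExecuteNonQuery reports rows affected: 1 when the INSERT ran; when the
            // IF branch is skipped no DML runs and the count is not 1.
            return cmd.ExecuteNonQuery() == 1;
        }
    }
}
```

From a form handler the call is `InsertIfAbsent(connStr, PatientID.Text, OldID.Text, PtLastName.Text, PtFirstName.Text)`; to test the statement in SSMS, paste only the SQL text and prefix it with `DECLARE @PatientID int = 1, @OldID nvarchar(50) = N'x', ...` lines for the parameters.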

0 Answers