System.Data.SqlClient.SqlException: 'Incorrect syntax near '2'.'

Question

Im trying to insert this test data in my sql database and I'm getting this error: System.Data.SqlClient.SqlException: 'Incorrect syntax near '2'.'

Any ideas how to solve this?

DateTime date = DateTime.Now;

string test = "{'payload': {'businessName': 'COMPANY1', 'subscriberName': 'JOHN DOE', 'accountNumber': 'CY68005000121234567890123456', 'numberOfRecords': 1," +
    "'currentBalance': 4195.5, 'transactions': [{'transactionNumber': 'TR00000000','sequenceNumber': '000','transactionCode': '305','actualDateTime': '201812041624'," +
    "'transactionValueDate': '2018-12-04', 'transactionCurrencyCode': 'EUR', 'transactionAmount': -1149.5, 'balance': 4195.5, 'chequeNo': '', 'depositedBy': 'CY68005000121234567890123456'," +
    "'customerReference': 'uniqueValue', 'paymentNotes': 'NOTES', 'exchangeRate': 0}]}, 'errors': null}";
trans = JsonConvert.DeserializeObject<HB_transactions>(test);

for (int i=0; i<trans.payload.transactions.Count; i++)
{
    string query = "SELECT TransactionId FROM AABankTransTable";
    SqlCommand cmd = new SqlCommand(query, con);
    SqlDataReader dataReader = cmd.ExecuteReader();

    bool exists = false;

    while(dataReader.Read())
    {
        if(dataReader[0].ToString() == trans.payload.transactions[i].transactionNumber)
        {
            exists = true;
            break;
        }
    }

    dataReader.Close();

    if (exists) continue;

    query = "INSERT INTO AABankTransTable " +
        "(TransactionId, Bank, ComID, Currency, Amount, DownloadDate, Processed, CreditorName, RemittanceDetails, ValueDate)" +
        "VALUES ('" + trans.payload.transactions[i].transactionNumber + "', 'HB', " + args[0] + ", '" + trans.payload.transactions[i].transactionCurrencyCode + "', " +
        trans.payload.transactions[i].transactionAmount + ", " + date + ", 0, '" + trans.payload.transactions[i].depositedBy + "', '" +
        trans.payload.transactions[i].paymentNotes + "', " + DateTime.Parse(trans.payload.transactions[i].transactionValueDate) + ")";

    cmd = new SqlCommand(query, con);
    cmd.ExecuteNonQuery();

Answer 1

Solved by using SQL parameters instead of string concatenation.

query = "INSERT INTO AABankTransTable " +
                    "(TransactionId, Bank, ComID, Currency, Amount, DownloadDate, Processed, CreditorName, RemittanceDetails, ValueDate)" +
                    "VALUES (@TransID, 'HB', @COMID, @curr, @amount, @dlDate, 0, @depositor, @Details, @TransDate)";

                cmd = new SqlCommand(query, con);
                cmd.Parameters.AddWithValue("@TransID", trans.payload.transactions[i].transactionNumber);
                cmd.Parameters.AddWithValue("@COMID", args[0]);
                cmd.Parameters.AddWithValue("@curr", trans.payload.transactions[i].transactionCurrencyCode);
                cmd.Parameters.AddWithValue("@amount", trans.payload.transactions[i].transactionAmount);
                cmd.Parameters.AddWithValue("@dlDate", date);
                cmd.Parameters.AddWithValue("@depositor", trans.payload.transactions[i].depositedBy);
                cmd.Parameters.AddWithValue("@Details", trans.payload.transactions[i].paymentNotes);
                cmd.Parameters.AddWithValue("@TransDate", DateTime.Parse(trans.payload.transactions[i].transactionValueDate));
                cmd.ExecuteNonQuery();