0

Hello guys, I am learning new things from a book, and today, when I wanted to test the code that I wrote, I received this error:

MySql.Data.MySqlClient.MySqlException: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@gmail.com,  'Bmw0308)' at line 1" 

I don't know how to fix it. It's a program for registration with email and password, and I am using a Console Application (.NET Framework) for it. And yeah, can someone help me? :D

Here is the code:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using MySql.Data.MySqlClient;

namespace Datenbank1
{
    class Program
    {
        static void Main(string[] args)
        {
            string daten = "SERVER = localhost;" +
                           "DATABASE = db;" +
                           "UID = Sarper;" +
                           "PASSWORD = Bmw03082009;";

            Console.Write("E-Mail: ");
            string email = Console.ReadLine();
            Console.Write("Password: ");
            string password = Console.ReadLine();

            MySqlConnection con = new MySqlConnection(daten);

            string command = "INSERT INTO Daten VALUES (" +
                email + ",  '" +
                password + ");";

            MySqlCommand execute = new MySqlCommand(command);

            execute.Connection = con;

            con.Open();
            execute.ExecuteNonQuery();
            con.Close();
        }
    }
}
```
  • Take a look at [this post](https://stackoverflow.com/a/10505999/15204525), it shows you how to build a mysql connection string instead of using string concatenation. It might help rule out formatting issues. – DekuDesu May 27 '21 at 12:57
  • 1
    I think you're missing a `'` after your `password` value. And also use a parameterized query to avoid SQL Injection – Andrei Solero May 27 '21 at 12:57
  • Use [parameters](https://stackoverflow.com/questions/652978/parameterized-query-for-mysql-with-c-sharp) - then a) you don't worry about having to create valid SQL with string concatenation and b) your code isn't vulnerable to SQL injection. – stuartd May 27 '21 at 12:57
  • 1
    `"INSERT INTO Daten VALUES ('" + email + "','" + password + "');";` but please don't do this, use parameters to prevent SQLi and hash the password. – Trevor May 27 '21 at 12:58
  • 1
    HELLO GUYS!!! THANK YOU ALL FOR THE SUPPORT. Now it works! The problem was in the command variable. This is the right solution: `string command = "INSERT INTO Daten VALUES ('" + email + "', '" + password + "');";` I missed many of the ' and yeah, thank you also @zaggler! You helped me a lot – Sarper Eroglu May 27 '21 at 14:12

1 Answer

0

So guys, the problem was that I missed some of these: ' and the only change was in the command variable:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using MySql.Data.MySqlClient;

namespace Datenbank1
{
    class Program
    {
        static void Main(string[] args)
        {
            string daten = "SERVER = localhost;" +
                           "DATABASE = db;" +
                           "UID = Sarper;" +
                           "PASSWORD = Bmw03082009;";

            Console.Write("E-Mail: ");
            string email = Console.ReadLine();
            Console.Write("Password: ");
            string password = Console.ReadLine();

            MySqlConnection con = new MySqlConnection(daten);

            string command = "INSERT INTO Daten VALUES ('" +
                email + "',  '" +
                password + "');";

            MySqlCommand execute = new MySqlCommand(command);

            execute.Connection = con;

            con.Open();
            execute.ExecuteNonQuery();
            con.Close();
        }
    }
}
```
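
The comments under the question recommend parameters and password hashing. The following is an added example, not code from the question or the answer, showing the same registration with a parameterized `INSERT` and a salted PBKDF2 hash. Assumptions: the environment variable name `DATENBANK1_CONNECTION` is hypothetical, the second column of `Daten` is wide enough for about 80 characters, and the project targets .NET Framework 4.7.2 or later (needed for the `HashAlgorithmName` overload).

```csharp
using System;
using System.Security.Cryptography;
using MySql.Data.MySqlClient;

namespace Datenbank1
{
    class Program
    {
        // PBKDF2-SHA256 with a random per-user salt, stored as "iterations.salt.hash".
        // The iteration count is an example value; '.' never occurs in Base64 output.
        static string HashPassword(string password, int iterations = 600000)
        {
            byte[] salt = new byte[16];
            using (var rng = RandomNumberGenerator.Create())
                rng.GetBytes(salt);
            using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
                return iterations + "." + Convert.ToBase64String(salt) + "." +
                       Convert.ToBase64String(kdf.GetBytes(32));
        }

        static void Main(string[] args)
        {
            // Assumption: the connection string is read from a hypothetical
            // environment variable instead of being hard-coded in the source.
            string daten = Environment.GetEnvironmentVariable("DATENBANK1_CONNECTION");

            Console.Write("E-Mail: ");
            string email = Console.ReadLine();
            Console.Write("Password: ");
            string password = Console.ReadLine();

            using (var con = new MySqlConnection(daten))
            using (var execute = new MySqlCommand("INSERT INTO Daten VALUES (@email, @password);", con))
            {
                // Values are sent as parameters, so a quote in the input
                // (e.g. o'brien@example.com) cannot alter the statement.
                execute.Parameters.AddWithValue("@email", email);
                execute.Parameters.AddWithValue("@password", HashPassword(password));

                con.Open();
                execute.ExecuteNonQuery();
            }
        }
    }
}
```

At login, split the stored string on `.`, re-derive the hash with the stored salt and iteration count, and compare the two byte arrays in constant time.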