-4
namespace WindowsFormsApp2
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }
        
        SqlConnection con = new SqlConnection(@"Data Source = (LocalDB)\MSSQLLocalDB; AttachDbFilename=C:\Users\User\Documents\PatientDB.mdf;Integrated Security = True; Connect Timeout = 30");

        private void label1_Click(object sender, EventArgs e)
        {
           Application.Exit();
        }

        private void button1_Click(object sender, EventArgs e)
        {
           con.Open();
           SqlCommand cmd = new SqlCommand("insert into 'Table' values('"
                          + fname.Text + "','"
                          + sname.Text + "',"
                          + age.Text + ",'"
                          + city.Text + "','"
                          + address.Text + "','"
                          + gendercb.Text + "','"
                          + btcb.Text + "','"
                          + phonenum.Text + "')", con);

           cmd.ExecuteNonQuery();

           MessageBox.Show("Patient added successfully");
           con.Close();
        }
    }
}
  • 2
    Is your database table called `Table`? – Hans Kilian May 31 '21 at 20:30
  • Yes, it is called that – Faisel Abdi May 31 '21 at 20:31
  • Remove the apostrophes, so it's `insert into Table values...` – Hans Kilian May 31 '21 at 20:32
  • Still the same issue. I put the apostrophes there because I was getting the error before that as well – Faisel Abdi May 31 '21 at 20:35
  • In SQL Server, if you name something after a reserved word like `Table`, you surround it with brackets (`[Table]`). I don't know about MySql. – Flydog57 May 31 '21 at 20:36
  • `table` is a reserved word in mssql. To use it as identifier you have to enclose it in brackets like `insert into [table] ... ` btw it's quite a bad idea to use reserved words as identifiers. And you shouldn't create queries by string concatenation but use parameterized queries – derpirscher May 31 '21 at 20:38
  • In the future, you really need to spend some time having your code show up as readable code in your question. The `{}` in the editor will indent text 4 spaces (which makes it get formatted as code). Then you need to get rid of extraneous whitespace and get your indentation into a readable form. Your original question had very-hard-to-read code in it. – Flydog57 May 31 '21 at 20:39
  • 1
    MySql uses backticks (`) to allow you to use reserved words. You should really change the name to something else if you can. You'll only get grief by calling it 'table'. – Hans Kilian May 31 '21 at 20:40
  • @Flydog57 He is obviously using `System.Data.SqlClient` thus MSSQL Server. The Mysql tag is wrong – derpirscher May 31 '21 at 20:40
  • 3
    You should also read up on SQL Injection. Otherwise, you will end up with problems like _Little Bobby Tables_ https://bobby-tables.com/ – Flydog57 May 31 '21 at 20:40
  • That worked. Now it doesn't show the error anymore, but the data isn't being saved in the table – Faisel Abdi May 31 '21 at 20:41
  • 1
    At @derpirscher: I spent my time making his code readable. I didn't notice very much else (except the use of `Table` as a table name and the SQL Injection vulnerabilities). I assumed he had tagged the question correctly – Flydog57 May 31 '21 at 20:42
  • I am using system.data.sqlclient. – Faisel Abdi May 31 '21 at 20:42
  • How do you know it's not getting saved in the table? If you execute `Select * from [Table]` in Sql Server Management Studio, do you not see your new data? – Flydog57 May 31 '21 at 20:45
  • I'm using VS, I'm checking it there. I pressed the table to show data and all the values are still null – Faisel Abdi May 31 '21 at 20:50
  • 1
    Other things you should read up on. Both `SqlConnection` and `SqlCommand` implement `IDisposable`. You should look up how to handle Disposable things (including the `using` keyword). In general, the design of `SqlConnection` wants you to instantiate a new connection every time you want to connect. Instead of having a single, reusable private field (like you do now), create a new instance at the top of your `button1_Click` method and dispose it at the bottom – Flydog57 May 31 '21 at 20:51
  • 3
    And use Parameters instead of string concatenation. – Dale K May 31 '21 at 22:01
  • [What are good ways to prevent SQL injection?](https://stackoverflow.com/questions/14376473/what-are-good-ways-to-prevent-sql-injection) –  Jun 01 '21 at 00:08

1 Answer

1

I think the problem seems to be the single quotes around Table Name. If that's not the issue sometimes it is better to write the full SQL Command statement. Try it like this:

INSERT INTO TableName (column1, column2 ...) 
VALUES ("value1", "value2"...)

If you would like to check out a good resource I am attaching a link: https://www.codeproject.com/Questions/459498/SQL-INSERT-statements-in-Csharp

Have a nice day!

marc_s
Deivid Teta
  • Your assumption is correct, but your _quotes_ are wrong in your example, the SQL should have _single quotes_ not double. Double quotes are for strings in the C# context, but in the SQL statement they need to be single. – Chris Schaller Jun 01 '21 at 05:33
  • 1
    Your assumption is correct, but removing the quotes won't help in this special case because the table is literally named `Table` which is a reserved word in MSSQL. To use it as an identifier (which btw. is quite a bad idea), you have to enclose it in brackets like `INSERT INTO [Table] ... ` – derpirscher Jun 01 '21 at 07:09
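
The comments on the question recommend three changes together: bracket the reserved name as `[Table]`, pass values as parameters instead of concatenating them, and create and dispose the connection per call with `using`. The following is an added example combining them, not code from the asker or any commenter; the `PatientRepository` class, its method and argument names, and the column types and sizes are assumptions, and the values stay positional as in the question because the page does not give the column names.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example. PatientRepository and the NVarChar sizes are assumptions;
// the connection string is the one shown in the question.
public static class PatientRepository
{
    private const string ConnectionString =
        @"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\User\Documents\PatientDB.mdf;Integrated Security=True;Connect Timeout=30";

    // Returns the number of rows inserted (1 on success).
    public static int AddPatient(string firstName, string surname, string ageText,
        string city, string address, string gender, string bloodType, string phone)
    {
        // The question concatenates age unquoted, so the column is numeric:
        // validate it in code instead of letting raw text reach the query.
        if (!int.TryParse(ageText, out int age) || age < 0 || age > 150)
            throw new ArgumentException("Age must be a whole number between 0 and 150.", nameof(ageText));

        // [Table] is bracketed because TABLE is a reserved word in SQL Server.
        // Values are positional, so their order must match the table's column order.
        const string sql =
            "INSERT INTO [Table] VALUES " +
            "(@fname, @sname, @age, @city, @address, @gender, @bloodType, @phone)";

        // New connection per call; using disposes both objects even on exceptions.
        using (var con = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Parameter values are sent separately from the SQL text, so input
            // containing an apostrophe (O'Brien) or SQL syntax is stored as data.
            cmd.Parameters.Add("@fname", SqlDbType.NVarChar, 50).Value = firstName;
            cmd.Parameters.Add("@sname", SqlDbType.NVarChar, 50).Value = surname;
            cmd.Parameters.Add("@age", SqlDbType.Int).Value = age;
            cmd.Parameters.Add("@city", SqlDbType.NVarChar, 50).Value = city;
            cmd.Parameters.Add("@address", SqlDbType.NVarChar, 200).Value = address;
            cmd.Parameters.Add("@gender", SqlDbType.NVarChar, 20).Value = gender;
            cmd.Parameters.Add("@bloodType", SqlDbType.NVarChar, 5).Value = bloodType;
            cmd.Parameters.Add("@phone", SqlDbType.NVarChar, 30).Value = phone;

            con.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

From `button1_Click`, call `PatientRepository.AddPatient(fname.Text, sname.Text, age.Text, city.Text, address.Text, gendercb.Text, btcb.Text, phonenum.Text)` and show the success message only when it returns 1.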