0

MySql.Data.MySqlClient.MySqlException: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order' at line 1'"

my get and post methods in my web api are not working but all the other get methods for the other classes are working and they apply the same principle i get the error form above

my code is as follows:

 public long saveOrder(Order o)
    {
        //creating connection string and linking it to the db
        MySql.Data.MySqlClient.MySqlConnection connection;
        string connString = ConfigurationManager.ConnectionStrings["dblocal"].ConnectionString;
        connection = new MySql.Data.MySqlClient.MySqlConnection();

        try
        {
            //opening the connection
            connection.ConnectionString = connString;
            connection.Open();

            String strsql = "INSERT INTO order (user_id_order,order_date,order_status,product_id_order,car_regplate,estimated_arrival,supplier_id_order,driver_id_order) VALUES(" + o.User_Id_Order + ",'" + o.Order_Date.ToString("yyyy-MM-dd HH:mm:ss") + "','" + o.Order_Status + "'," + o.Product_Id_Order + ",'" + o.Car_RegPlate + "','" + o.Estimated_Arrival.ToString("yyyy-MM-dd HH:mm:ss") + "'," + o.Supplier_Id_Order + "," + o.Driver_Id_Order + ")";

            MySql.Data.MySqlClient.MySqlCommand command = new MySql.Data.MySqlClient.MySqlCommand(strsql, connection);

            command.ExecuteNonQuery();

            long cId = command.LastInsertedId;

            return cId;


        }
        catch (MySql.Data.MySqlClient.MySqlException e)
        {

            throw e;

        }
        finally
        {

            connection.Close();

        }

    }

    //helper method for GET
    //function to retrieve a user from the db using select statement
    public Order getOrder(long id)
    {
        //creating connection string and linking it to the db
        MySql.Data.MySqlClient.MySqlConnection connection;
        string connString = ConfigurationManager.ConnectionStrings["dblocal"].ConnectionString;
        connection = new MySql.Data.MySqlClient.MySqlConnection();

        try
        {
            //opening connection
            connection.ConnectionString = connString;
            connection.Open();

            Order o = new Order();

            //declaration of reader
            MySql.Data.MySqlClient.MySqlDataReader reader = null;

            String strsql = "";

            //select statement to select what we are retrieving
            strsql = "SELECT * FROM order WHERE order_id = " + id.ToString();

            //command for connection
            MySql.Data.MySqlClient.MySqlCommand command = new MySql.Data.MySqlClient.MySqlCommand(strsql, connection);

            //retrieves what comes back form execute reader
            reader = command.ExecuteReader();

            if (reader.Read())
            {
                //gets the first integer that came back and assigns it to user id
                o.Order_Id = reader.GetInt32(0);
                o.User_Id_Order = reader.GetInt32(1);
                o.Order_Date = reader.GetDateTime(2);
                o.Order_Status = reader.GetString(3);
                o.Product_Id_Order = reader.GetInt32(4);
                o.Car_RegPlate = reader.GetString(5);
                o.Estimated_Arrival = reader.GetDateTime(6);
                o.Supplier_Id_Order = reader.GetInt32(7);
                o.Driver_Id_Order = reader.GetInt32(8);

                return o;

            }
            else
            {
                return null;
            }


        }
        catch (MySql.Data.MySqlClient.MySqlException e)
        {

            throw e;

        }
        finally
        {

            connection.Close();

        }

    }

    //helper method for GET
    //function to retrieve all users from the db using select statement
    public ArrayList getOrders()
    {
        //creating connection string and linking it to the db
        MySql.Data.MySqlClient.MySqlConnection connection;
        string connString = ConfigurationManager.ConnectionStrings["dblocal"].ConnectionString;
        connection = new MySql.Data.MySqlClient.MySqlConnection();

        try
        {
            //opening the connection
            connection.ConnectionString = connString;
            connection.Open();

            ArrayList oArraylist = new ArrayList();

            //declaration of reader
            MySql.Data.MySqlClient.MySqlDataReader reader = null;

            String strsql = "";

            //select statement to select what we are retrieving
            strsql = "SELECT * FROM order";

            //command for connection
            MySql.Data.MySqlClient.MySqlCommand command = new MySql.Data.MySqlClient.MySqlCommand(strsql, connection);

            //retrieves what comes back form execute reader
            reader = command.ExecuteReader();

            while (reader.Read())
            {
                Order o = new Order();

                //gets the first integer that came back and assigns it to user id
                o.Order_Id = reader.GetInt32(0);
                o.User_Id_Order = reader.GetInt32(1);
                o.Order_Date = reader.GetDateTime(2);
                o.Order_Status = reader.GetString(3);
                o.Product_Id_Order = reader.GetInt32(4);
                o.Car_RegPlate = reader.GetString(5);
                o.Estimated_Arrival = reader.GetDateTime(6);
                o.Supplier_Id_Order = reader.GetInt32(7);
                o.Driver_Id_Order = reader.GetInt32(8);

                oArraylist.Add(o);

            }

            return oArraylist;


        }
        catch (MySql.Data.MySqlClient.MySqlException e)
        {

            throw e;

        }
        finally
        {

            connection.Close();

        }

    }
usersean
  • 1
  • 1
    If order is your table name, it is possible, that there is the problem, because ORDER is a reserved keyword in SQL. Try to enclosure your table name in "[]" like this: "INSERT INTO [order] ..." – TheTanic Aug 10 '21 at 08:00
  • In Addition take a look here, to preven sql injections: https://stackoverflow.com/questions/14376473/what-are-good-ways-to-prevent-sql-injection – TheTanic Aug 10 '21 at 08:02
  • https://stackoverflow.com/questions/14376473/what-are-good-ways-to-prevent-sql-injection – mjwills Aug 10 '21 at 08:05
  • Or enclose the `order` table in this ` - a backtick like this `\`order\`` – Kuro Neko Aug 10 '21 at 08:11
  • You should also use parametrized queries, that would avoid error caused because of string concatenation (and SQL injection vulnerabilities) – Cleptus Aug 10 '21 at 08:19
  • 1
    Does this answer your question? [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) It's for PHP but the principle is the same: **use parameters** – Charlieface Aug 10 '21 at 12:30
  • Also you should dispose your connection and command with `using` blocks – Charlieface Aug 10 '21 at 12:30

0 Answers0