-2

i am trying to add data to my ms access database I watch almost all yt tutorials but its still gives me an error on run time

 private void btn_add_Click(object sender, EventArgs e)
        {
            try
            {
                conn.Open();
                OleDbCommand cmd = conn.CreateCommand();
                cmd.Connection = conn;
                cmd.CommandText = "insert into Employee(Employee ID, Firstname, Lastname, Email, Username, Password)values('" + txt_employee_id.Text + "','" + txt_employee_firstname.Text + "','"
                + txt_employee_lastname.Text + "','" + txt_employee_email.Text + "','" + txt_employee_username.Text + "','" + txt_employee_password.Text + "')";
                cmd.ExecuteNonQuery();
                MessageBox.Show("Record Save", "Access Connected", MessageBoxButtons.OK, MessageBoxIcon.Information);
                conn.Close();
            }
            catch(Exception ex)
            {
                MessageBox.Show(ex.Message, "Access Connected", MessageBoxButtons.OK, MessageBoxIcon.Information);
                conn.Close();
            }
            
        }
Daniel A. White
  • 187,200
  • 47
  • 362
  • 445
XDponce
  • 7
  • 1
  • 6
    use a prepared statement. don't use string concat or your code is vulnerable to sql injection attacks! – Daniel A. White May 06 '23 at 14:27
  • The following may be helpful: https://stackoverflow.com/a/69638011/10024425 – Tu deschizi eu inchid May 06 '23 at 14:34
  • 2
    Your code is open to [SQL injection attacks](https://bobby-tables.com/). You should use parameterized queries instead. Also: NEVER store passwords in plain in a database. Use salted hashes instead. – Klaus Gütter May 06 '23 at 14:39
  • If the given advices didn't help you might tell us what error you get just saying "still gives me an error on run time" isn't that helpful we need the actual error to work with and help you. – Ralf May 06 '23 at 14:47
  • 2
    It apparently gives "an error". Usually such an error (exception) gives some details about the issue. Please add those to your post, but first use parameters - that possibly solves the error already – Hans Kesting May 06 '23 at 15:26

1 Answers1

1

Column names with spaces need to be enclosed in square brackets. Employee ID

cmd.CommandText = "INSERT INTO Employee([Employee ID], Firstname, Lastname, Email, Username, Password) VALUES (?, ?, ?, ?, ?, ?)";
cmd.Parameters.AddWithValue("@p1", txt_employee_id.Text);
cmd.Parameters.AddWithValue("@p2", txt_employee_firstname.Text);
cmd.Parameters.AddWithValue("@p3", txt_employee_lastname.Text);
cmd.Parameters.AddWithValue("@p4", txt_employee_email.Text);
cmd.Parameters.AddWithValue("@p5", txt_employee_username.Text);
cmd.Parameters.AddWithValue("@p6", txt_employee_password.Text);
cmd.ExecuteNonQuery();

And then use parameterized queries instead of concatenating strings to avoid SQL injection attacks.

The ? is a placeholder for parameter values. The parameter value will be passed in at runtime.

And the @p1, @p2, @p3, @p4, @p5, and @p6 are the parameter names, which are associated with their corresponding parameter values using the AddWithValue() method.

This is a common way of preparing SQL statements to avoid SQL injection attacks. You can read more about the SQL Parameters Property

Rand Random
  • 7,300
  • 10
  • 40
  • 88
Wahlstrommm
  • 684
  • 2
  • 7
  • 21
  • 1
    Do not use AddWithValue: [1](https://www.dbdelta.com/addwithvalue-is-evil/), [2](http://chrisrickard.blogspot.com/2007/06/addwithvalue-is-evil.html), [3](https://blogs.msmvps.com/jcoehoorn/blog/2014/05/12/can-we-stop-using-addwithvalue-already/). – Alexander Petrov May 06 '23 at 15:31
  • [cmd.Parameters.Add\(String parameterName, Object value\) is deprecated now. Instead use cmd.Parameters.AddWithValue\(String parameterName, Object value\)](https://stackoverflow.com/a/29554589/724039) – Luuk May 06 '23 at 16:37
  • @Luuk: `Add` is not deprecated - read the comments and the official [documentation](https://learn.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqlparametercollection.add?redirectedfrom=MSDN&view=dotnet-plat-ext-7.0#System_Data_SqlClient_SqlParameterCollection_Add_System_String_System_Object_). However, I think that _broccoli_ is deprecated. – Tu deschizi eu inchid May 06 '23 at 16:42
  • [brocolli](https://i.stack.imgur.com/xSMYy.png) ? And I am not sure what's wrong with the [documentation of AddWithValue](https://learn.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqlparametercollection.addwithvalue?view=dotnet-plat-ext-7.0), it seems like no warning there that it should not be used. – Luuk May 06 '23 at 17:53
  • I'm still having the same error – XDponce May 06 '23 at 22:26
  • 2
    @XDponce but you still haven't told us *what* that error is – Hans Kesting May 09 '23 at 08:37