0

I have a very basic and beginner problem. I got a 5 line code and I got exception in that.

My database : Table -> id,name

It has one table and two columns inside the table viz. id and name. I made a form.

Here is my code:

private void button1_Click(object sender, EventArgs e)
{
    SqlConnection conn = new SqlConnection("Data Source=(LocalDB)\\v11.0;AttachDbFilename=\"C:\\Users\\Nicki\\documents\\visual studio 2012\\Projects\\WindowsFormsApplication2\\WindowsFormsApplication2\\Database2.mdf\";Integrated Security=True");
    conn.Open();
    SqlCommand command = new SqlCommand("INSERT INTO Table (id,name) VALUES (1,'" + textBox1.Text + "')", conn);
    command.ExecuteNonQuery();
    conn.Close();

}

I get the following exception on running the code:

It says that I have syntax error even though the syntax error is correct. Any help would be appreciated.

Thankyou!

user1735921
  • 1,359
  • 1
  • 21
  • 46
  • 5
    Table and Name are probably keywords. I would avoid using them. Also, use parameters to avoid sql injection. – LarsTech Nov 18 '14 at 20:25
  • @LarsTech I was wondering this too. I've personally never tried creating a table named `Table` and I can only envision it not being legal. Can anyone confirm? – Drew Kennedy Nov 18 '14 at 20:26
  • 1
    Try to embed your names between [...] – labilbe Nov 18 '14 at 20:27
  • 1
    There is a very cute [xkcd](http://xkcd.com/327/) that explains this line of your code: `'" + textBox1.Text + "'` – Sergey Kalinichenko Nov 18 '14 at 20:27
  • 1
    If you really want to use 'Table' as the name of you table in SQL server, wrap it in square brackets -- ie: `SqlCommand command = new SqlCommand("INSERT INTO [Table] (id,name) VALUES (1,'" + textBox1 + "')", conn);` – codechurn Nov 18 '14 at 20:28
  • Worked now when I used square brackets. Damn.. this was really dumb. – user1735921 Nov 18 '14 at 20:36
  • 1
    Please take LarsTech's advice and do not use keywords as identifiers. `Table` is a terrible name anyway. Also study [SQL injection](http://stackoverflow.com/questions/228476/) as your command has a serious mistake. – Dour High Arch Nov 18 '14 at 20:43
  • Please oh please learn about SQL injection and the 'using' statement – n8wrl Nov 18 '14 at 20:55
  • Also worth noting for a new dev- You want to test your SQL queries in SQL Management Studio if possible- this would have flagged immediately as "Table" would have been blue and the query wouldn't have executed without a syntax error. – Nyra Nov 18 '14 at 20:56

1 Answers1

3

You should use a using clause to properly manage resources and use parameters to avoid security problems. It is not recommended to use reserved words as "table". Try this:

const string commandText = "INSERT INTO [Table] (id,name) VALUES (1,@Name)";

using (SqlConnection connection = new SqlConnection(ConnectionString))
{
    SqlCommand command = new SqlCommand(commandText, connection);
    command.Parameters.Add("@Name", SqlDbType.VarChar);
    command.Parameters["@Name"].Value = textBox1.Text;

    connection.Open();
    var rowsAffected = command.ExecuteNonQuery();
}
Jose M.
  • 1,296
  • 17
  • 22