
I have a problem when I want to insert data into an Access database using C#.

The message error is:

System.data.OleDb.OleDbException (0x80040E14): error de syntaxe dans l'instruction INSERT INTO...........

Does someone know what the problem is?

Here is my code:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Data.OleDb;
using System.Windows.Forms;

namespace First_cnx
{
    public partial class Form2 : Form
    {
        private OleDbConnection connection = new OleDbConnection();
        public Form2()
        {
            InitializeComponent();
            connection.ConnectionString = @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Users\Reeda\Documents\Warface.accdb;Persist Security Info=False;";
        }

        private void save_Click(object sender, EventArgs e)
        {
            try
            {
                connection.Open();
                OleDbCommand command = new OleDbCommand();
                command.Connection = connection;
                command.CommandText = String.Format(@"INSERT INTO [membre] (Player, Password, Gun, Claass) VALUES('" + player.Text + "', '" + password.Text + "', '" + gun.Text + "', '" + kind.Text + "')");

                command.ExecuteNonQuery();
                MessageBox.Show("Data Saved !");
                connection.Close();
            }
            catch (Exception ex) {
                MessageBox.Show("Error " + ex);
            }
        }
    }
}
Reda

2 Answers


Besides your insert values, I think this happens because Password is a reserved keyword in the OLE DB provider. You should use it with square brackets like [Password]. The best solution is to change your column name to a non-reserved word.

But more important

You should always use parameterized queries. This kind of string concatenation is open to SQL injection attacks. You don't need to use String.Format in your case either, since you didn't format your string.

Also use a using statement to dispose your OleDbConnection and OleDbCommand.

using(OleDbConnection connection = new OleDbConnection(conString))
using(OleDbCommand command = connection.CreateCommand())
{
    // Set your CommandText property.
    // Define and add your parameter values.
    // Open your OleDbConnection.
    // Execute your query.
}
Soner Gönül
  • I think he uses String.Format to avoid string concatenation, which would take more memory space and is slower, even if this usage of String.Format isn't the usual way. – CptVince Dec 31 '14 at 11:21
  • @CptVince Argh, maybe.. He saved 3 concatenations, huh? :) Still think it is unnecessary. – Soner Gönül Dec 31 '14 at 11:35
  • I don't know if this is right, but I use it even for this little concatenation: [code]String.Format(@"INSERT INTO [membre] (Player, [Password], Gun, Claass) VALUES('{0}', '{1}', '{2}', '{3}')", player.Text, password.Text, gun.Text, kind.Text);[/code] With normal string concatenation it would be, with the + ", " + thing, over 9 concatenations I think. – CptVince Dec 31 '14 at 13:49
  • @CptVince When you use parameterized queries, you will not need to format your string ;) Use them, **USE THEM ALWAYS**! – Soner Gönül Dec 31 '14 at 14:03
  • Yep, sorry, you are right, I just thought about the concatenation. – CptVince Dec 31 '14 at 14:38
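A complete parameterized version of the question's save logic, as an added example and not code from the answer above: it uses the OLE DB provider's positional `?` placeholders, brackets the reserved column name, and disposes the connection and command with `using`. The table and column names and the connection string come from the question; the `MemberRepository` class name, the `OleDbType` choices and the parameter sizes are assumptions.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

namespace First_cnx
{
    // Added example: parameterized INSERT into the [membre] table from the question.
    public class MemberRepository
    {
        private readonly string connectionString;

        public MemberRepository(string connectionString)
        {
            this.connectionString = connectionString;
        }

        // Inserts one row and returns the number of rows affected (1 on success).
        public int SaveMember(string player, string password, string gun, string kind)
        {
            // The OLE DB provider binds parameters by position, not by name, so the
            // order of Parameters.Add calls must match the order of the '?' markers.
            // [Password] is bracketed because Password is a reserved word in Access.
            const string sql =
                "INSERT INTO [membre] (Player, [Password], Gun, Claass) VALUES (?, ?, ?, ?)";

            using (OleDbConnection connection = new OleDbConnection(connectionString))
            using (OleDbCommand command = new OleDbCommand(sql, connection))
            {
                // Explicit types and sizes (assumed here) avoid the provider guessing
                // them from the value; the values are never spliced into the SQL text,
                // so an apostrophe in a name such as O'Neil is stored as-is instead of
                // producing the syntax error the concatenated version gives.
                command.Parameters.Add("@player", OleDbType.VarWChar, 255).Value = player;
                command.Parameters.Add("@password", OleDbType.VarWChar, 255).Value = password;
                command.Parameters.Add("@gun", OleDbType.VarWChar, 255).Value = gun;
                command.Parameters.Add("@kind", OleDbType.VarWChar, 255).Value = kind;

                connection.Open();
                return command.ExecuteNonQuery();
            }
        }
    }
}
```

From the form's click handler, inside the existing try/catch, call `new MemberRepository(connection.ConnectionString).SaveMember(player.Text, password.Text, gun.Text, kind.Text)`; the field-level `connection` object in the question is then no longer needed, since each call opens and disposes its own.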

Password is a reserved word in Access. Try the query like this:

command.CommandText = String.Format(@"INSERT INTO [membre] (Player, [Password], Gun, Claass) VALUES('" + player.Text + "', '" + password.Text + "', '" + gun.Text + "', '" + kind.Text + "')");
CptVince