-2

This is my work. The problem occurs with cmd.ExecuteNonQuery.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Incorrect syntax near the keyword 'Order'.

Source Error: Line 44:cmd.ExecuteNonQuery();

protected void Button2_Click(object sender, EventArgs e)
{
    // Table name Order is unquoted, and the values are concatenated straight from the form fields
    SqlCommand cmd = new SqlCommand("insert into Order values('" +DropDownList1.SelectedValue+"','" +DropDownList2.SelectedValue+ "','" +txtQuantity.Text+ "','" +DropDownList3.SelectedValue+ "','" +TextBox1.Text+ "')", con);
    cmd.ExecuteNonQuery(); // Line 44: throws SqlException here
    con.Close();
    DropDownList1.SelectedValue= "";
    DropDownList2.SelectedValue = "";
    txtQuantity.Text = "";
    DropDownList3.SelectedValue= "";
    TextBox1.Text = "";
}
user247702
  • 23,641
  • 15
  • 110
  • 157
Aaron91204
  • 11
  • 5
  • my TextBox1.Text = `bob'); drop table Orders; --` – Sam I am says Reinstate Monica May 06 '16 at 18:11
  • Please consider removing the SQL injection vulnerability. Sample code like this is scary even in prototype code, because it can make it into production. It is like leaving sticks of dynamite laying around on your workbench... – DVK May 06 '16 at 18:13

2 Answers

6

Be Careful With Keywords

It's likely that SQL sees your ORDER table and expects it to be an ORDER BY statement. Consider wrapping your table name in square braces to resolve this:

INSERT INTO [Order] VALUES(...)

Parameterization, Not Concatenation

Additionally, you should consider using parameters instead of string concatenation to build your query; it can prevent common syntax errors and protect you from nastiness like SQL Injection attacks:

protected void Button2_Click(object sender, EventArgs e)
{
     // Build your query (table name quoted because ORDER is a reserved word)
     var query = "INSERT INTO [Order] VALUES(@V1,@V2,@Quantity,@V3,@V4)";
     // Build your command
     using(var cmd = new SqlCommand(query,con))
     {
          // Explicitly open your connection if it isn't open already
          if (con.State != System.Data.ConnectionState.Open)
          {
               con.Open();
          }

          // Add your parameters (the values are sent as data, never spliced into the SQL text)
          cmd.Parameters.AddWithValue("@V1",DropDownList1.SelectedValue);
          cmd.Parameters.AddWithValue("@V2",DropDownList2.SelectedValue);
          cmd.Parameters.AddWithValue("@Quantity",txtQuantity.Text);
          cmd.Parameters.AddWithValue("@V3",DropDownList3.SelectedValue);
          cmd.Parameters.AddWithValue("@V4",TextBox1.Text);
          // Execute your query
          cmd.ExecuteNonQuery();
          // Clear your parameters and other stuff here
     }
}
Rion Williams
  • 74,820
  • 37
  • 200
  • 327
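The two points in the answer above, reproduced as an added example that is not from the question or either answer. It uses Python's sqlite3 as an offline stand-in for SqlClient and SQL Server (an assumption: SQLite also treats ORDER as a reserved word and accepts the [Order] bracket quoting, so the behaviour matches). The column names are constructed for the example, and the last value is the payload from the comment under the question. The concatenated statement is built but deliberately not executed, so you can inspect what string concatenation actually produces; the parameterized insert is executed and read back to show the same input stored as plain data.

```python
import sqlite3

# Constructed input standing in for TextBox1.Text; taken from the comment under the question.
INJECTION_PAYLOAD = "bob'); drop table Orders; --"


def build_concatenated_sql(v1, v2, quantity, v3, v4):
    """Build the INSERT the way the question's code does: by string concatenation.
    Returned, not executed, so the effect of hostile input can be inspected safely."""
    return ("insert into Order values('" + v1 + "','" + v2 + "','"
            + quantity + "','" + v3 + "','" + v4 + "')")


def create_schema(conn):
    # Column names are constructed for this example. ORDER is reserved, so the
    # table name must be quoted; SQLite accepts the SQL Server style [Order].
    conn.execute(
        "CREATE TABLE [Order] (product TEXT, customer TEXT, "
        "quantity INTEGER, shipper TEXT, note TEXT)"
    )


def insert_unquoted_table_name(conn):
    """Reproduce the error in the question: unquoted reserved word as table name.
    Returns the database error message, or None if it unexpectedly succeeded."""
    try:
        conn.execute("insert into Order values('a','b','1','c','d')")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def insert_parameterized(conn, v1, v2, quantity, v3, v4):
    """The hardened form: quoted identifier, explicit column list, bound parameters.
    Quantity is converted to int so a non-numeric value fails fast in the client."""
    sql = ("INSERT INTO [Order] (product, customer, quantity, shipper, note) "
           "VALUES (?, ?, ?, ?, ?)")
    conn.execute(sql, (v1, v2, int(quantity), v3, v4))
    conn.commit()


def read_notes(conn):
    """Return the stored note column, to show what the parameterized insert wrote."""
    return [row[0] for row in conn.execute("SELECT note FROM [Order]")]


def demo():
    """Run all three steps against an in-memory database and return their results."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    error = insert_unquoted_table_name(conn)
    concatenated = build_concatenated_sql("P1", "C1", "2", "S1", INJECTION_PAYLOAD)
    insert_parameterized(conn, "P1", "C1", "2", "S1", INJECTION_PAYLOAD)
    return error, concatenated, read_notes(conn)


if __name__ == "__main__":
    error, concatenated, notes = demo()
    print("unquoted table name ->", error)
    print("concatenated SQL    ->", concatenated)
    print("stored via params   ->", notes)
```

Running it prints the syntax error for the unquoted table name, a concatenated statement whose text now contains a second `drop table` statement after the closing `')`, and a stored note that is exactly the original input string. With parameters, the driver never interprets the value as SQL, which is why the answer recommends them over concatenation.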
-1

You have to specify the names of 5 columns to insert the 5 values. You only wrote 5 values, but where are they to be inserted?

Try something like this:

INSERT INTO [Order] (column1, column2, column3, column4, column5) VALUES (your code here)

And you'd better search the internet for further information.

Kay Lee
  • 922
  • 1
  • 12
  • 40
  • Column names are not mandatory: https://en.wikipedia.org/wiki/Insert_%28SQL%29#Basic_form – user247702 May 10 '16 at 18:03
  • OK, you're right to some extent. However, I tried to help with basic knowledge. Did I do a bad thing worthy of a downvote? All people need basic knowledge when they are starting. And Wikipedia is not always suitable to be linked. – Kay Lee May 10 '16 at 22:54
  • https://msdn.microsoft.com/en-us/library/ms174335.aspx If a column is not in column_list, the Database Engine must be able to provide a value based on the definition of the column; otherwise, the row cannot be loaded. The Database Engine automatically provides a value for the column if the column: Has an IDENTITY property. The next incremental identity value is used. Has a default. The default value for the column is used. Has a timestamp data type. The current timestamp value is used. Is nullable. A null value is used. Is a computed column. The calculated value is used. – Kay Lee May 10 '16 at 23:11
  • I downvoted because your answer does not solve the problem stated in the question. – user247702 May 11 '16 at 00:02
  • That's not the role of downvote. – Kay Lee May 11 '16 at 00:06