System.Data.SqlClient.SqlException: 'Incorrect syntax near ')'.' / cmd.ExecuteNonQuery()

Question

Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
    If NamaBukuBox.Text = " " Or PngrngBukuBox.Text = " " Or PnrbtBukuBox.Text = " " Or JmlhBukuBox.Text = " " Then
        MsgBox("Isi Semua Kolom Informasi")
    Else
        Con.Open()
        Dim query = "Insert into BukuTbl values('" & NamaBukuBox.Text & "','" & PngrngBukuBox.Text & "','" & PnrbtBukuBox.Text & "'," & JmlhBukuBox.Text & ")"
        Dim cmd As SqlCommand
        cmd = New SqlCommand(query, Con)
        cmd.ExecuteNonQuery() '** this line is error
        MsgBox("Buku Telah Ditambahkan")
        Con.Close()
    End If
End Sub

I don't know what to do what makes the error and how to solve it?

Find out how to pass values through parameters, then your issue will probably vanish. What exactly *is* the value of that `query`? — Hans Keﬆing, Nov 09 '22 at 07:01
It's always frustrating when people post about a syntax error in their SQL code and then don't bother to post the SQL code. It usually means that they haven't even looked themselves. The VB code that builds your SQL code is not the SQL code. If we know what the actual code is then we can tell you what's wrong with it. That said, if you do things the proper way and use parameters, as suggested, then the issue is likely to go away. There's relevant information all over but you can see my take [here](http://jmcilhinney.blogspot.com/2009/08/using-parameters-in-adonet.html). — jmcilhinney, Nov 09 '22 at 07:13

score 1 · Answer 1 · answered Nov 09 '22 at 07:24

1

This is a very risky way of writing code. User input would be inserted directly into SQL. If your user inputs any apostrophe, your SQL will fail.

For example, try entering Abc's into the NamaBukuBox text box. Check your resulting SQL. In the worst case scenario, a user could inject SQL and delete data and tables.

In your case, it is likely the input from the user that is causing the SQL to fail. Please use parameters to input user data into SQL. Do not concatenate user input direct in SQL. You SQL should look something like:

Insert into BukuTbl values(@NamaBukuBox,@PngrngBukuBox,@PnrbtBukuBox,@JmlhBukuBox)

answered Nov 09 '22 at 07:24

navigator

1,678
16
29

Issues are bigger than potential failure, also see "SQL Injection". There's an xkcd on this, search for "Bobby Tables". – Craig Nov 09 '22 at 16:18
@Craig: Yes, which is why I mentioned SQL Injection. – navigator Nov 10 '22 at 08:43

System.Data.SqlClient.SqlException: 'Incorrect syntax near ')'.' / cmd.ExecuteNonQuery()

1 Answers1