
I got OleDbException: Syntax error in INSERT INTO statement. I think that my INSERT INTO statement is good. The parameters have the right data types, so that's not the problem. Does someone maybe know what the problem is?

        OleDbCommand command = new OleDbCommand();
        command.Connection = conn;
        command.CommandType = CommandType.Text;
        command.CommandText = String.Format("INSERT INTO Employees" +
            " (ID, Company, Last Name, First Name, E-mail Address, Job Title, Business Phone, Home Phone" +
            ", Mobile Phone, Fax NUmber, Address, City, State/Province, ZIP/Postal Code, Country/Region, Web Page, Notes)" +
            " Values ('{0}', '{1}','{2}','{3}','{4}','{5}'," +
            "'{6}','{7}','{8}','{9}','{10}','{11}','{12}','{13}','{14}','{15}','{16}')", iD,kompanija,prezime,ime,email,
           zvanje,busTelefon,telefon,mobTelefon,fax,adresa,grad,okrug,postanskiBroj,zemlja,web,beleska);

        conn.Open();
        command.ExecuteNonQuery();
        conn.Close();

Error message: [screenshot]

UPDATE SQL:

        OleDbCommand command = new OleDbCommand();
        command.Connection = conn;
        command.CommandType = CommandType.Text;
        string cmdText = String.Format(@"UPDATE TABLE Employees " +
                        "SET" +
                        " Company='" + kompanija + "'," +
                        " [Last Name]='" + prezime + "'," +
                        " [First Name]='" + ime + "'," +
                        " [E-mail Address]='" + email + "' ," +
                        " [Job Title]='" + zvanje +"'," +
                        " [Business Phone]='" + busTelefon + "'," +
                        " [Home Phone]='" + telefon + "'," +
                        " [Mobile Phone]='" + mobTelefon + "'," +
                        " [Fax Number]='" + fax + "'," +
                        " Address='" + adresa + "'," +
                        " City='" + grad + "'," +
                        " [State/Province]='" + okrug + "'," +
                        " [ZIP/Postal Code]='" + postanskiBroj + "'," +
                        " [Country/Region]='" + zemlja + "'," +
                        " [Web Page]='" + web + "'," +
                        " Notes='" + beleska + "' WHERE ID="+iD);
        command.CommandText = cmdText;

        conn.Open();
        command.ExecuteNonQuery();
        conn.Close();

And this SQL doesn't work. The same error as the previous one.

  • You also need to post the error message. Commented May 27, 2017 at 12:07
  • What type of DB is this? What is displayed when you click on the "view Details" of that image? Commented May 27, 2017 at 12:18

1 Answer


When your field names contain a space or other misleading characters like the / (division operator), you need to enclose them in square brackets:

 string cmdText = @"INSERT INTO Employees
                  (ID, Company, [Last Name], [First Name], [E-mail Address],
                   .., [State/Province], ....) VALUES (....)";

Also, you are not using parameters in your query. String.Format is just another form of string concatenation: it cannot protect you from invalid inputs (for example, try using a single quote in your last-name value) and cannot save your code from SQL injection vulnerabilities.

You should always use parameterized queries:

string cmdText = @"INSERT INTO Employees ( your_field_list_comma_sep)
                  VALUES (@id, @company, @lastname, @firstname, 
                  ......)";

OleDbCommand cmd = new OleDbCommand(cmdText, conn);
cmd.Parameters.Add("@id", OleDbType.Integer).Value = iD;
cmd.Parameters.Add("@company", OleDbType.VarWChar).Value = kompanija;
cmd.Parameters.Add("@lastname", OleDbType.VarWChar).Value = prezime;
cmd.Parameters.Add("@firstname", OleDbType.VarWChar).Value = ime;
....
// add all the other parameters with their name and type
....
cmd.ExecuteNonQuery();
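As an added example (not code from the question or the answer), here is the complete INSERT from the question rewritten with bracketed field names and OleDb parameters. It assumes the Access `Employees` table has exactly the columns listed in the question and that the OLE DB provider binds parameters by position, so the placeholders are `?` and the parameters are added in column order; the `Notes` column is assumed to be a Memo field and is bound as `LongVarWChar`.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

static class EmployeeRepository
{
    // Field names containing spaces or '/' are wrapped in [ ] so the
    // Access SQL parser does not read "Last Name" as two tokens or
    // "State/Province" as a division. The OLE DB provider matches
    // parameters by position, so '?' placeholders are used and the
    // parameters below must be added in exactly this column order.
    const string InsertSql =
        "INSERT INTO Employees " +
        "(ID, Company, [Last Name], [First Name], [E-mail Address], [Job Title], " +
        "[Business Phone], [Home Phone], [Mobile Phone], [Fax Number], Address, City, " +
        "[State/Province], [ZIP/Postal Code], [Country/Region], [Web Page], Notes) " +
        "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";

    // Returns the number of rows inserted (1 on success).
    public static int InsertEmployee(OleDbConnection conn, int id, string company,
        string lastName, string firstName, string email, string jobTitle,
        string busPhone, string homePhone, string mobilePhone, string fax,
        string address, string city, string stateProvince, string zip,
        string country, string webPage, string notes)
    {
        using (var cmd = new OleDbCommand(InsertSql, conn))
        {
            cmd.Parameters.Add("@id", OleDbType.Integer).Value = id;

            // Text columns, in statement order. A value such as O'Brien is
            // sent as data and never parsed as SQL, so the single-quote
            // problem from the question cannot occur. Nulls become DBNull.
            foreach (string v in new[] { company, lastName, firstName, email, jobTitle,
                busPhone, homePhone, mobilePhone, fax, address, city, stateProvince,
                zip, country, webPage })
            {
                cmd.Parameters.Add("@p" + cmd.Parameters.Count, OleDbType.VarWChar)
                    .Value = (object)v ?? DBNull.Value;
            }
            // Assumption: Notes is a Memo column, so bind it as a long string.
            cmd.Parameters.Add("@notes", OleDbType.LongVarWChar)
                .Value = (object)notes ?? DBNull.Value;

            if (conn.State != ConnectionState.Open) conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```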

12 Comments

The first suggestion doesn't work. I will try with parameterized queries.
Yeah, I have the same error when I tried to put the fields with spaces in square brackets.
You should put the square brackets also around [State/Province], otherwise the / is considered the division operator, not quite right in an INSERT statement.
Isn't your ID generated by the DB? Also, you're passing it between single quotes, which indicates a string for SQL Server.
I can't see any syntax error in your update code. But remember, if any of your input data contains a single quote, you are doomed with another syntax error.