1
insertBankMas = "";
insertBankMas = "INSERT INTO IntNotes (Room,Size) VALUES('" + txtRoom.Text + "','" + txtSize.Text + "')";
PbdataAdapter = new OleDbDataAdapter(insertBankMas, PbSQLConnection);
openconnection();

insertcommand.ExecuteNonQuery();
MessageBox.Show("Room is Added");

Please correct me...

2
  • Welcome to StackOverflow! You should tell us the details of your syntax error. And your code is wide open for SQL injection! Commented Mar 13, 2016 at 10:37
  • And is your Size column of numeric or string type? If it's numeric, remove the ' from the ...'" + txtSize.Text + "'.... Commented Mar 13, 2016 at 10:40

3 Answers

2

SIZE is a reserved keyword for the Microsoft OleDb provider. You need to use it with square brackets like [SIZE]. As a best practice, change it to a non-reserved word. And since your SQL is an INSERT query, you don't need OleDbDataAdapter. That structure is used when you get data from your database. Just use ExecuteNonQuery to execute your insert query.

But more important:

You should always use parameterized queries. This kind of string concatenation is open to SQL Injection attacks.

Also use the using statement to dispose your OleDbConnection and OleDbCommand automatically instead of calling the Close or Dispose methods manually.

using(var connection = new OleDbConnection(conString))
using(var cmd = connection.CreateCommand())
{
    cmd.CommandText = "INSERT INTO IntNotes (Room, [Size]) VALUES(?, ?)";
    cmd.Parameters.Add("?", OleDbType.VarWChar).Value = txtRoom.Text;
    cmd.Parameters.Add("?", OleDbType.VarWChar).Value = txtSize.Text;
    // I assume your column types mapped with VarWChar

    connection.Open();
    int effectedRows = cmd.ExecuteNonQuery();
    if(effectedRows > 0)
    {
        MessageBox.Show("Room is Added");
    }
}

By the way, I strongly suspect your Size column should(?) be some numeric value based on its name. You might wanna change its column type instead.


0

The error is probably happening because the data that you enter in the textboxes contains special characters that need to be escaped. Even if the data does not need to be escaped, you must not build SQL commands using string concatenation because that can cause SQL injection attacks. Instead you should use parameterized statements and pass the user data as parameters.

See this article for more details: SQL Injection Attacks and Some Tips on How to Prevent Them
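Putting the advice of the two answers above together (bracket the reserved word, send the values as OleDb parameters instead of concatenating them, wrap the connection and command in using blocks) into one complete helper, as an added example that is not either answerer's code or the asker's. It goes one step further than the answers by typing the Size parameter as an integer, so the textbox text is validated on the client and the column never receives quoted text at all. The table layout (IntNotes with a text Room and a numeric Size), the 50-character width, the connection string and the form control names are assumptions; the rows-affected value is returned so the caller can decide how to report the result.

```csharp
using System;
using System.Data;
using System.Data.OleDb;
using System.Windows.Forms;

// Added example, not code from the question or the answers. Assumes an OleDb
// table IntNotes with a text column Room and a numeric column Size (the numeric
// type is an assumption, as the first answer suspects it should be).
public static class RoomRepository
{
    // Returns the number of rows inserted (1 on success). Throws
    // ArgumentException when the user input is unusable; the caller decides
    // how to show that to the user.
    public static int AddRoom(string connectionString, string roomText, string sizeText)
    {
        string room = (roomText ?? "").Trim();
        if (room.Length == 0 || room.Length > 50)   // 50 is an assumed column width
            throw new ArgumentException("Room must be 1-50 characters.", nameof(roomText));

        // A numeric column gets a numeric parameter: the text is parsed here,
        // so no quoting or escaping of the user's input is ever needed.
        if (!int.TryParse(sizeText, out int size) || size <= 0)
            throw new ArgumentException("Size must be a positive whole number.", nameof(sizeText));

        // The reserved word SIZE is bracketed; values travel as OleDb parameters
        // (positional '?' markers), never as concatenated text.
        const string sql = "INSERT INTO IntNotes (Room, [Size]) VALUES (?, ?)";

        using (var connection = new OleDbConnection(connectionString))
        using (var cmd = new OleDbCommand(sql, connection))
        {
            // OleDb matches parameters by position, not by name, so the order
            // of the Add calls must follow the order of the '?' markers.
            cmd.Parameters.Add("@room", OleDbType.VarWChar, 50).Value = room;
            cmd.Parameters.Add("@size", OleDbType.Integer).Value = size;

            connection.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}

// Hypothetical WinForms form showing how a button handler would call the helper.
// txtRoom and txtSize are the control names from the question; the connection
// string is a placeholder.
public class RoomForm : Form
{
    private const string PbConnectionString =
        "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=notes.accdb"; // placeholder

    private readonly TextBox txtRoom = new TextBox();
    private readonly TextBox txtSize = new TextBox();

    private void btnAdd_Click(object sender, EventArgs e)
    {
        try
        {
            int rows = RoomRepository.AddRoom(PbConnectionString, txtRoom.Text, txtSize.Text);
            MessageBox.Show(rows == 1 ? "Room is Added" : "Nothing was inserted");
        }
        catch (ArgumentException ex)
        {
            MessageBox.Show(ex.Message, "Check your input");
        }
        catch (OleDbException ex)
        {
            // Log the full exception for the developer; show the user a generic
            // message so provider error text (table and column names) stays out
            // of the UI.
            System.Diagnostics.Trace.TraceError(ex.ToString());
            MessageBox.Show("The room could not be saved.", "Database error");
        }
    }
}
```

Because the values never become part of the SQL text, a Room of `O'Neil` or a pasted `'); DROP TABLE ...` string is stored or rejected as plain data, and the query text the provider parses is always the same constant string.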


0

My sincere thanks to everyone who reminded me SIZE is a keyword. It's WORKING, when I changed the SIZE field name to ROOMSIZE.

Thanks Ram

1 Comment

It's probably better to delete this post and just accept Soner's answer by clicking on the check mark next to it.
