I'm trying to insert a record into a database using VB.NET with this line, but I am given a syntax error. I don't see anything wrong with it, I think?

SQL = ("INSERT INTO Orders (Items, CustName, Table, Cost, Price) 
      VALUES ('" & ItemsString & "', '" & CustName & "', '" & Table & 
      "', '" & Cost & "', '" & Price & "');")
  • You have a syntax error in your SQL code and you have decided to not show us your SQL code, which suggests that you haven't even looked at it yourself, which means that you haven't even tried to solve the problem. The VB code that constructs your SQL code is not your SQL code. Look at the actual SQL code to see what's wrong. Further to that, you are creating your own problem by building your SQL that way. DO NOT use string concatenation to insert values into SQL code. Use a parameterised query and you'll avoid this and other issues, including SQL injection. Commented Jan 18, 2022 at 9:28
  • @user17922293 I have asked friends and searched the web for about 2 hours so far. I shall attach all code now. I'm new to using SQL in vb.net so am not sure on what to do to make code 100% Commented Jan 18, 2022 at 9:32
  • We don't need all your code. We don't need ANY of your VB code. Please read the words I wrote. The issue is in your SQL code so the SQL code would be what we need to see in order to determine the actual issue. We could make some guesses based on experience but we should not have to guess when you have the relevant information in front of you. Further, you shouldn't try to fix this issue anyway. You should use a parameterised query. THAT is what you should be searching for information on, which I'm fairly sure you haven't done up to now. Commented Jan 18, 2022 at 9:38
  • Please tag your RDBMS. By concatenating your data directly into your SQL query you are at risk of SQL injection, but data that is concatenated can also break your code, e.g. if any string contains quotes, which you will need to escape/double depending on your RDBMS. Ideally you should be using a parameterized query that resolves all these issues. Commented Jan 18, 2022 at 9:57
  • How can I explain SQL injection without technical jargon? | Information Security Stack Exchange Commented Jan 18, 2022 at 10:01

1 Answer

I am not sure what the parentheses outside the string are for, but they are not necessary. Always use parameters. Never concatenate strings to build CommandText.

Please note that TABLE is a reserved word. Enclose it in brackets.

I had to guess the datatypes for the parameters. Check your database for correct values. Money should be Decimal.

This is what a parametrized query should look like.

Imports System.Data.OleDb

Private Sub InsertRecord(ItemsString As String, CustName As String, Table As String, Cost As Decimal, Price As Decimal)
    ' [Table] is bracketed because TABLE is a reserved word; the @names are placeholders, not concatenated values
    Dim SQL = "INSERT INTO Orders (Items, CustName, [Table], Cost, Price) VALUES (@ItemsString, @CustName, @Table, @Cost, @Price);"
    Using cn As New OleDbConnection("Your connection string"),
            cmd As New OleDbCommand(SQL, cn)
        ' OleDb binds parameters by position, so add them in the same order as they appear in the SQL
        cmd.Parameters.Add("@ItemsString", OleDbType.VarChar).Value = ItemsString
        cmd.Parameters.Add("@CustName", OleDbType.VarChar).Value = CustName
        cmd.Parameters.Add("@Table", OleDbType.VarChar).Value = Table
        cmd.Parameters.Add("@Cost", OleDbType.Decimal).Value = Cost
        cmd.Parameters.Add("@Price", OleDbType.Decimal).Value = Price
        cn.Open()
        cmd.ExecuteNonQuery()
    End Using
End Sub
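To show why the concatenated INSERT from the question fails on ordinary data while the parameterized form from this answer does not, here is an added Python/sqlite3 example (it is not the answer's code and not VB.NET; an in-memory SQLite table stands in for the Access database, and the sample orders, including a customer name with an apostrophe, are constructed). The column `[Table]` is bracket-quoted exactly as the answer recommends, since TABLE is reserved in SQLite too:

```python
import sqlite3

# Constructed sample rows: "O'Brien" carries the apostrophe that breaks concatenated SQL.
SAMPLE_ORDERS = [
    ("Tea, Scone", "Smith", "T1", 3.50, 5.00),
    ("Coffee", "O'Brien", "T2", 1.20, 2.50),
]


def make_db():
    """In-memory stand-in for the Access file; [Table] is bracketed because TABLE is reserved."""
    cn = sqlite3.connect(":memory:")
    cn.execute(
        "CREATE TABLE Orders (Items TEXT, CustName TEXT, [Table] TEXT, Cost REAL, Price REAL)"
    )
    return cn


def insert_concatenated(cn, items, cust, table, cost, price):
    """The question's approach: values pasted into the SQL text.

    Returns the number of rows inserted (the analogue of ExecuteNonQuery's return
    value), or 0 when the statement no longer parses because a value contained a quote.
    """
    sql = ("INSERT INTO Orders (Items, CustName, [Table], Cost, Price) VALUES ('"
           + items + "', '" + cust + "', '" + table + "', '"
           + str(cost) + "', '" + str(price) + "');")
    try:
        return cn.execute(sql).rowcount
    except sqlite3.OperationalError:
        # e.g. near "Brien": syntax error -- the apostrophe ended the literal early
        return 0


def insert_parameterized(cn, items, cust, table, cost, price):
    """The answer's approach: named placeholders in the SQL, values bound separately.

    The driver never parses the values as SQL, so quotes in data are stored verbatim.
    """
    sql = ("INSERT INTO Orders (Items, CustName, [Table], Cost, Price) "
           "VALUES (:Items, :CustName, :Table, :Cost, :Price);")
    cur = cn.execute(sql, {"Items": items, "CustName": cust, "Table": table,
                           "Cost": cost, "Price": price})
    return cur.rowcount


def stored_customers(cn):
    """What actually reached the table, which is the check the comments below ask for."""
    return [row[0] for row in cn.execute("SELECT CustName FROM Orders ORDER BY CustName")]


def compare():
    """Run both insert styles over the sample data on fresh tables.

    Returns {style: (rows inserted per attempt, customer names stored)}.
    """
    results = {}
    for name, fn in (("concatenated", insert_concatenated),
                     ("parameterized", insert_parameterized)):
        cn = make_db()
        outcomes = [fn(cn, *row) for row in SAMPLE_ORDERS]
        results[name] = (outcomes, stored_customers(cn))
        cn.close()
    return results


if __name__ == "__main__":
    for style, (outcomes, names) in compare().items():
        print(f"{style:14s} rows per attempt={outcomes} stored={names}")
```

The concatenated version silently loses the second order (the statement fails to parse once the apostrophe closes the string literal), which is the same class of failure the question reports as a "syntax error"; the parameterized version stores both rows unchanged. Checking the value ExecuteNonQuery returns, as `rowcount` is checked here, is also the quickest way to tell whether an insert actually happened.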

5 Comments

Thank you very much for your answer, Mary. I am having an issue, however: when I do the ExecuteNonQuery, nothing seems to happen?
OK, so I have a 'receipts' page where I have a grid of the records where the inputted data shows up. But it doesn't show up in Access?
Check your connection string. Are you sure you are looking at the same database? Did you copy the database to your program folder? The path to the database file should be the same as the one you are looking at.
I am looking at the database in the bin > debug folder and nothing new is there.
I used the 'add data source' method to add the database to the project.