0

I have a error like this while adding data to SQL table

Additional information: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'id,Member Name,Contact No,Address,Reg.date)VALUES('12312','asdfgnm','zxcvbn','xc' at line 1

My code is like this:

public partial class frmhome : Form
    {
        public frmhome()
        {
            InitializeComponent();
        }


        //Create the instant variable 
        MySqlConnection mysqlConn;
        MySqlDataAdapter mysqlAdapt;
        MySqlDataReader mysqlRead;
        MySqlCommand mysqlComm;

        //Create the Memory Variable         
        String qry;
        //add member
        private void Home_Load(object sender, EventArgs e)
        {
            panelmemreg.Visible = true;
            panelAddbook.Visible = false;
            panelissue.Visible = false;
            panelres.Visible = false;


            //Using Error handler tool 
            try
            {
                //Create the Memory Variable 
                string srv, db, user, pass;
                //Assigning the values 
                srv = "localhost"; db = "lms"; user = "root"; pass = "";
                //assigning the command 
                qry = "SERVER=" + srv + ";" + "DATABASE=" + db + ";" + "UID=" + user + ";" + "PASSWORD=" + pass + ";";
                mysqlConn = new MySqlConnection(qry);
            }
            catch (Exception ex)
            {
                //Display Error Message 
                MessageBox.Show("Couldn't connect :" + ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
            }

        }

        private void btnAdd_Click(object sender, EventArgs e)
        {
            //using the error handler tool 
            try
            {

                //Set the sql statement 
                qry = "INSERT INTO member (Member id,Member Name,Contact No,Address,Reg.date)VALUES('" + txtbid.Text + "','" + txtbname.Text + "','" + txtbtelno.Text + "','" + txtbaddr.Text + "','" + dtpreg.Value.Date + "')";
                //Open the connection 
                mysqlConn.Open();
                //Set the statement in command control 
                mysqlComm = new MySqlCommand(qry, mysqlConn);
                //Execute the statement 
                mysqlComm.ExecuteNonQuery();
                String msg3 = "Add new member Successfully";
                lblStatus.Text = msg3;

            }


            finally
            {
                //close the connection 
                mysqlConn.Close();
            }

        }
Klaus Gütter
  • 6,283
  • 4
  • 24
  • 30
chamath_sh
  • 1
  • 1
  • Gah, the sql injection hole, it burns us! – Joel Coehoorn Dec 01 '18 at 01:32
  • Please read https://stackoverflow.com/questions/601300/what-is-sql-injection – NineBerry Dec 01 '18 at 01:34
  • Please share the **exact** value of `qry`. – mjwills Dec 01 '18 at 02:00
  • 1
    Possible duplicate of [What are good ways to prevent SQL injection?](https://stackoverflow.com/questions/14376473/what-are-good-ways-to-prevent-sql-injection) – mjwills Dec 01 '18 at 02:00
  • The column names have spaces. You need to wrap them between ``` character. such as `\`Member id\`,\`Member Name\`` – Chetan Ranpariya Dec 01 '18 at 03:13
  • The SQL injection vulnerability is also causing this problem. Some other tips... The MySqlConnection, MySqlDataAdapter, MySqlDataReader and MySqlCommand are all IDisposable so each should be in a `using` block. Once you've done that, you don't need to Close things because it will be closed by the implicit Dispose as it exits the block. – Richardissimo Dec 01 '18 at 07:20

0 Answers0