
I am creating a page which adds a product to my SQL table. I have seen and modified a snippet of code for my needs.

    string contentType = ImageUpld.PostedFile.ContentType; // read but never inserted (see the column list below)
    using (Stream fs = ImageUpld.PostedFile.InputStream)
    {
        using (BinaryReader br = new BinaryReader(fs))
        {
            byte[] bytes = br.ReadBytes((Int32)fs.Length);
            SqlConnection conn = new SqlConnection(WebConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
            // The statement is built by string concatenation: Desc is a reserved word (the cause of the
            // error below), the column list names 7 columns but only 6 values are supplied, "bytes" is
            // concatenated as a string (which yields "System.Byte[]", not the image), and the text-box
            // values are spliced directly into the SQL text.
            SqlCommand cmd = new SqlCommand("INSERT INTO Products (Name, Image, Price, Desc, Author, Preview, ContentType ) VALUES ('" + Nametxt.Text + "', '" + bytes + "', '" + Pricetxt.Text + "', '" + Desctxt.Text + "', '" + Session["UserName"] + "', '" + Previewtxt.Text + "')", conn);
            cmd.CommandType = CommandType.Text;
            using (conn)
            {
                conn.Open();
                SqlDataReader rdr = cmd.ExecuteReader(); // an INSERT returns no rows; ExecuteNonQuery is the usual call
                conn.Close();
            }
        }
    }

Visual Studio highlights the cmd.ExecuteReader(); then says:

An exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll but was not handled in user code

Additional information: Incorrect syntax near the keyword 'Desc'.

  • What is the value of Desctxt.Text at the time of the error? Commented Nov 17, 2016 at 17:06
  • I smell sql injection. Change your query to a parameterized query. stackoverflow.com/questions/7505808/… Commented Nov 17, 2016 at 17:07
  • desc is a SQL reserved word. Try [desc] (or better yet don't use reserved words as field names). Commented Nov 17, 2016 at 17:07

1 Answer

desc is a keyword; place in square brackets

e.g. [desc]
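Putting the answer and the comments together, as an added example that is not the asker's or the answerer's code: the same INSERT with the reserved-word column bracketed, every value passed as a parameter so user input never becomes part of the SQL text, the image sent as varbinary, and all seven listed columns supplied. It assumes the question's control names and Session["UserName"]; the column types (nvarchar/decimal) are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Web.Configuration;

// Assumed page controls and session key from the question; column types are assumptions.
protected void InsertProduct()
{
    string contentType = ImageUpld.PostedFile.ContentType;

    // Copy the upload into a byte array without relying on Stream.Length being known.
    byte[] imageBytes;
    using (Stream fs = ImageUpld.PostedFile.InputStream)
    using (var ms = new MemoryStream())
    {
        fs.CopyTo(ms);
        imageBytes = ms.ToArray();
    }

    // Validate the numeric field before it reaches the database instead of letting SQL fail.
    decimal price;
    if (!decimal.TryParse(Pricetxt.Text, out price))
        throw new ArgumentException("Price must be a number.");

    // [Desc] is bracketed because DESC is a reserved word; the 7 columns get 7 parameters.
    const string sql =
        "INSERT INTO Products (Name, Image, Price, [Desc], Author, Preview, ContentType) " +
        "VALUES (@Name, @Image, @Price, @Desc, @Author, @Preview, @ContentType)";

    string connStr = WebConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
    using (var conn = new SqlConnection(connStr))
    using (var cmd = new SqlCommand(sql, conn))
    {
        cmd.CommandType = CommandType.Text;
        cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = Nametxt.Text;
        cmd.Parameters.Add("@Image", SqlDbType.VarBinary, -1).Value = imageBytes;   // varbinary(max)
        cmd.Parameters.Add("@Price", SqlDbType.Decimal).Value = price;
        cmd.Parameters.Add("@Desc", SqlDbType.NVarChar, -1).Value = Desctxt.Text;
        cmd.Parameters.Add("@Author", SqlDbType.NVarChar, 100).Value =
            Session["UserName"] as string ?? (object)DBNull.Value;
        cmd.Parameters.Add("@Preview", SqlDbType.NVarChar, -1).Value = Previewtxt.Text;
        cmd.Parameters.Add("@ContentType", SqlDbType.NVarChar, 100).Value = contentType;

        conn.Open();
        int rows = cmd.ExecuteNonQuery();   // INSERT returns no result set, so no reader is needed
    }
}
```

Because the values travel as parameters, a description containing a quote or a keyword is stored as data rather than parsed as SQL, so the "Incorrect syntax" class of error cannot be triggered by the text-box contents.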
