0

I have to execute a query of insertion in my c# code

connexion = new SqlConnection(connexionString);
             connexion.Open();
            List<int> liste = client.GetIDFichiers(1210);
            int a = 2;
            foreach (int idfichier in liste)
            {
                a++;
                using (connexion)
                {
                  using (SqlCommand sqlCmd = new SqlCommand("INSERT INTO REL_Fab3DLotFichier_Fichier3D (IDREL_Fab3DLotFichier_Fichier3D,IDFichier3D,IDFab3DLotFichier,CreePar,CreeLe,ModifiePar,DateMaj,EstActif) VALUES (" + a + "," + idfichier + "," + 17965 + "," + null + "," + null + "," + null + "," + null + "," + 1 + ")", connexion))
                    {
                        try
                        {
                            sqlCmd.ExecuteNonQuery();
                        }
                        catch (Exception ex) { MessageBox.Show(ex.ToString()); }

                    }
                }

            }

The insertion isn't working and i don't know why. the selection and delete queries worked fine. Only when i try to insert values a syntaxic error appears.

  • what is the syntax error?
  • How can i fix it?
Improve this question
4
  • Please specify the error... Commented May 3, 2013 at 9:51
  • show you table schema Commented May 3, 2013 at 9:52
  • 2
    Wow where should I start! For a start you are concatenating ints with strings and with nulls. Secondly...consider parameterized queries. Commented May 3, 2013 at 9:53
  • 1
    Always use parameterized queries. It will prevent SQL injection attacks. Commented May 3, 2013 at 10:01

3 Answers 3

Reset to default
3

what is the syntax error? and How can i fix it?

Yes. Use parameterized SQL statement.

string sql = "INSERT INTO TableName (Column1,Column2) VALUES (@value1,@value2)";
using(SqlCommand sqlCmd = new SqlCommand(sql,connection))
{
 sqlCmd.Parameters.Add("@value1",SqlDbType.Varchar,20).Value = varName1;
 sqlCmd.Parameters.Add("@value2",SqlDbType.Varchar,20).Value = DBNull.Value;
 ...
 }

Try to include not null fields to prepare INSERT SQL.

sql=@"INSERT INTO REL_Fab3DLotFichier_Fichier3D 
                (IDREL_Fab3DLotFichier_Fichier3D,
                 IDFichier3D,
                 IDFab3DLotFichier,
                 DateMaj,EstActif) 
     VALUES 
                (@IDREL_Fab3DLotFichier_Fichier3D,
                 @IDFichier3D,
                 @IDFab3DLotFichier,
                 @DateMaj,@EstActif)";
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

Some of the values you are passing may be string/varchar objects and you aren't wrapping them with quotes:

new SqlCommand("INSERT INTO REL_Fab3DLotFichier_Fichier3D (IDREL_Fab3DLotFichier_Fichier3D,IDFichier3D) VALUES ('" + a + "', '" + idfichier + "')", connexion);

Really, as AVD suggested, you should use parameterisation, which is less prone to injection attacks.

Improve this answer

Comments

0

please enclose your string values in single quotes like below

 New SqlCommand("insert into Type(TypeName,TypeOrder,CategoryID) values ('" + txtType1.Text + "','" + txtOrder.Text + "','" + ViewState("CatID").ToString() + "')", con)
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.