-1

I am trying to create an order form using C# and am attempting to link this order form to an Access database using OleDB in Visual Studio. However, when I attempt to save an order to the database I keep getting a syntax exception, as listed below:

Error System.Data.OleDb.OleDbException (0x80040E14): Syntax error in INSERT INTO statement.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteNonQuery()
at AccessLoginApp.OrderForm.btn_Save_Click(Object sender, EventArgs e) in c:\Users\skyscarer\Documents\Visual Studio 2013\Projects\AccessLoginApp\OrderForm.cs: line 214

The offending code which the exception is pointing to seems to be in the btn_Save_Click event. The code for this is displayed below.

private void btn_Save_Click(object sender, EventArgs e)
    {
        try
        {
            connection.Open();
            OleDbCommand command = new OleDbCommand();
            command.Connection = connection;
            command.CommandText = "insert into OrderForm(Customer Name, Address, Telephone Number, Post Code) values('" + customerName.Text + "', '" + addrBox.Text + "', '" + telephoneNumber.Text + "', '" + postCode.Text + "')";
            //command.CommandText = "insert into OrderForm (Customer Name, Address, Telephone Number, Post Code, Date Ordered, Due Date, Pick Up / Delivery, Item, Quantity, Size, Price) values ('"+customerName.Text+"', '"+addrBox.Text+"', '"+telephoneNumber.Text+"', '"+postCode.Text+"', '"+dateOrderedBox.Text+"', '"+dueDate.Text+"', '"+cBoxPickDeliver.Text+"', '"+itemBox.Text+"', '"+Quantity.Text+"', '"+sizeBox.Text+"', '"+price.Text+"')";
            command.ExecuteNonQuery();
            MessageBox.Show("Order Inserted into Database");
        }
        catch (Exception ex)
        {
            MessageBox.Show("Error " + ex);
        }
    }

However, the line that the exception points to is just the command.ExecuteNonQuery() code, so I am unsure as to what the exception is trying to say and, as such, am unsure what is wrong with my code. If anybody can help me on this, it would be greatly appreciated. Cheers

3
  • 3
    Do your columns have spaces in them (Customer Name, Telephone Number)? Have you tried searching what this error means? Did you read about escaping object names that contain spaces? Commented Jul 14, 2015 at 11:11
  • maybe this helps stackoverflow.com/questions/4988770/… Commented Jul 14, 2015 at 11:14
  • 3
    SQL Injection alert - you should not concatenate together your SQL statements - use parametrized queries instead to avoid SQL injection Commented Jul 14, 2015 at 11:16

1 Answer

1

try:

"insert into OrderForm ([Customer Name], Address, [Telephone Number], [Post Code]) values('" + customerName.Text + "', '" + addrBox.Text + "', '" + telephoneNumber.Text + "', '" + postCode.Text + "')";

Also, you should consider using parameters, since you are open to SQL injection.
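The parameterized form of this insert, which the comments and the answer both recommend, is shown below as an added example that is not part of the original post. The connection string, the 255-character column sizes, the OrderStore/SaveOrder names and the sample values are assumptions.

```csharp
using System;
using System.Data.OleDb;

static class OrderStore
{
    // Column names containing spaces are bracketed. Values are bound as
    // parameters, so they are never parsed as part of the SQL text.
    // The OLE DB provider matches "?" markers by the order in which
    // parameters are added, not by parameter name.
    const string InsertSql =
        "INSERT INTO OrderForm ([Customer Name], Address, [Telephone Number], [Post Code]) " +
        "VALUES (?, ?, ?, ?)";

    public static int SaveOrder(string connectionString, string customerName,
                                string address, string telephone, string postCode)
    {
        // using blocks close the connection even if ExecuteNonQuery throws.
        using (var connection = new OleDbConnection(connectionString))
        using (var command = new OleDbCommand(InsertSql, connection))
        {
            // Add parameters in the same order as the column list above.
            // Size 255 is an assumed column width (Access Short Text maximum).
            command.Parameters.Add("@name", OleDbType.VarWChar, 255).Value = customerName;
            command.Parameters.Add("@address", OleDbType.VarWChar, 255).Value = address;
            command.Parameters.Add("@phone", OleDbType.VarWChar, 255).Value = telephone;
            command.Parameters.Add("@postCode", OleDbType.VarWChar, 255).Value = postCode;

            connection.Open();
            return command.ExecuteNonQuery(); // number of rows inserted
        }
    }

    static void Main()
    {
        // Assumed connection string; point Data Source at your own database file.
        const string cs =
            @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\path\to\orders.accdb";

        // Constructed sample input. The apostrophe in the name would end the
        // string literal early in a concatenated statement; as a parameter it
        // is stored as ordinary data.
        int rows = SaveOrder(cs, "Pat O'Brien", "1 Example Street",
                             "01234 567890", "AB1 2CD");
        Console.WriteLine(rows + " row(s) inserted");
    }
}
```

In the form's btn_Save_Click handler, the four arguments would be customerName.Text, addrBox.Text, telephoneNumber.Text and postCode.Text.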
