I want to insert C# winform values to Mysql
there are 3 columns
name,id are TextBox text and gender is ComboBox value
but there is error and error messsage said: MySql.Data.MySqlClient.MySqlException: ‘You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”,’)’ at line 1′
what code should i fix?
using (MySqlConnection conn2 = new MySqlConnection(strconn))
{
conn2.Open();
string query = "INSERT INTO student1(name,id,gender) values ('" + name3.Text + "'," + id3.Text + "'," + gender3.SelectedValue+"');";
MySqlCommand cmd = new MySqlCommand(query, conn2);
cmd.ExecuteNonQuery();
}
Advertisement
Answer
You’re missing a single quote in the connecting string literal between name3.Text and id3.Text and again between id3.Text and gender3.SelectedValue
But it shouldn’t matter. If you’re concatenating user-supplied strings like this it’s only a matter of time until your system is breached. There’s a better way that avoids this risk, makes it easier to get your SQL statements correct, and runs faster.
//This could be marked const!
string query = "INSERT INTO student1(name,id,gender) values (@name, @id, @gender);";
using (var conn2 = new MySqlConnection(strconn))
using (var cmd = new MySqlCommand(query, conn2))
{
//I have to guess, but you can find exact column types/lengths from your db
//Do not use AddWithValue()!
// MySql is less at risk for the AddWithValue() performance issues
// than Sql Server but the risk isn't completely eliminated.
cmd.Parameters.Add("@name", MySqlDbType.VarChar, 30).Value = name3.Text;
cmd.Parameters.Add("@id", MySqlDbType.VarChar, 50).Value = id3.Text;
cmd.Parameters.Add("@gender", MySqlDbType.VarChar, 5).Value = gender3.SelectedValue;
conn2.Open();
cmd.ExecuteNonQuery();
}