Syntax error in INSERT INTO statement

1
votes

I have a problem when i m connection with access database then i m getting a error Syntax error in INSERT INTO statement. and my code is :

 string str = ("Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:/Users/Geeta/Desktop/Database2.accdb;Persist Security Info=False;");
        OleDbConnection conn = new OleDbConnection(str);
        conn.Open();
        string query = "insert into data (FirstName,Email,Password,Address) values ('" + 
            txt_fstname.Text + "','" + txt_email.Text + "', '" + 
            txt_pass.Text + "', '" + txt_add.Text + "')";
        OleDbCommand cmd = new OleDbCommand(query,conn);
        cmd.ExecuteNonQuery();
        conn.Close();
        Response.Redirect("Default.aspx");

plz suggest me.

"Thanks"

1
cms-access
Could you add the error message? and the query string that is generated at runtime. Perhaps there are some special characters in the textboxes. - juergen d
Please, don't create query manually appending strings, integers, dates into command: use Parameters and your life will be easier !!! - Marco
SQL Injection anybody? - Jonathan Leffler
First step in debugging is to print (or log) the string query; what does it contain when you get the error? - Jonathan Leffler
Creating query in that way if user uses a ' in password your query fails and the same for all other fields!! Do you check user input before passing it in the query? Do you sanitize it? - Marco

1 Answers

3
votes

Password is a reserved word in Jet/ACE SQL so you must enclose it in square brackets:

string query = "insert into data (FirstName,Email,[Password],Address) values ('" +