creating registration page in C#

1
votes

This code is causing an error:

Incorrect syntax near the keyword 'table'

This error occurs on line 31:

cmd.ExecuteNonQuery();

This line gets highlighted what changes should I make in registration form

using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class registration_page : System.Web.UI.Page
{
    protected void Button1_Click(object sender, EventArgs e)
    {
        SqlConnection con = new SqlConnection(@"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=|DataDirectory|\Database.mdf;Integrated Security=True");
        {
            con.Open();

            SqlCommand cmd = new SqlCommand(@"insert into dbo.table(first name, last name, email, password, confirm password, gender) values ('" + Username.Text + "','" + Password.Text + "','" + contact.Text + "','" + gender.Text + "','" + email.Text + "' ,);");
            Username.Text = "";
            Password.Text = "";
            contact.Text = "";
            gender.Text = "";
            email.Text = "";

            // Assign the connection to command
            cmd.Connection = con;

            // Change the command variable name here
            cmd.ExecuteNonQuery();
            con.Close();
        }
    }
}
1
c#
If you use parameterized queries, and quote your column names, that problem will go away. You could also remove the spaces from your column names, but you should retain the parameters, so that your system doesn't die in a heap as soon as Seamus O'Leary, or Robert'); DROP TABLE Students;-- registers. See bobby-tables.comCaius Jard

1 Answers

0
votes

There are different issues in your command that will likely lead to problems like "incorrect syntax" errors.

  1. The ; at the end of your command should not be required
  2. The "dbo." should not be required
  3. Have a look on this part of your command: email.Text + "' ,) -> The comma seems to be incorrect.

I recommend to copy the whole command text from the exception, try to execute it directly in your DB management tool and do the necessary modifications there. When it is executed correctly, apply it to your source code.