I get error at calling cmd.ExecuteNonQuery.
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘angelina’,’biology’)” at line 1
private void button2_Click(object sender, EventArgs e)
{
MySqlConnection con = new MySqlConnection(@"server=localhost;database=name;uid=root;pwd=xxx;");
string query = "INSERT INTO table_student (@name, @major) VALUES ('" + textBox3.Text + "','" + textBox4.Text + "');";
MySqlCommand cmd = new MySqlCommand(query, con);
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.Add("@name", MySqlDbType.VarChar).Value = this.textBox3.Text;
cmd.Parameters.Add("@major", MySqlDbType.VarChar).Value = this.textBox4.Text;
con.Open();
int i = cmd.ExecuteNonQuery();
con.Close();
if (i > 0)
{
MessageBox.Show(i + "Data Saved");
}
}
>Solution :
You’re using parameters incorrectly. The parameters for a query are the values being used in the query, but you’re directly concatenating the values (which is a SQL injection vulnerability) and trying to use the parameters as names of your columns.
The query should be more like this:
string query = "INSERT INTO table_student (name, major) VALUES (@name, @major);";
The name and major parts are column names and are statically known. The @name and @major parts are the value placeholders in the query, which are substituted by the query engine internally when the query is executed after you add the values for those parameters:
cmd.Parameters.Add("@name", MySqlDbType.VarChar).Value = this.textBox3.Text;
cmd.Parameters.Add("@major", MySqlDbType.VarChar).Value = this.textBox4.Text;
Additionally, as pointed out in a comment, get rid of this line:
cmd.CommandType = CommandType.StoredProcedure;
You’re not executing a stored procedure, just a direct query.