Sir,


In my project I want to insert data into a table from another table in the database.

For that I wrote the query as follows:

String str = "insert into branch(Code,Name,metro,state)values ('" + this.txtbranchcode.Text + "','" + this.txtbranchname.Text + "','" + this.cmbmetro.SelectedIndex + "','" + "select code from state where Name='" + this.statename.Text + "'" + "')";


Here it shows a runtime error: incorrect syntax near statename.

Please correct the error for me.

wrote:
String str = "insert into branch(Code,Name,metro,state)values ('" + this.txtbranchcode.Text + "','" + this.txtbranchname.Text + "','" + this.cmbmetro.SelectedIndex + "','" + "select code from state where Name='" + this.statename.Text + "'" + "')";


Let's ignore what an utter disaster this is. I hope no-one is actually going to use this code because it is badly put together and not secure at all.

insert into branch(Code,Name,metro,state)values ('Text','Text','SelectedIndex','select code from state where Name='Text'')

You're trying to do what would be best done with a stored proc. You are basically assuming that the number stored as metro is a string (as it's in quotes) and that state is also a string, but the string you're trying to store is SQL, and because of the double use of ', it's not even valid as a string to store. You should write a stored proc which looks up the state value, then uses it in the insert. You should remove the quotes if metro is a number. You should probably not make the number that you store reliant on the index of a UI element. You definitely need to learn about SQL injection, and write a proper data layer instead of putting SQL in your presentation layer.

Overall, you probably need to read a book on SQL.
You need to revisit your quotes. Your present query looks like this -
,'select code from state where Name = 'xxx''.

Fetch the value of code in select code from state where Name='xxx' in a separate query and add just the return value to the one above.
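As an added example (not code from the question or either answer), this is what the data-layer method both answers ask for could look like in C# with ADO.NET: the state code is looked up in the same statement with an INSERT ... SELECT, and every form value is passed as a parameter, so a quote in the input can no longer break the SQL. The table and column names come from the question; the class name, parameter names and column sizes are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical data-layer class; the form calls this instead of building SQL itself.
public static class BranchRepository
{
    // Inserts one branch row, resolving the state code from the state table
    // inside the statement. User input never becomes part of the SQL text.
    // Returns the number of rows inserted: 0 means no state with that name exists.
    public static int InsertBranch(string connectionString, string code, string name,
                                   int metro, string stateName)
    {
        const string sql =
            "INSERT INTO branch (Code, Name, metro, state) " +
            "SELECT @Code, @Name, @Metro, s.code " +
            "FROM state AS s WHERE s.Name = @StateName;";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Column sizes are assumptions; match them to the real schema.
            cmd.Parameters.Add("@Code", SqlDbType.NVarChar, 50).Value = code;
            cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@Metro", SqlDbType.Int).Value = metro;   // stored as a number, not a quoted string
            cmd.Parameters.Add("@StateName", SqlDbType.NVarChar, 100).Value = stateName;

            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}

// Example call from the form (assumed control names follow the question):
//   int rows = BranchRepository.InsertBranch(connectionString,
//       txtbranchcode.Text, txtbranchname.Text, cmbmetro.SelectedIndex, statename.Text);
//   if (rows == 0) { /* report "unknown state" instead of silently inserting nothing */ }
```

Whether metro should really be the combo box's SelectedIndex is a separate question raised in the first answer; the parameter only fixes how the value reaches the database.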
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)