Thanks Joe, I have seen other code using the parameters and wasn't
sure what the best method was to use. I will switch to the parameter
method. I will try your suggestion on the syntax error.
On Oct 30, 5:14 pm, Joe Enos <[EMAIL PROTECTED]> wrote:
> First of all - classic sql injection attack-prone - switch to a
> parametrized command or stored proc.
>
> Second - shouldn't be difficult to debug - just step through it, find
> out what the value of cmd.CommandText is, and dump it into your
> database program - Management Studio or Query Analyzer, etc. You'll
> probably find a missing single-quote or something like that.
>
> On Oct 30, 3:09 pm, Imstac <[EMAIL PROTECTED]> wrote:
>
> > I added an SQL insert statement to a button on my web form and when I
> > debug I get the error: "Incorrect syntax near ',' " I've been over
> > and over the code and can't figure out the problem. Could someone
> > please take a look at my code and let me know if you see anything
> > wrong?
>
> > Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
> >     Dim oConn As New System.Data.SqlClient.SqlConnection(ConfigurationManager.ConnectionStrings("CMSConnectionString").ConnectionString)
> >     Dim cmd As New System.Data.SqlClient.SqlCommand()
> >     cmd.Connection = oConn
> >     oConn.Open()
> >     cmd.CommandText = "INSERT into Timecard(INEENO,INDTWE,INWKNO,INDYWK, INJBNO, INGLAN, INJCDI, INRGHR, INOVHR, INOTHR, INOTTY) values(" & _
> >         EmplID1.Text & ",'" & DatePicker1.TextValue & "'," & DD_week.Text & "," & DD_DayofWeek.Text & _
> >         ",'" & jobno.Text & "','" & GLAcct.Text & "','" & DD_CostCode.Text & "'," & _
> >         RegHrs.Text & ", " & OTHrs.Text & "," & OthHrs.Text & ",'" & DD_OthHourType.Text & "')"
> >     cmd.ExecuteNonQuery()
> >     oConn.Close()
>
> > End Sub
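
The parameterized command suggested in the thread, applied to the Timecard insert from the question. This is an added example, not code posted by anyone in the thread; the module and helper names are hypothetical, and the column types are assumptions inferred from which values the original statement wrapped in quotes.

```vbnet
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient

Public Module TimecardData
    ' Same columns as the INSERT in the question; values are bound as parameters.
    Private Const InsertSql As String = _
        "INSERT INTO Timecard (INEENO, INDTWE, INWKNO, INDYWK, INJBNO, INGLAN, " & _
        "INJCDI, INRGHR, INOVHR, INOTHR, INOTTY) VALUES (@INEENO, @INDTWE, " & _
        "@INWKNO, @INDYWK, @INJBNO, @INGLAN, @INJCDI, @INRGHR, @INOVHR, " & _
        "@INOTHR, @INOTTY)"

    ' Hypothetical helper, called from Button1_Click with the controls' text.
    ' Assumed types: values the original quoted are text or date, the rest numeric.
    Public Sub InsertTimecard(ByVal emplId As String, ByVal weekEnding As String, _
            ByVal weekNo As String, ByVal dayNo As String, ByVal jobNo As String, _
            ByVal glAcct As String, ByVal costCode As String, ByVal regHrs As String, _
            ByVal otHrs As String, ByVal othHrs As String, ByVal othHourType As String)
        Dim connStr As String = _
            ConfigurationManager.ConnectionStrings("CMSConnectionString").ConnectionString
        Using conn As New SqlConnection(connStr)
            Using cmd As New SqlCommand(InsertSql, conn)
                With cmd.Parameters
                    ' Parse throws FormatException on empty or non-numeric input,
                    ' so bad values are rejected before any SQL is sent.
                    .Add("@INEENO", SqlDbType.Int).Value = Integer.Parse(emplId)
                    .Add("@INDTWE", SqlDbType.DateTime).Value = Date.Parse(weekEnding)
                    .Add("@INWKNO", SqlDbType.Int).Value = Integer.Parse(weekNo)
                    .Add("@INDYWK", SqlDbType.Int).Value = Integer.Parse(dayNo)
                    ' Text travels as data: a quote inside it cannot change the statement.
                    .Add("@INJBNO", SqlDbType.VarChar).Value = jobNo
                    .Add("@INGLAN", SqlDbType.VarChar).Value = glAcct
                    .Add("@INJCDI", SqlDbType.VarChar).Value = costCode
                    .Add("@INRGHR", SqlDbType.Decimal).Value = Decimal.Parse(regHrs)
                    .Add("@INOVHR", SqlDbType.Decimal).Value = Decimal.Parse(otHrs)
                    .Add("@INOTHR", SqlDbType.Decimal).Value = Decimal.Parse(othHrs)
                    .Add("@INOTTY", SqlDbType.VarChar).Value = othHourType
                End With
                conn.Open()
                cmd.ExecuteNonQuery()
            End Using
        End Using ' Connection is closed even if ExecuteNonQuery throws.
    End Sub
End Module
```

Because the statement text is now a constant, a blank numeric box can no longer produce an empty slot between two commas in the SQL; it fails in `Parse` instead, where the handler can report it to the user.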