1

I am using VB.net to access a MySQL database and insert data into this table. I am getting this data from an opera database, the query I am using is: 

Dim queryInsert As String = "INSERT INTO customer_company(customer_id, name, street, zip, 
city,country,comments) values(" + c.sn_account.Trim + ", " + name + ", " + road + ", " 
+ postcode + ", " + city + ", " + country + ", " + name + ")"

I am then getting an error when it comes to the record:

B010, Charles Birt & Co, Loch House, null, Tenby, Dyfed, Charles Birt & Co

I though that this may be the '&' in the data so I have tried replacing it with || chr(38) || and also escaping it using \& but these do not work. Also I tried setting the postcode to various things like 'N/A', ' ' and null because this particular record doesn't have a postcode but this still gives the error.

Don't know if its the data or the query, any suggestions would be great.

Improve this question
1
  • You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Birt & Co, Loch House, null, Tenby, Dyfed, Charles Birt & Co)' at line 1 Commented Apr 4, 2016 at 8:54

2 Answers 2

Reset to default
3

Please use parameters when executing SQL commands. This avoids problems like you encounter in your question and also minimizes SQL injection attacks:

Dim queryInsert As String = 
"INSERT INTO customer_company(customer_id, name, street, zip,city,country,comments) values (@customer_id, @name, @street, @zip, @city, @country, @comments)"

Dim cmd as new MySqlCommand(queryInsert, <YourConnection>)
cmd.Parameters.AddWithValue("@customer_id", c.sn_account.Trim)
cmd.Parameters.AddWithValue("@name", name)
cmd.Parameters.AddWithValue("@street", road)
cmd.Parameters.AddWithValue("@zip", postcode)
cmd.Parameters.AddWithValue("@city", city)
cmd.Parameters.AddWithValue("@country", country)
cmd.Parameters.AddWithValue("@comments", name)
cmd.ExecuteNonQuery();
Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

I thought parameters make a query slower?
Where did you get this? Have you measured the performance whith and without parameters?
A colleague told me not to use them because they increase execution time, I trusted him and didn't use them. Got it fixed now anyway thanks!
Sorry, but I think your colleague is wrong. See this article which concludes prepared statements in MySQL are about 14.5% faster than non-prepared statements.
I'll have to let him know, and I can actually start using them now! Thanks
0

Not too sure if this will fix your problem but, when adding/inserting a value with a String Data Type Column in SQL, you should have ' '.

in your example: 

Dim queryInsert As String = "INSERT INTO customer_company(customer_id, 
name, street, zip, city,country,comments) 
values(" + c.sn_account.Trim + ", '" + name + "', '" + road + "', " 
+ postcode + ", '" + city + "', '" + country + "', '" + name + "')"

i dont add ' ' in customer_id and postcode because i think that they are not string date type.

Improve this answer

1 Comment

Try to insert a customer named Sean O'Brian. Or even worse: '; Delete From customer_company; --'

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.