SQL Server Invalid column name when adding string value

一向 2021-01-18 15:23

I'm new to SQL Server

I've created my table like this:

CREATE TABLE Accidents (
     Id INT NOT NULL PRIMARY KEY IDENTITY,
     GUID VARCHAR(100),         


        
5 Answers
  • 2021-01-18 15:28

    I'm guessing your GUID value starts with an a. If it started with a 3 you'd probably get something more entertaining.

    Since you're passing it in as a string, and not escaping it with quotes, you receive an error.

    // T-SQL string literals take single quotes; double quotes denote identifiers by default.
    SqlCommand cmd = new SqlCommand("INSERT INTO Accidents (GUID,Latitude,Longitude,PhotoName) VALUES ("
                + "'" + GUID + "'," + latitude + "," + longitude + ",'" + photoName + "')", con);
    

    A few points:

    1. You should really avoid building queries in this way. Use a stored procedure or parameterized query.

    2. Why are you storing a guid as a varchar()? There is a very nice Guid datatype available.

    3. Don't name columns after data types.

    0 Discuss (0)
  • 2021-01-18 15:48

    I wonder why he considered "a" as a column name?

    That's not hard to see. You shouldn't develop software, deploy it and hope it runs. You should test it. Extract the executing code into a class method, and call that from your service. When developing, you call this method from a unit test or command-line program or whatever you like to test with.

    Your problem: you don't put quotes around the strings (or varchars if you want) in the query. You would've seen it if you just printed the query string to the console for example.

    But honestly that's the least of your problems. You shouldn't hand-craft SQL. At least use parameterized queries. So let your query be:

    "INSERT INTO Accidents (GUID, Latitude, Longitude, PhotoName) 
                    VALUES (@GUID, @Latitude, @Longitude, @PhotoName)"
    

    And bind the parameters:

    cmd.Parameters.AddWithValue("@GUID", GUID);
    ...
    
    0 Discuss (0)
  • 2021-01-18 15:49

    You need quotes around your strings. You're just directly substituting in the values, so SQL is trying to parse them as columns.

    SqlCommand cmd = new SqlCommand("INSERT INTO Accidents (GUID,Latitude,Longitude,PhotoName) " +
           "VALUES ('" + GUID + "','" + latitude + "','" + longitude + "','" + photoName + "')", con);
    

    You should note, however, that this is extremely insecure code. It's very prone to SQL injection. Try using parameterized queries instead.

    0 Discuss (0)
  • 2021-01-18 15:49

    You need single quotes around string values.

    But I strongly recommend you use SQLParameters to avoid any SQL injection attacks.

    You can find examples of using SQL Parameters here

    0 Discuss (0)
  • 2021-01-18 15:50

    Please, replace your code with this.

     SqlCommand cmd = new SqlCommand("INSERT INTO Accidents (GUID,Latitude,Longitude,PhotoName) " + 
                                     "VALUES (@guid, @lat, @long, @photo)", con);
     cmd.Parameters.AddWithValue("@guid", GUID);
     cmd.Parameters.AddWithValue("@lat", latitude);
     cmd.Parameters.AddWithValue("@long", longitude);
     cmd.Parameters.AddWithValue("@photo", photoName);
    

    Why? Well, suppose that one of your strings contains a single quote.
    The query will fail with a syntax error. But do not stop at strings. What about dates and decimal numbers? You need to format them in a way that's agreeable to the database globalization settings, just to fail on the next customer with different settings. A parameter will solve this for you.

    Worse. Suppose that a malicious user types, in the input box for PhotoName, something like this:

     p1.jpg'); DROP TABLE ACCIDENTS; -- 
    

    That's a big, big problem - it is called SQL injection, and yes, a parameter prevents this. I really hope that you don't write this code on databases where you have sensitive information.

    0 Discuss (0)
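
Added example, not part of any answer above and not the posters' code: it runs the three variants discussed in this thread (unquoted values, quoted concatenation, bound parameters) against an in-memory table. It assumes Python with SQLite in place of the thread's C# and SQL Server; the GUID value, coordinates and function names are constructed for illustration, and `executescript()` stands in for a client that sends a whole batch to the server.

```python
import sqlite3

# Constructed input: the PhotoName value quoted in the last answer, and a made-up GUID.
PAYLOAD = "p1.jpg'); DROP TABLE ACCIDENTS; -- "
GUID = "a3f0c2d4"

INSERT_HEAD = "INSERT INTO Accidents (GUID,Latitude,Longitude,PhotoName) VALUES "

def new_db():
    """Fresh in-memory database with a simplified Accidents table (assumed column types)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Accidents (Id INTEGER PRIMARY KEY, GUID TEXT,"
                " Latitude REAL, Longitude REAL, PhotoName TEXT)")
    return con

def table_exists(con):
    q = "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='Accidents'"
    return con.execute(q).fetchone()[0] == 1

def insert_unquoted(con, guid, lat, lon, photo):
    """The question's bug: bare values are parsed as identifiers, not strings."""
    try:
        con.execute(f"{INSERT_HEAD}({guid},{lat},{lon},{photo})")
        return None
    except sqlite3.OperationalError as e:
        return str(e)  # SQLite's wording of SQL Server's "Invalid column name"

def insert_concatenated(con, guid, lat, lon, photo):
    """Quoted concatenation: input can close the literal and append statements."""
    con.executescript(f"{INSERT_HEAD}('{guid}',{lat},{lon},'{photo}');")

def insert_parameterized(con, guid, lat, lon, photo):
    """Values travel separately from the SQL text, so they are stored as data."""
    con.execute(INSERT_HEAD + "(?,?,?,?)", (guid, lat, lon, photo))

def demo():
    a, b, c = new_db(), new_db(), new_db()
    err = insert_unquoted(a, GUID, 12.5, 77.6, "p1.jpg")
    insert_concatenated(b, GUID, 12.5, 77.6, PAYLOAD)
    insert_parameterized(c, GUID, 12.5, 77.6, PAYLOAD)
    stored = c.execute("SELECT PhotoName FROM Accidents").fetchone()[0]
    # (error text, table survives concatenation?, table survives parameters?, stored value)
    return err, table_exists(b), table_exists(c), stored

if __name__ == "__main__":
    print(demo())
```
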