Error running SQL query on C# OleDbException was unhandled, characters found after end of SQL statement

Whenever I run the below event on C# I get the following error message - OleDbException was unhandled, characters found after end of SQL statement at the int affectedRows = (int)command.ExecuteNonQuery(); line. Any idea how I can fix it?

private void save_btn_Click(object sender, EventArgs e)
{
    if (pgpText.Text.Trim().Length == 0)
    {
        MessageBox.Show("Please fill the following textbox: PGP");
    }
    else if (teamText.Text.Trim().Length == 0)
    {
        MessageBox.Show("Please fill the following textbox: Team");
    }
    else
    {
        using (OleDbConnection conn = new OleDbConnection())
        {
            string pgp = pgpText.Text;
            string team = teamText.Text;
            conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source='db.mdb'";
            OleDbCommand command = new OleDbCommand();
            command.Connection = conn;
            command.CommandText = "UPDATE PGP SET PGP=pgp,Team=team WHERE pgp=pgp; SELECT @@ROWCOUNT;";
            conn.Open();

            int affectedRows = (int)command.ExecuteNonQuery();

            if (affectedRows == 0)
            {
                command.CommandText = "INSERT INTO PGP (PGP,Team) VALUES (pgp,team)";
                command.ExecuteNonQuery();
            }
        }
    }
}
Jon Skeet
people
quotationmark

I suspect you were actually trying to use parameters - note that your pgp and team variables in C# aren't being used at all in your code. I suspect you want something like:

using (OleDbConnection conn = new OleDbConnection())
{
    string pgp = pgpText.Text;
    string team = teamText.Text;
    conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source='db.mdb'";
    OleDbCommand command = new OleDbCommand();
    command.Connection = conn;
    command.CommandText = "UPDATE PGP SET Team=? WHERE PGP=?";
    command.Parameters.Add("team", OleDbType.VarChar).Value = team;
    command.Parameters.Add("pgp", OleDbType.VarChar).Value = pgp;
    conn.Open();

    int affectedRows = (int) command.ExecuteNonQuery();

    if (affectedRows == 0)
    {
        command.CommandText = "INSERT INTO PGP (Team, PGP) VALUES (?, ?)";
        // Parameters as before
        command.ExecuteNonQuery();
    }
}

Note that I've removed the "SELECT @@ROWCOUNT" part from your update - that's not needed as ExecuteNonQuery returns the number of rows affected anyway.

A couple of other notes:

  • For most database providers, you'd use named parameters instead of positional ones, e.g. VALUES (@pgp, @team) and then use the parameter names... but the OLE DB provider in .NET doesn't support these.
  • Do not use string concatenation for SQL as another answer (possibly deleted by the time you read this) has suggested - that paves the way for SQL Injection attacks and conversion issues. (And it's messy.)

people

See more on this question at Stackoverflow