While inserting data, I am encountring following error: MySql.Data.MySqlClient.MySqlException: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1'\
ignore the SQL injection part for now.
Any help would be much appreciated!!!
private void SaveData(string s) { string company = comboBox1.Text.ToString(); int companyid = Convert.ToInt32(comboBox1.SelectedValue); string vendor = comboBox2.Text.ToString(); int vendorid = Convert.ToInt32(comboBox2.SelectedValue); string POID = textBox3.Text.ToString(); string expected_date = dateTimePicker2.Value.ToShortDateString(); string todaydate = DateTime.Now.ToString(); string itemPaymentNote = comboBox3.Text.ToString(); try { MySqlConnection con = new MySqlConnection(ConfigurationManager.AppSettings["RL_InventoryConnection"]); if (con.State == ConnectionState.Closed) con.Open(); MySqlCommand cmd = new MySqlCommand("select * from vendormaster where vendor_id= +'" + vendorid + "' ;", con); MySqlDataReader dr1 = cmd.ExecuteReader(); string VcontName1="", Vcontphone1 = "", Vcontemail1 = "", VcontName2 = "", Vcontphone2 = "" , Vcontemail2 = ""; while (dr1.Read()) { VcontName1 = dr1["vendor_contact_Name1"].ToString(); Vcontphone1 = dr1["vendor_contact_phone1"].ToString(); Vcontemail1 = dr1["vendor_contact_email1"].ToString(); VcontName2 = dr1["vendor_contact_Name2"].ToString(); Vcontphone2 = dr1["vendor_contact_phone2"].ToString(); Vcontemail2 = dr1["vendor_contact_email2"].ToString(); } dr1.Close(); foreach (DataGridViewRow dr in dataGridView1.Rows) { var ItemTypeCell = dr.Cells[0].Value; var ItemNameCell = dr.Cells[1].Value; var ItemModelCell = dr.Cells[2].Value; var DescriptionCell = dr.Cells[3].Value; var QuantityCell = dr.Cells[4].Value; var UnitPriceCell = dr.Cells[5].Value; var OtherNotesCell = dr.Cells[6].Value; var GSTCell = dr.Cells[7].Value; var CGSTCell = dr.Cells[8].Value; var SGSTCell = dr.Cells[9].Value; var ItemTotalCell = dr.Cells[10].Value; Console.WriteLine(s); string a = "N/A"; //MySqlCommand cmd1 = new MySqlCommand("insert into pomaster ( po_id,vendor_id_fk,user_id_fk,po_date,comp_id_fk,po_status,quantity,cost_per_unit,gst_percent,CGST, SGST,total_amount,payment_notes,other_notes,Vendor_Contact_name,Vendor_Contact_phone1,Vendor_Contact_email1,Vendor_Contact_person2,Vendor_Contact_phone2,Vendor_Contact_email2,expected_delivery_date,actual_delivery_date) values(+'" + POID + "', +'" + vendorid + "', 1, SYSDATE(), '" + companyid + "', '" + s + "', +'" + QuantityCell + "', '" + UnitPriceCell + "', '" + GSTCell + "', '" + CGSTCell + "','" + SGSTCell + "', '" + ItemTotalCell + "', '" + itemPaymentNote + "', '" + OtherNotesCell + "', '" + VcontName1 + "', '" + Vcontphone1 + "','" + Vcontemail1 + "', '" + VcontName2 + "', '" + Vcontphone2 + "', '" + Vcontemail2 + "', '" + expected_date + "', +'" + a + "' ;", con); MySqlCommand cmd1 = new MySqlCommand("insert into pomaster ( po_id,vendor_id_fk,user_id_fk,po_date,comp_id_fk,po_status,quantity,cost_per_unit,gst_percent,CGST, SGST,total_amount,payment_notes,other_notes,Vendor_Contact_name,Vendor_Contact_phone1,Vendor_Contact_email1,Vendor_Contact_person2,Vendor_Contact_phone2,Vendor_Contact_email2,expected_delivery_date,actual_delivery_date) values(+'" + POID + "', +'" + vendorid + "', 1, SYSDATE(), '" + companyid + "', '" + s + "', +'" + QuantityCell + "', '" + UnitPriceCell + "', '" + GSTCell + "','" + CGSTCell + "','" + SGSTCell + "', '" + ItemTotalCell + "', '" + itemPaymentNote + "', '" + OtherNotesCell + "', '" + VcontName1 + "', '" + Vcontphone1 + "','" + Vcontemail1 + "', '" + VcontName2 + "', '" + Vcontphone2 + "', '" + Vcontemail2 + "', '" + expected_date + "' , +'" + a + "' ;", con); cmd1.ExecuteNonQuery(); } } catch (Exception ex) { throw ex; } }