MySqlException was unhandled (.NET)

A bit of my code is receiving an error on inserting an entry into my MySQL DB:

    cmd.ExecuteNonQuery()
    (** You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Insert Into M_UserLogins Values(1,SysDate(),1,'')' at line 1 **)

    StrSql = "Delete From M_UserLogins Where User_ID=" & CurrentUserID & " Insert Into M_UserLogins Values(" & CurrentUserID & ",SysDate(),1,'')"
    cmd = New MySqlCommand(StrSql, con)
    cmd.CommandType = CommandType.Text
    cmd.ExecuteNonQuery()
    GboxLogin.Visible = False
    tv_Msgr.Visible = True
    LoadFriends()


kevinsmith23 Asked:

käµfm³d 👽 Commented:
This is entirely bad programming practice (because you should be using parameters), but, assuming that "CurrentUserID" is a string type, you need quotes surrounding your variable data as demonstrated below. I believe you need a command separator between your delete and insert queries as well.

    StrSql = "Delete From M_UserLogins Where User_ID='" & CurrentUserID & "';Insert Into M_UserLogins Values('" & CurrentUserID & "',SysDate(),1,'')"

käµfm³d 👽 Commented:
The parameter approach:

    StrSql = "Delete From M_UserLogins Where User_ID = @userid"
    cmd = New MySqlCommand(StrSql, con)
    cmd.CommandType = CommandType.Text
    ' Bind the value as a parameter instead of splicing it into the SQL text
    cmd.Parameters.Add(New MySqlParameter("@userid", CurrentUserID))
    cmd.ExecuteNonQuery()

kevinsmith23 Author Commented:
Thanks, I will try and change my bad ways lol! Thanks, it worked. Now to try and take what you have done and apply it to the next error on my next SQL string.

kevinsmith23 Author Commented:
Thanks
käµfm³d 👽 Commented:
As an incentive to use parameters, take into account the following SQL query:

    StrSql = "Delete From M_UserLogins Where User_ID = '" & CurrentUserID & "'"

Let's say the value of CurrentUserID comes from a textbox. Now let's say I am a malicious user and I figure out how you've structured your query. In the textbox I type:

    x' or 1 = 1--

I have effectively told your database to delete all User_ID rows from your table, because the query above checks that either User_ID is equal to 'x' (which may or may not be the case) or 1 is equal to 1 (which it is, so it will always be true).
kevinsmith23 Author Commented:
Very interesting, thanks. I will be changing my ways lol
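The two points made in this thread, the parameter approach and the `x' or 1 = 1--` demonstration, side by side as a runnable example. This is added code, not from the question or the answers; it uses Python's built-in sqlite3 module as an offline stand-in for MySQL (so `SysDate()` becomes `CURRENT_TIMESTAMP` and `@userid` becomes a `?` placeholder), and the table columns and seed rows are constructed assumptions modelled on the thread's `M_UserLogins` statements.

```python
import sqlite3

# Constructed schema modelled on the thread's M_UserLogins table.
# sqlite3 stands in for MySQL so the example runs offline.
SCHEMA = """
CREATE TABLE M_UserLogins (
    User_ID   TEXT    NOT NULL,
    LoginTime TEXT    NOT NULL,
    Status    INTEGER NOT NULL,
    Note      TEXT    NOT NULL
);
"""

# Constructed sample rows: (User_ID, Status).
SEED = [("1", 1), ("2", 1), ("3", 0)]


def fresh_db():
    """Return an in-memory database seeded with the sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany(
        "INSERT INTO M_UserLogins VALUES (?, CURRENT_TIMESTAMP, ?, '')", SEED
    )
    con.commit()
    return con


def row_count(con):
    return con.execute("SELECT COUNT(*) FROM M_UserLogins").fetchone()[0]


def delete_login_concat(con, current_user_id):
    """The vulnerable pattern from the thread: the value is spliced into the SQL text.

    Returns the number of rows left afterwards.
    """
    sql = "DELETE FROM M_UserLogins WHERE User_ID = '" + current_user_id + "'"
    con.execute(sql)
    con.commit()
    return row_count(con)


def record_login_parameterized(con, current_user_id):
    """The fixed pattern: delete then insert, both with bound parameters.

    The two statements run in one transaction (commit on success, rollback on
    error), which also fixes the original 'two statements in one string' problem.
    Returns the number of rows left afterwards.
    """
    with con:
        con.execute(
            "DELETE FROM M_UserLogins WHERE User_ID = ?", (current_user_id,)
        )
        con.execute(
            "INSERT INTO M_UserLogins VALUES (?, CURRENT_TIMESTAMP, 1, '')",
            (current_user_id,),
        )
    return row_count(con)


def demo():
    """Compare both patterns on a normal id and on the payload from the thread."""
    payload = "x' or 1 = 1--"
    results = {
        "concat, user 1": delete_login_concat(fresh_db(), "1"),        # 2 rows left
        "concat, payload": delete_login_concat(fresh_db(), payload),   # 0 rows left
        "params, user 1": record_login_parameterized(fresh_db(), "1"), # 3 rows left
        "params, payload": record_login_parameterized(fresh_db(), payload),  # 4 rows left
    }
    return results


if __name__ == "__main__":
    for label, remaining in demo().items():
        print(f"{label}: {remaining} rows remain")
```

With the concatenated query the payload deletes every row, because the `--` turns the closing quote into a comment and `or 1 = 1` matches everything. With the bound parameter the same text is compared as a plain string value, matches nothing, and is then stored verbatim as a new (harmless) User_ID, which is exactly the behaviour the parameter approach above gives the VB.NET code.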