views: 50
answers: 2
I am trying to insert HTML pages into MySQL with my ASP.NET project but I am getting an error;

 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'de Osman patlaması', '', '<div style=\"text-align: center\">\r\n<img src=\"/i' at line 1

How can I fix that problem? My server-side code is;

    using System.Configuration;
    using System.Data;
    using MySql.Data.MySqlClient;

    MySqlConnection myCon = new MySqlConnection();
    myCon.ConnectionString = ConfigurationManager.ConnectionStrings["MySQLConnectionString"].ConnectionString;
    MySqlCommand cmd = new MySqlCommand();
    cmd.CommandType = CommandType.Text;

    // The post's fields are spliced straight into the SQL text. Any value that
    // contains a single quote (here the title) ends the string literal early,
    // which gives the syntax error above and lets the value rewrite the
    // statement (SQL injection).
    string query = @"INSERT INTO `test`.`posts` (`id`, `author`, `title`, `description`, `content`, `ispublished`, `iscommentsenabled`, `pubDate`, `lastModified`, `raters`, `rating`, `slug`, `tags`, `categories`) VALUES (NULL, '{0}', '{1}', '{2}', '{3}', '{4}', '{5}', '{6}', '{7}', '{8}', '{9}', '{10}', '{11}', '{12}')";
    query = String.Format(query, p.author, p.title, p.description, p.content, p.ispublished, p.iscommentsenabled, p.pubDate, p.lastModified, p.raters, p.rating, p.slug, p.tags, p.categories);

    cmd.CommandText = query;
    cmd.Connection = myCon;
    cmd.Connection.Open();
    cmd.ExecuteNonQuery();
    cmd.Connection.Close();

Thanks for your help.

    using System;
    using System.Configuration;
    using System.Data;
    using MySql.Data.MySqlClient;

    MySqlConnection myCon = new MySqlConnection();
    myCon.ConnectionString = ConfigurationManager.ConnectionStrings["MySQLConnectionString"].ConnectionString;
    // Every value is bound as a named parameter, so the driver quotes and escapes
    // it and the SQL text itself never changes. (Older Connector/NET releases use
    // ? instead of @ as the parameter prefix: ?id, ?author, ...)
    MySqlCommand cmd = new MySqlCommand(@"INSERT INTO posts (id, author, title, description, content, ispublished, iscommentsenabled, pubDate,
        lastModified, raters, rating, slug, tags, categories)
        VALUES (@id, @author, @title, @description, @content, @ispublished, @iscommentsenabled, @pubDate, @lastModified, @raters, @rating, @slug, @tags,
        @categories)", myCon);
    cmd.CommandType = CommandType.Text;

    // id is generated by the database; bind an explicit SQL NULL, not a C# null.
    cmd.Parameters.AddWithValue("@id", DBNull.Value);
    cmd.Parameters.AddWithValue("@author", p.author);
    cmd.Parameters.AddWithValue("@title", p.title);
    cmd.Parameters.AddWithValue("@description", p.description);
    cmd.Parameters.AddWithValue("@content", p.content);
    cmd.Parameters.AddWithValue("@ispublished", p.ispublished);
    cmd.Parameters.AddWithValue("@iscommentsenabled", p.iscommentsenabled);
    cmd.Parameters.AddWithValue("@pubDate", p.pubDate);
    cmd.Parameters.AddWithValue("@lastModified", p.lastModified);
    cmd.Parameters.AddWithValue("@raters", p.raters);
    cmd.Parameters.AddWithValue("@rating", p.rating);
    cmd.Parameters.AddWithValue("@slug", p.slug);
    cmd.Parameters.AddWithValue("@tags", p.tags);
    cmd.Parameters.AddWithValue("@categories", p.categories);
    myCon.Open();
    cmd.Prepare();
    cmd.ExecuteNonQuery();
    myCon.Close();
+1  A: 

One of your strings has a ' character in it, closing the string early and creating a syntax error.
(This is a SQL Injection vulnerability)

To fix this, you need to use parameters; consult the documentation for your MySQL classes for examples.

SLaks
I know it is because of the ' character but I am asking how I can fix it?
Xenon
You need to use parameters. Consult your documentation.
SLaks
+2  A: 

Use MySqlCommand.Parameters.Add to add your parameters. This auto escapes and validates your parameters.

David
I'm getting errors. I added my code to the post; can you tell me where my fault is? Sorry, I have only used MSSQL and don't know anything about ASP.NET MySQL connections.
Xenon
Solved my problem. There was one extra ')' and I removed it. Then I changed my '@' to '?' and it's solved. Thanks everyone.
Xenon
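Putting both answers together, here is an added example (not code from the question or from either answer) of the parameterized insert with Connector/NET. It assumes a `Post` class shaped like the question's `p`, that `posts.id` is AUTO_INCREMENT (so it is left out of the column list instead of being passed as NULL), and a placeholder connection string; the column types are assumptions as well. The constructed sample post has a single quote in its title, the input that broke the `String.Format` version: bound as a parameter it is stored literally, because the driver sends it as data rather than as part of the statement text.

```csharp
using System;
using MySql.Data.MySqlClient;

// Hypothetical post record shaped like the question's `p`; the field names and
// types are assumptions, since the page never shows the Post class.
public class Post
{
    public string author, title, description, content, slug, tags, categories;
    public bool ispublished, iscommentsenabled;
    public DateTime pubDate, lastModified;
    public int raters;
    public double rating;
}

public static class PostRepository
{
    // Constant SQL text: post values are never concatenated into it, so a quote
    // in any field is stored as data instead of terminating a string literal.
    // Assumes posts.id is AUTO_INCREMENT and therefore omitted here.
    private const string InsertSql =
        "INSERT INTO posts (author, title, description, content, ispublished, " +
        "iscommentsenabled, pubDate, lastModified, raters, rating, slug, tags, categories) " +
        "VALUES (@author, @title, @description, @content, @ispublished, " +
        "@iscommentsenabled, @pubDate, @lastModified, @raters, @rating, @slug, @tags, @categories)";

    // Inserts one post and returns the id MySQL assigned to it.
    public static long Insert(string connectionString, Post p)
    {
        using (var con = new MySqlConnection(connectionString))
        using (var cmd = new MySqlCommand(InsertSql, con))
        {
            // AddWithValue infers the MySQL type from the .NET value; strings that
            // may be null are mapped to SQL NULL explicitly via DBNull.Value.
            cmd.Parameters.AddWithValue("@author", p.author);
            cmd.Parameters.AddWithValue("@title", p.title);
            cmd.Parameters.AddWithValue("@description", p.description);
            cmd.Parameters.AddWithValue("@content", p.content);      // raw HTML, stored verbatim
            cmd.Parameters.AddWithValue("@ispublished", p.ispublished);
            cmd.Parameters.AddWithValue("@iscommentsenabled", p.iscommentsenabled);
            cmd.Parameters.AddWithValue("@pubDate", p.pubDate);
            cmd.Parameters.AddWithValue("@lastModified", p.lastModified);
            cmd.Parameters.AddWithValue("@raters", p.raters);
            cmd.Parameters.AddWithValue("@rating", p.rating);
            cmd.Parameters.AddWithValue("@slug", p.slug);
            cmd.Parameters.AddWithValue("@tags", (object)p.tags ?? DBNull.Value);
            cmd.Parameters.AddWithValue("@categories", (object)p.categories ?? DBNull.Value);

            con.Open();
            cmd.ExecuteNonQuery();
            return cmd.LastInsertedId;
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: the title contains a single quote, the kind of input
        // that produced the syntax error in the question.
        var post = new Post
        {
            author = "xenon",
            title = "It's a test post",
            description = "A post whose title contains a single quote",
            content = "<div style=\"text-align: center\"><img src=\"/images/test.png\" /></div>",
            ispublished = true,
            iscommentsenabled = true,
            pubDate = DateTime.UtcNow,
            lastModified = DateTime.UtcNow,
            raters = 0,
            rating = 0.0,
            slug = "its-a-test-post",
            tags = "test",
            categories = null
        };

        // Placeholder; the question reads this from
        // ConfigurationManager.ConnectionStrings["MySQLConnectionString"].
        string connectionString = "server=localhost;database=test;uid=<user>;pwd=<password>";
        long id = PostRepository.Insert(connectionString, post);
        Console.WriteLine("Inserted post id " + id);
    }
}
```

Two details worth knowing: older Connector/NET releases use `?` rather than `@` as the parameter prefix (`?author`, `?title`, ...), which is why the asker's final change worked on their version, and `AddWithValue` lets the driver pick the MySQL type from the .NET value, so if a column type matters (for example a `DECIMAL` rating) use `cmd.Parameters.Add(name, MySqlDbType)` and set `.Value` to pin it.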