System.Data.SqlClient.SqlException : 'Incorrect syntax near 'FORM'.'

Elyess Chafroud 1 Reputation point

I have a problem with this code:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Data.SqlClient;
using System.Drawing;
using System.IO;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;

// NOTE(review): braces and several statements appear to have been lost when this
// listing was pasted; read it as an outline of Form1 rather than compilable code.
namespace ilyess.Database
// Login form: checks the two text boxes against the Users table of a LocalDB file.
public partial class Form1 : Form
// Full path of the process's current directory; the database file is looked up here,
// so the file that gets attached depends on where the program is started from.
static string path = Path.GetFullPath(Environment.CurrentDirectory);
static string databaseName = "myDB.mdf";
// LocalDB connection string that attaches path\databaseName and uses integrated
// security, so no credentials are stored in the string itself.
string ConnectionString = @"Data Source=(localdb)\MSSQLLocalDB; AttachDbfilename=" + path + @"\" + databaseName + "; Integrated Security=True;";
public Form1()

    private void Form1_Load(object sender, EventArgs e)


    // Pointer enters pictureBox2: its background is set to red.
    private void pictureBox2_MouseEnter(object sender, EventArgs e)
        pictureBox2.BackColor = Color.Red;

    // Pointer leaves pictureBox2: its background is set to DeepSkyBlue.
    private void pictureBox2_MouseLeave(object sender, EventArgs e)
        pictureBox2.BackColor = Color.DeepSkyBlue;

    private void pictureBox2_Click(object sender, EventArgs e)

    // Login button: queries Users for a row matching the entered username and password.
    private void button1_Click(object sender, EventArgs e)
        // Two defects on the next line:
        //  1. "FORM" is a typo for FROM; this is what raises
        //     SqlException "Incorrect syntax near 'FORM'".
        //  2. textBox1.Text and textBox2.Text are concatenated into the SQL text, so whatever
        //     the user types becomes part of the statement (SQL injection). Bind both values
        //     as SqlParameter objects on a SqlCommand instead.
        // NOTE(review): the password is matched inside the WHERE clause, which presumably means
        // Users.password holds clear text - confirm; a salted hash verified in code is expected.
        string query = "SELECT * FORM Users where username='" + textBox1.Text + "' and password='" + textBox2.Text + "'";
        using (SqlConnection con = new SqlConnection(ConnectionString))
            SqlDataAdapter adapter = new SqlDataAdapter(query, con);
            DataTable dataTable = new DataTable();
            // No adapter.Fill(dataTable) call is visible in this listing; without one the
            // table stays empty and this test can never succeed.
            // Exactly one returned row is treated as a successful login.
            if (dataTable.Rows.Count == 1)
                dashboard mainfrom = new dashboard();


                // NOTE(review): presumably the else branch (failed login); the `else` itself is
                // not visible here. The message does not reveal which of the two fields was wrong.
                MessageBox.Show("Please check Username And Password. Then Try Again! " , "Error");





2 answers

  1. Naomi 7,361 Reputation points

    The error message is clear

    string query = "SELECT * FORM Users where username='" + textBox1.Text + "' and password='" + textBox2.Text + "'";

    should be written as

    string query ="SELECT * FROM dbo.Users where username = @Tablet and password = @Lee ;"

    I.e., the word 'FROM' is misspelled as 'FORM'.

    I need to re-read how to use parameters with a SqlDataAdapter object, but you should NEVER embed user-supplied values in the SQL string as you did. It is very bad code and opens the code to SQL injection attacks.

    Here is how you would use parameters with SQLAdapter object:

  2. Erland Sommarskog 102.3K Reputation points

    As Dan says, there is a typo.

    But there are more problems in the code.

    string query = "SELECT * FORM Users where username='" + textBox1.Text + "' and password='" + textBox2.Text + "'";

    Building strings from user input like this opens the door to SQL injection and leads to many other problems. You need to use parameterised queries:

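    // Parameterised form of the login query: the text-box contents travel as parameter
    // values and are never spliced into the SQL text, so they cannot change the statement.
    SqlCommand cmd = new SqlCommand();
    cmd.Connection = con;
    cmd.CommandText = "SELECT * FROM Users where username= @username  and password= @pwd";
    // NOTE(review): one parameter is VarChar and the other NVarChar, both length 40;
    // each should match the type and length of its Users column - confirm against the table.
    cmd.Parameters.Add("@username", SqlDbType.VarChar, 40).Value = textBox1.Text;
    cmd.Parameters.Add("@pwd", SqlDbType.NVarChar, 40).Value = textBox2.Text;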

    And then pass the cmd object to the DataAdapter.

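    And then there is the issue with passing a password like this: comparing the typed password directly against the password column only works if that column holds passwords in plain text. Store a salted password hash instead and verify it in code.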
