I get the Syntax Error in UPDATE statement whenever I try to update information in my Access database. I have tried moving things around and adding commas or taking away commas. I am stuck, any suggestions as to what I could do? The error is attached to the second cmd.ExecuteNonQuery(); at the bottom.
if (txtdateId.Text != "")
{
if (txtdateId.IsEnabled == true)
{
cmd.CommandText =
"insert into tbEmp(DateofService, AssociateName, DeviceType, DeviceModel, Serial, Issue, Part1, Part2, Part3, RepairedBy, Campus) Values('" +
txtdateId.Text + "','" + txtEmpName.Text + "','" + txtContact.Text + "','" + txttype.Text +
"','" + txtserial.Text + "','" + txtAddress.Text + "','" + txtpart1.Text + "','" + txtpart2.Text +
"','" + txtpart3.Text + "','" + txtrepaired.Text + "','" + txtcampus.Text + "')";
cmd.ExecuteNonQuery();
BindGrid();
MessageBox.Show("Device Added Successfully");
ClearAll();
}
else
{
cmd.CommandText = "update tbEmp set DateofService = ,'" + txtdateId.Text + ",AssociateName = '" + txtEmpName.Text + ",DeviceType = '" + txtContact.Text + ",DeviceModel = '" + txttype.Text + ",Serial = '" + txtserial.Text + ",Issue = '" + txtAddress.Text + ",Part1 = '" + txtpart1.Text + ",Part2 = '" + txtpart2.Text + ",Part3 = '" + txtpart3.Text + ",RepairedBy = '" + txtrepaired.Text + "where Campus = '" + txtcampus.Text;
cmd.ExecuteNonQuery();
BindGrid();
MessageBox.Show("Device updated");
ClearAll();
}
}
You missed several ' in you statement also you have one extra ' after DateofService. Your statement should be like this:
cmd.CommandText = "update tbEmp set DateofService = '" + txtdateId.Text + "',AssociateName = '" + txtEmpName.Text + "' , ...
Also I strongly recommend you to use parameterized queries to avoid SQL Injection like this:
In SQL:
cmd.CommandText = "update tbEmp set DateofService = #txtdateId ,...";
cmd.Parameters.AddWithValue("txtdateId",txtdateId.Text);
And for Access and OleDB:
cmd.CommandText = "update tbEmp set DateofService = ? , ....";
cmd.Parameters.AddWithValue("DateofService ",txtdateId.Text);
Although specify the type directly and use the Value property is more better than AddWithValue. Check this: Can we stop using AddWithValue() already?
This is solution of your problem, but I'll prefer you do some add validation for SQL injection. First take the textbox value validate it then pass it query.
cmd.CommandText = "update tbEmp set DateofService = '" + txtdateId.Text + "' ,AssociateName = '" + txtEmpName.Text + "' ,DeviceType = '" + txtContact.Text + "',DeviceModel = '" + txttype.Text + "',Serial = '" + txtserial.Text + "',Issue = '" + txtAddress.Text + "',Part1 = '" + txtpart1.Text + "',Part2 = '" + txtpart2.Text + "' ,Part3 = '" + txtpart3.Text + "' ,RepairedBy = '" + txtrepaired.Text + "' where Campus = '" + txtcampus.Text + "'";
Related
Hi first here is my code:
OleDbConnection conexao = new OleDbConnection();
try
{
OleDbCommand comando = new OleDbCommand();
comando.Connection = conexao;
string query2 = "update Utilizador set Nome='" + nomeTextBox.Text + "' , DiaNascimento='" + diaNascimentoComboBox.Text + "' ,MesNascimento='" + mesNascimentoComboBox.Text + "' ,AnoNascimento='" + anoNascimentoComboBox.Text + "' , Altura='" + alturaTextBox.Text + "' , Sexo='" + sexoComboBox.Text + "' , Peso='" + pesoTextBox.Text + "' , CodGenetica='" + codGeneticaTextBox1.Text + "', Login='" + loginTextBox.Text + "' , Password='" + passwordTextBox.Text + "' where CodUtilizador= " + codutilizaor.Text + "";
string id = codutilizaor.Text;
string command = "update Utilizador set Nome= '" + nomeTextBox.Text + "' , Login= " + loginTextBox.Text + " where CodUtilizador= '" + id + "' ";
conexao.Open();
conexao.Close();
this.Close();
}
catch (Exception ex)
{
MessageBox.Show("Ya" + ex);
}
I want to update all the fields but it doesn´t work, i saw many solutions here and in youtube but none solved my problem, and I tried very hard from myself to do it but it still doesn ´t work , please may you help mesolving this problem?
you missing a quote on query2:
...where CodUtilizador= '" + codutilizaor.Text + "";
you also have to execute the query with ExecuteNonQuery(); :
...
comando.Text=command;
comando.ExecuteNonQuery();
Last but not least consider using parameters, because you are exposed to SQL injection.
e.g:
string command = "update Utilizador set Nome= #None , Login=#Login where CodUtilizador=#ID";
comando.Parameters.AddWithValue("#Nome", nomeTextBox.Text);
comando.Parameters.AddWithValue("#Login", loginTextBox.Text);
comando.Parameters.AddWithValue("#ID", id);
Looks like you forgot to add the query to the command. You also forgot to actually execute it.
OleDbConnection conexao = new OleDbConnection("Add your connection string here");
try
{
string query = "update Utilizador set Nome='" + nomeTextBox.Text + "' , DiaNascimento='" + diaNascimentoComboBox.Text + "' ,MesNascimento='" + mesNascimentoComboBox.Text + "' ,AnoNascimento='" + anoNascimentoComboBox.Text + "' , Altura='" + alturaTextBox.Text + "' , Sexo='" + sexoComboBox.Text + "' , Peso='" + pesoTextBox.Text + "' , CodGenetica='" + codGeneticaTextBox1.Text + "', Login='" + loginTextBox.Text + "' , Password='" + passwordTextBox.Text + "' where CodUtilizador='" + codutilizaor.Text + "'";
conexao.Open();
var commandOne = new OleDbCommand(query, conexao);
commandOne.ExecuteNonQuery()
conexao.Close();
this.Close();
}
catch (Exception ex)
{
MessageBox.Show("Ya" + ex);
}
I am importing csv file from C# windows to access database.
When I import CSV, then occur data type mismatch in criteria expression.
Thanks for answering.
Here is my CSV file:
2,Each Product less 2 dollars,minus,0,2,2014/7/3,2014/7/31,0
Here is my table:
DiscountID(Int),Dis_Description(Text),Dis_Type(Text),Dis_Quantity(Int)
Dis_Value(Int),Start_Date(DateTime),EndTime(DateTime),Dis_Price(Int)
Here is Code:
cmd.CommandText = "UPDATE " + database + " SET [Dis_Description] = '" + dtCSV.Rows[i].ItemArray.GetValue(1).ToString().Trim() + "'," + "[Dis_Type] = '" + dtCSV.Rows[i].ItemArray.GetValue(2).ToString().Trim() + "'," + "[Dis_Quantity] = '" + dtCSV.Rows[i].ItemArray.GetValue(3).ToString().Trim() + "'," + "[Dis_Value] = '" + dtCSV.Rows[i].ItemArray.GetValue(4).ToString().Trim() + "'," + "[Start_Date] = '" + dtCSV.Rows[i].ItemArray.GetValue(5).ToString().Trim() + "'," + "[Expiry_Date] = '" + dtCSV.Rows[i].ItemArray.GetValue(6).ToString().Trim() + "'," + "[Dis_Price] = '" + dtCSV.Rows[i].ItemArray.GetValue(7).ToString().Trim()+ "' WHERE DiscountID = " + dtCSV.Rows[i].ItemArray.GetValue(0).ToString().Trim() + "'";
cmd.ExecuteNonQuery();
UPDATE CODE: It also occur data type mismatch in criteria expression to access.
OleDbCommand cmd = new OleDbCommand("UPDATE Discounts SET [Dis_Description]=?,[Dis_Type]=?,[Dis_Quantity]=?,[Dis_Value]=?,[Start_Date]=?,[Expiry_Date]=?,[Dis_Value]=? WHERE [DiscountID] = ?;
cmd.Parameters.AddWithValue("?", dtCSV.Rows[i].ItemArray.GetValue(1).ToString().Trim());
cmd.Parameters.AddWithValue("?", dtCSV.Rows[i].ItemArray.GetValue(2).ToString().Trim());
cmd.Parameters.AddWithValue("?", dtCSV.Rows[i].ItemArray.GetValue(3).ToString().Trim());
cmd.Parameters.AddWithValue("?", dtCSV.Rows[i].ItemArray.GetValue(4).ToString().Trim());
cmd.Parameters.AddWithValue("?", dtCSV.Rows[i].ItemArray.GetValue(5).ToString().Trim());
cmd.Parameters.AddWithValue("?", dtCSV.Rows[i].ItemArray.GetValue(6).ToString().Trim());
cmd.Parameters.AddWithValue("?", dtCSV.Rows[i].ItemArray.GetValue(7).ToString().Trim());
cmd.Parameters.AddWithValue("?", dtCSV.Rows[i].ItemArray.GetValue(0).ToString().Trim());
cmd.ExecuteNonQuery();
I think this is your problem:
WHERE DiscountID = " + dtCSV.Rows[i].ItemArray.GetValue(0).ToString().Trim() + "'";
It maybe should read:
WHERE DiscountID = '" + dtCSV.Rows[i].ItemArray.GetValue(0).ToString().Trim() + "'";
Looks like a single quote got left out.
Also, why all the joins between field names? i.e.
+ "'," + "[Dis_Quantity] = '" +
can be
+ "', [Dis_Quantity] = '" +
etc...
Hie.
So what I'm trying to do is insert a null value in an integer column in MySQL using a C# application.
I'm aware the query to generally do such a thing would be;
INSERT INTO Database.Table (IntColumn) VALUES (NULL);
UPDATE Database.Table set IntColumn = (NULL) where id = '1';
It works great in workbench. Thing is, I'm not even sure if this is possible but I need to do this in C# while still allowing the textbox the flexibility to enter integers into the MySQL database. In this case 'home.text' which is linked up to 'home' column in MySQL which is an integer field.
This is how I made my code.
using MySql.Data.MySqlClient;
using MySql.Data;
namespace Masca.Content
{
/// <summary>
/// Interaction logic for Login.xaml
/// </summary>
public partial class Login : UserControl
{
//Function to check if column value is null before fetching string
public static string GetString(MySqlDataReader reader, string colName)
{
if (reader[colName] == DBNull.Value)
return string.Empty;
else
return (string)reader[colName];
}
//Function to check if column value is null before fetching int as string
public static string GetColumnValueAsString(MySqlDataReader reader, string colName)
{
if (reader[colName] == DBNull.Value)
return string.Empty;
else
return reader[colName].ToString();
}
public Login()
{
InitializeComponent();
}
public void save_Click(object sender, RoutedEventArgs e)
{
//Authentication parameters
string sqlcon = "datasource = localhost; port = 3306; username = root; password = root";
//Query to excecute
string queryadd = "insert into users.employees (member, username, password, question, answer, first, second, third, surname, dob, gender, doc, dept, cell, home, work, email, pemail, street, surbub, city, region, position, access, privilages, bank, account) values ('" + this.member.Text + "','" + this.username.Text + "','" + this.password.Text + "', '" + this.question.Text + "','" + this.answer.Text + "', '" + this.first.Text + "','" + this.second.Text + "','" + this.third.Text + "','" + this.surname.Text + "', '" + this.dob.Text + "','" + this.gender.Text + "', '" + this.doc.Text + "', '" + this.dept.Text + "', '" + this.cell.Text + "','" + this.home.Text + "', '" + this.work.Text + "', '" + this.email.Text + "', '" + this.pemail.Text + "', '" + this.street.Text + "', '" + this.surbub.Text + "', '" + this.city.Text + "', '" + this.region.Text + "', '" + this.position.Text + "', '" + this.access.Text + "', '" + this.privilages.Text + "', '" + this.bank.Text + "', '" + this.account.Text + "') ; insert into logon.login (username, password) values ('" +this.username.Text+ "', '" +this.password.Text+ "'); select * from users.employees where member = '" + this.member.Text + "' ;";
MySqlConnection con = new MySqlConnection(sqlcon);
MySqlDataReader rdr;
MySqlCommand cmd = new MySqlCommand(queryadd, con);
// Excecution
try
{
con.Open();
rdr = cmd.ExecuteReader();
MessageBox.Show("Saved");
while (rdr.Read())
{
//Declarations using function
string stag = GetColumnValueAsString(rdr, "tag");
string snumber = GetColumnValueAsString(rdr, "tag");
string smember = GetColumnValueAsString(rdr, "member");
string susername = GetString(rdr, "username");
string spassword = GetString(rdr, "password");
string ssecurity = GetString(rdr, "question");
string sanswer = GetString(rdr, "answer");
string sfirst = GetString(rdr, "first");
string ssecond = GetString(rdr, "second");
string sthird = GetString(rdr, "third");
string sfourth = GetString(rdr, "surname");
string sdob = rdr.GetString("dob");
string sgender = rdr.GetString("gender");
string sdoc = rdr.GetString("doc");
string sdept = rdr.GetString("dept");
string scell = GetColumnValueAsString(rdr, "cell");
string shome = GetColumnValueAsString(rdr, "home");
string swork = GetColumnValueAsString(rdr, "work");
string semail = GetString(rdr, "email");
string spemail = GetString(rdr, "pemail");
string sstreet = GetString(rdr, "street");
string ssurbub = GetString(rdr, "surbub");
string scity = GetString(rdr, "city");
string sregion = GetString(rdr, "region");
string sposition = GetString(rdr, "position");
string saccess = GetString(rdr, "access");
string sprivilages = GetString(rdr, "privilages");
string sbank = GetString(rdr, "bank");
string saccount = GetString(rdr, "account");
//Binding strings to textboxes
tag.Text = stag;
number.Text = stag;
member.Text = smember;
username.Text = susername;
password.Text = spassword;
question.Text = ssecurity;
answer.Text = sanswer;
first.Text = sfirst;
second.Text = ssecond;
third.Text = sthird;
surname.Text = sfourth;
dob.Text = sdob;
gender.Text = sgender;
doc.Text = sdoc;
dept.Text = sdept;
cell.Text = scell;
home.Text = shome;
work.Text = swork;
email.Text = semail;
pemail.Text = spemail;
street.Text = sstreet;
surbub.Text = ssurbub;
city.Text = scity;
region.Text = sregion;
position.Text = sposition;
access.Text = saccess;
privilages.Text = sprivilages;
bank.Text = sbank;
account.Text = saccount;
}
}
catch (Exception ex)
{
MessageBox.Show(ex.Message);
}
}
This is the code behind a form that contains employee details. home.text is supposed to hold the home land line number. Assuming the employee doesn't have a land line at home, they would leave the field blank.
Everytime I do that however, I get an exception thrown saying "Incorrect integer value". To leave it blank in the database, I would have to type (NULL) where '"this.home.text'" currently is in the query. If i do that though, I wont be able to insert information into the database using home.text when need be.
Anyother way to do this?
Insert Usual preamble about your SQL being open to injection attacks (see this question for more information on parameterized SQL).
The problem is, you're inserting strings in to all the columns, irrespective of the underlying database type.
this:
'" + this.home.text + "'
If blank, will produce '', which cannot be converted to an integer. You might want to try something like:
int? homeNumber = null; // Note the int? is syntactic sugar for Nullable<int>
if(!string.IsNullOrEmpty(home.text))
homeNumber = Convert.ToInt32(home.Text);
And insert thusly:
," + homeNumber + ",.... etc.
You could try something along the lines of
if (!int.TryParse(shome, out home.Text))
home.Text = null;
I think instead you should just check for empty or null strings,
string queryadd = "insert into users.employees (member, username, password, question, answer, first, second, third, surname, dob, gender, doc, dept, cell, home, work, email, pemail, street, surbub, city, region, position, access, privilages, bank, account) values ('"
+ this.member.Text + "','" + this.username.Text + "','" + this.password.Text + "', '" + this.question.Text + "','" + this.answer.Text + "', '" + this.first.Text + "','" + this.second.Text + "','" + this.third.Text
+ "','" + this.surname.Text + "', '" + this.dob.Text + "','" + this.gender.Text + "', '" + this.doc.Text + "', '" + this.dept.Text + "', '" + this.cell.Text + "','"
+ string.IsNullOrWhiteSpace(this.home.Text) ? null : this.home.Text + "', '"
+ this.work.Text + "', '" + this.email.Text + "', '" + this.pemail.Text + "', '" + this.street.Text + "', '" + this.surbub.Text + "', '" + this.city.Text + "', '" + this.region.Text + "', '" + this.position.Text + "', '"
+ this.access.Text + "', '" + this.privilages.Text + "', '" + this.bank.Text + "', '" + this.account.Text
+ "') ; insert into logon.login (username, password) values ('" + this.username.Text + "', '" + this.password.Text + "'); "
+ " select * from users.employees where member = '" + this.member.Text + "' ;";
look at string.IsNullOrWhiteSpace(this.home.Text) ? null : this.home.Text
I don't think so the SQL that you have formed is right and will work like this, i.e. two SQL separated by ; and also has SELECT SQL merged with INSERT
What's wrong with this SQL UPDATE statement?
try
{
int ageValue = Int32.Parse(age.Text);
string updateQuery = "Update \nMyTable \nSet \nFName = '" + fname.Text.ToString() + "',\nLName = '" + lname.Text.ToString() + "',\nAge = " + ageValue + ",\nCome = '" + from.Text.ToString() + "',\nTo = '" + to.Text.ToString() + "' Where Age=" + ageValue + ";";
MessageBox.Show(updateQuery);
OleDbConnection con = new OleDbConnection("provider=Microsoft.JET.OLEDB.4.0; Data Source = Database5.mdb");
OleDbCommand com = new OleDbCommand(updateQuery, con);
con.Open();
com.ExecuteNonQuery();
con.Close();
}
catch (FormatException ex)
{
MessageBox.Show(ex.Message);
}
catch (OleDbException ex)
{
MessageBox.Show(ex.Message);
}
I received that error
Syntax error in Update statement
What is wrong in that SQL Update?
Tools:
Microsoft Access 2003
Microsoft Visual Studio 2010 C#
Please help and thanks in advance
Try getting rid of the \n junk.
string updateQuery = "Update MyTable Set FName = '" + fname.Text.ToString() + "',LName = '" + lname.Text.ToString() + "',Age = " + ageValue + ",Come = '" + from.Text.ToString() + "',To = '" + to.Text.ToString() + "' Where Age=" + ageValue;
Output the result of the concatination and try to run it. If that doesn't work, post the result of the concatination here and someone should be able to help. Without knowing the result of the concatination, it's difficult to know what's wrong.
Try changing the query like this (removing \ns and the final ;)
string updateQuery = "Update MyTable Set FName = '" + fname.Text.ToString() +
"', LName = '" + lname.Text.ToString() + "', Age = " + ageValue +
", Come = '" + from.Text.ToString() + "', To = '" + to.Text.ToString() +
"' Where Age=" + ageValue;
I would suggest you put the Sql Profiler on and trace your update query because it is easy to read the concatenated query string
Hello you can try with this code
StringBuilder stringBuilder = new StringBuilder() ;
stringBuilder.Append("Update MyTable Set FName = ") ;
stringBuilder.Append(fname.Text.ToString()) ;
stringBuilder.Append(",\nLName = ") ;
stringBuilder.Append(lname.Text.ToString()) ;
stringBuilder.Append(",\nAge = ") ;
stringBuilder.Append(ageValue) ;
stringBuilder.Append(",\nCome = ") ;
stringBuilder.Append(from.Text.ToString()) ;
stringBuilder.Append(",\nTo = ") ;
stringBuilder.Append(to.Text.ToString()) ;
stringBuilder.Append(" Where Age=") ;
stringBuilder.Append(ageValue) ;
stringBuilder.Append(";") ;
var result = stringBuilder.ToString();
This is how I write my inline SQL in C sharp:
string strSQL = "";
strSQL += " Update MyTable Set ";
strSQL += " FName = '" + fname.Text.ToString() + "' ";
strSQL += " ,LName = '" + lname.Text.ToString() + "' ";
strSQL += " ,Age = '" + ageValue + "' ";
strSQL += " ,Come = '" + from.Text.ToString() + "' ";
strSQL += " ,To = '" + to.Text.ToString() + "' ";
strSQL += " Where Age = '" + ageValue + "' ";
Easy to read and works fine.
You can also add this just below your query before you connent to your database:
Response.Write(strSQL);
return;
this will show you whats being posted to the server and makes it a little easier to find errors.
Note: I'm building a practice project where my trainer has forbid me to parameterize. I am aware of the security risks, but the site will not be deployed. I'm using a select scope_identity method to grab an auto-incremented value from the SubmissionId column of my table Submissions.
I want to insert that value into two other tables; I've got newSubID declared as a var and I use it in the insert statements, but I get the error message
The name "newSubID" is not permitted in this context. Valid expressions are constants, constant expressions, and (in some contexts) variables. Column names are not permitted.
What am I missing here?
Here's my code:
protected void BtnSubmit_Click(object sender, EventArgs e)
{
string connectionString = System.Configuration.ConfigurationManager.ConnectionStrings["MyConnectionString"].ConnectionString;
String subQuery = "INSERT INTO Submission (Coverage, CurrentCoverage, PrimEx, Retention, EffectiveDate, Commission, Premium, Comments) VALUES ('" + TbCoverage.Text + "','" + TbCurrentCoverage.Text + "','" + TbPrimEx.Text + "','" + TbRetention.Text + "','" + TbEffectiveDate.Text + "','" + TbCommission.Text + "','" + TbPremium.Text + "','" + TbComments.Text + "')"
+ "SELECT CAST (SCOPE_IDENTITY() AS int)";
using (SqlConnection sqlConn = new SqlConnection(connectionString))
{
sqlConn.Open();
SqlCommand subCmd = new SqlCommand(subQuery, sqlConn);
using (subCmd)
{
subCmd.ExecuteNonQuery();
var newSubID = (Int32)subCmd.ExecuteScalar();
String custQuery = "INSERT INTO Customer (CustId, CustName, SicNaic, CustAdd, CustCity, CustState, CustZip, SubId) VALUES ('" + TbCustId.Text + "', '" + TbCustName.Text + "', '" + RblSicNaic.SelectedItem + "', '" + TbCustAddress.Text + "', '" + TbCustCity.Text + "', '" + DdlCustState.SelectedItem + "', '" + TbCustZip.Text + "', newSubID)";
String broQuery = "INSERT INTO Broker (BroId, BroName, BroAdd, BroCity, BroState, BroZip, EntityType, SubId) VALUES ('" + TbBroId.Text + "', '" + TbBroName.Text + "', '" + TbBroAddress.Text + "', '" + TbBroCity.Text + "', '" + DdlBroState.SelectedItem + "', '" + TbBroZip.Text + "', '" + DdlEntity.SelectedItem + "', newSubID)";
SqlCommand custCmd = new SqlCommand(custQuery, sqlConn);
SqlCommand broCmd = new SqlCommand(broQuery, sqlConn);
using (custCmd)
using (broCmd)
{
custCmd.ExecuteNonQuery();
broCmd.ExecuteNonQuery();
Response.Redirect("~/View.aspx?ProductId=" + newSubID);
}
This is called up on the next page like so (I have left the errors as they are in the interest of helping whomever may need to see the problem and solutions, which are listed in answers below):
string x = Request.QueryString["SubmissionId"];
string connectionString = System.Configuration.ConfigurationManager.ConnectionStrings["MyConnectionString"].ConnectionString;
string editCustQuery = "SELECT CustName, SicNaic, CustCity, CustAdd, CustState, CustZip FROM Customer WHERE SubId =" + x;
using (SqlConnection editConn = new SqlConnection(connectionString))
{
editConn.Open();
using (SqlCommand CustCommand = new SqlCommand(editCustQuery, editConn))
{
SqlDataReader dr = CustCommand.ExecuteReader();
dr.Read();
LblCustName.Text = dr.GetString(0);
LblSicNaic.Text = dr.GetString(1);
LblCustCity.Text = dr.GetString(2);
LblCustAddress.Text = dr.GetString(3);
LblCustState.Text = dr.GetString(4);
LblCustZip.Text = dr.GetInt32(5).ToString();
}
It's because you're not concatenating the newSubID into the custQuery / btoQuery SQL statements, but instead your using the literal text "newSubID" in the statement which is invalid here as it will assume "newSubID" is a column name.
i.e.
String custQuery = "INSERT INTO Customer (CustId, CustName, SicNaic, CustAdd, CustCity,
CustState, CustZip, SubId)
VALUES ('" + TbCustId.Text + "', '" + TbCustName.Text + "', '" + RblSicNaic.SelectedItem +
"', '" + TbCustAddress.Text + "', '" + TbCustCity.Text + "', '" +
DdlCustState.SelectedItem + "', '" + TbCustZip.Text + "'," +
newSubID.toString() + ")";
Of course, I'm only giving an answer that uses dynamic SQL like this because of your disclaimer and is not what I'd do in real life!
Answer of AdaTheDev is correct.
I think you have another issue. If you do ExecuteNonQuery and then ExecuteScalar with the same command, you'll insert twice. Use an out-parameter for your scope_id and call only exenonquery or call just exescalar.
//subCmd.ExecuteNonQuery();
var newSubID = (Int32)subCmd.ExecuteScalar();