MySql query statement syntax error

I am getting a syntax error for the code below.

I am trying to create a user in the mysql database and add their information to a datagrid control all in one button click using two statements; one to create the actual user, and one to add the user and their additional information to a table on the database and then refresh the datasource which will display the new user's information in the datagrid control.

If anyone knows where i went wrong please feel free to critique my code and let me know; or simply offer more efficient alternatives to what im hoping to achieve.

For those of you that must know, i am running the latest 开发者_高级运维version of MySql server, MySql Workbench, and Visual Basic 2010 Express on a windows 7 based laptop. I'm writing this program in VB.net.

Thanks!

Private Sub Button8_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button8.Click
    Dim sqluser As MySqlCommand = New MySqlCommand(
        "CREATE USER " & txtuser.Text & "@" & frmLogin.txtserver.Text & " IDENTIFIED BY '" & txtpass.Text & "';", con)
    Dim sqlinfo As MySqlCommand = New MySqlCommand(
        "INSERT INTO employee(Name ,Title) VALUES('" & txtname.Text & "','" & txttitle.Text & "';", con)
    Try
        con.Close()
        con.Open()

        sqluser.ExecuteNonQuery()
        MessageBox.Show("User Account successfully created!!")

        sqlinfo.ExecuteNonQuery()

        ' retrieving the administration table.
        DataAdapter1.SelectCommand = sqladmin
        DataAdapter1.Fill(ds, "stratos")
        DataGrid1.DataSource = ds
        DataGrid1.DataMember = "stratos"

        con.Close()
        MessageBox.Show("User Information successfully created!!")


    Catch myerror As MySqlException
        MessageBox.Show("Error Setting Up Account: " & myerror.Message)
    End Try

End Sub

You are missing a ')' at the end of your insert statement.

Dim sqlinfo As MySqlCommand = New MySqlCommand("INSERT INTO employee(Name ,Title ) VALUES('" & txtname.Text & "','" & txttitle.Text & "');"

I would also like to point out that this code will fail if the text has an apostrophe in it, and that it is wide open to SQL Injection. Please read up.

I think you may also need apostrophes around the username and host.

CREATE USER '" & txtuser.Text & "'@'" & frmLogin.txtserver.Text & "' IDENTIFIED BY '" & txtpass.Text & "';"

As for SQL Injection, I would recommend you consider reworking your code to use prepared statements like this. Replace those first two lines with this instead. Basically, you put in little placeholders in your query, and let the database driver handle all of the complex escaping and quoting of things for you. I'm not 100% sure this will work, but I think it's close.

Dim sqluser As MySqlCommand = New MySqlCommand("CREATE USER ?user@?host IDENTIFIED BY ?pass;", con)
sqluser.Parameters.Add("?user", txtuser.Text)
sqluser.Parameters.Add("?host", frmLogin.txtserver.Text)
sqluser.Parameters.Add("?pass", txtpass.Text)
sqluser.Prepare()

Dim sqlinfo As MySqlCommand = New MySqlCommand("INSERT INTO employee(Name ,Title) VALUES( ?user, ?title );", con)
sqlinfo.Parameters.Add("?user", txtuser.Text)
sqlinfo.Parameters.Add("?title", txttitle.Text)
sqlinfo.Prepare()

It has been ages since I did any VB, so this is mostly based on this page. Try to look here if this doesn't quite work. Documentation on Prepare