this always showing parameter is not valid..... why?


Problem description

Private Sub DgvList_CellContentClick(sender As Object, e As DataGridViewCellEventArgs) Handles DgvList.CellContentClick

    Cmd.Connection = Con

    'Dim BWriter As New IO.BinaryWriter(New IO.MemoryStream)
    Dim Img As String
    Img = DgvList.Rows(DgvList.CurrentRow.Index).Cells("DgvPID").Value.ToString
    Cmd.CommandText = "SELECT Photo FROM Hospital WHERE ID  = '" & Img & "'"

    Dim Strm As New MemoryStream
    Dim imge As Byte() = DirectCast(Cmd.ExecuteScalar, Byte())
    Strm.Write(imge, 0, imge.Length)
    Dim BM As New Bitmap(Strm)
    PicPhoto.Image = BM

End Sub

Recommended answer

This is what happens when you add strings together... Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

And then see here: Why do I get a "Parameter is not valid." exception when I read an image from my database? - the code is C#, but it's pretty obvious.
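
An added example, not part of the original answer or the linked article: the lookup from the question written with a parameterized query and defensive image decoding. It assumes the SQL Server provider (System.Data.SqlClient), an already open connection, and a VARCHAR(50) ID column; LoadPhoto is a hypothetical helper name.

```vbnet
Imports System.Data
Imports System.Data.SqlClient
Imports System.Drawing
Imports System.IO

Module PhotoLoader

    ' Hypothetical helper. Returns the photo for one row, or Nothing when the
    ' row, the column value, or a decodable image is missing.
    ' Assumptions: SQL Server provider, open connection, ID is VARCHAR(50).
    Public Function LoadPhoto(con As SqlConnection, patientId As String) As Image
        Using cmd As New SqlCommand("SELECT Photo FROM Hospital WHERE ID = @id", con)
            ' The grid value is sent as data; it never becomes part of the SQL text.
            cmd.Parameters.Add("@id", SqlDbType.VarChar, 50).Value = patientId

            Dim result As Object = cmd.ExecuteScalar()
            ' ExecuteScalar gives Nothing for "no row" and DBNull for a NULL column.
            If result Is Nothing OrElse result Is DBNull.Value Then Return Nothing

            Dim bytes As Byte() = TryCast(result, Byte())
            If bytes Is Nothing OrElse bytes.Length = 0 Then Return Nothing

            Try
                ' Building the stream from the array leaves it positioned at byte 0.
                Using ms As New MemoryStream(bytes)
                    Using decoded As Image = Image.FromStream(ms)
                        ' Copy the image so it does not depend on the disposed stream.
                        Return New Bitmap(decoded)
                    End Using
                End Using
            Catch ex As ArgumentException
                ' "Parameter is not valid.": the stored bytes are not an image format
                ' GDI+ can decode, so the data written to the column needs checking.
                Return Nothing
            End Try
        End Using
    End Function

End Module

' In the click handler from the question:
'   Dim id As String = DgvList.Rows(DgvList.CurrentRow.Index).Cells("DgvPID").Value.ToString
'   PicPhoto.Image = PhotoLoader.LoadPhoto(Con, id)
```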

