我如何... asp不允许从数据类型varchar到varbinary(max)的隐式转换。使用CONVERT函数运行此查询 [英] How do I...asp Implicit conversion from data type varchar to varbinary(max) is not allowed. Use the CONVERT function to run this query
本文介绍了我如何... asp不允许从数据类型varchar到varbinary(max)的隐式转换。使用CONVERT函数运行此查询的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我有问题asp不允许从数据类型varchar到varbinary(max)的隐式转换。使用CONVERT函数运行此查询
请帮助我。
这个代码用于从文件上传到DB的插入文件。
protected void btnUpload_Click( object sender,EventArgs e)
{
Class1 cl = new Class1();
string filename = Path.GetFileName(fileUpload1.PostedFile.FileName);
Stream str = fileUpload1.PostedFile.InputStream;
BinaryReader br = new BinaryReader(str);
字节 [] size = br.ReadBytes(( int )str.Length);
string Type = 应用/字;
string insert = cl.InsertUpload(filename,Type,size);}
此类代码(class1)
public string InsertUpload( string FileName, string FileType, byte [] FileData)
{
string insert = 0;
{
string myconstring = ConfigurationManager.AppSettings [ Reg2中];
SqlConnection record = new SqlConnection();
record.ConnectionString = myconstring;
record.Open();
尝试
{
SqlCommand comserv = new SqlCommand( 插入FileInformation(FileName,FileType,FileData)值(' + FileName + \',' + FileType + \',' + FileData + \'),记录);
comserv.ExecuteNonQuery();
insert = 5;
}
catch (SqlException ex)
{
}
record.Close( );
return insert;
}
解决方案
不要这样做!
不要将字符串连接到构建一个SQL命令。它让您对意外或故意的SQL注入攻击持开放态度,这可能会破坏您的整个数据库。请改用参数化查询。
令人惊讶的是,这也将解决您的问题...
当您将一个字节数组连接成一个string:
byte [] data = ...
string s = 字节数据: + data;
它调用数组上的隐式ToString - 它返回变量的类型而不是内容作为某些描述的字符串。
所以使用参数化查询(在任何时候)都会直接传递内容:
SqlCommand comserv = new SqlCommand( 插入FileInformation(FileName,FileType,FileData)值(@FN,@FT ,@ FDD,记录);
comserv.Parameters.AddWithValue( @ FN,FileName);
comserv.Parameters.AddWithValue( @ FT,FileType);
comserv.Parameters.AddWithValue( @ FD,FileData);
comserv.ExecuteNonQuery();
您的代码容易受到 SQL注入 [ ^ ]。
从不使用字符串用于构建SQL查询的串联。 始终使用参数化查询。
在代码中修复此严重安全漏洞的副作用将是还解决您的问题:
public string InsertUpload( string FileName, string FileType, byte [] FileData)
{
const string 查询= @ 插入FileInformation(FileName,FileType,FileData)值(@ FileName,@ FileType,@ FileData)< /跨度>;
string myconstring = ConfigurationManager.AppSettings [ REG2\" ];
使用(SqlConnection connection = new SqlConnection(myconstring))
使用(SqlCommand command = new SqlCommand(查询,连接))
{
command.Parameters.AddWithValue( @ FileName,FileName);
command.Parameters.AddWithValue( @ FileType,FileType);
command.Parameters.AddWithValue( @ FileData,FileData);
connection.Open();
command.ExecuteNonQuery();
return 5 ;
}
}
您可能还想查看从<$ c $移动连接字符串c>< appSettings> 配置部分到专用< connectionStrings>部分:
连接字符串和配置文件(ADO.NET) [ ^ ]
I have problem "asp Implicit conversion from data type varchar to varbinary(max) is not allowed. Use the CONVERT function to run this query"
please help me.
this code for insert file from file upload to DB.
protected void btnUpload_Click(object sender, EventArgs e)
{
Class1 cl = new Class1();
string filename = Path.GetFileName(fileUpload1.PostedFile.FileName);
Stream str = fileUpload1.PostedFile.InputStream;
BinaryReader br = new BinaryReader(str);
Byte[] size = br.ReadBytes((int) str.Length);
string Type = "application/word";
string insert = cl.InsertUpload(filename, Type, size);}
This class code (class1)
public string InsertUpload(string FileName, string FileType, byte[] FileData)
{
string insert = "0";
{
string myconstring = ConfigurationManager.AppSettings["Reg2"];
SqlConnection record = new SqlConnection();
record.ConnectionString = myconstring;
record.Open();
try
{
SqlCommand comserv = new SqlCommand(" insert into FileInformation(FileName,FileType,FileData) values('" + FileName + "\', '" + FileType + "\', '" + FileData + "\' )", record);
comserv.ExecuteNonQuery();
insert = "5";
}
catch (SqlException ex)
{
}
record.Close();
return insert;
} 解决方案
Don't do it like that!
Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
Surprisingly, that'll also cure your problem...
When you concatenate an array of bytes into a string:
byte[] data = ... string s = "Byte Data: " + data;
It calls an implicit ToString on the array - which returns the type of the variable rather than the content as a string of some description.
So use parameterised queries (at all times) and it will pass the content directly:
SqlCommand comserv = new SqlCommand(" insert into FileInformation (FileName,FileType,FileData) values(@FN, @FT, @FD)", record); comserv.Parameters.AddWithValue("@FN", FileName); comserv.Parameters.AddWithValue("@FT", FileType); comserv.Parameters.AddWithValue("@FD", FileData); comserv.ExecuteNonQuery();
Your code is vulnerable to SQL Injection[^].
NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.
A side-effect of fixing this serious security vulnerability in your code will be that you will also fix your problem:
public string InsertUpload(string FileName, string FileType, byte[] FileData) { const string query = @"insert into FileInformation (FileName, FileType, FileData) values (@FileName, @FileType, @FileData)"; string myconstring = ConfigurationManager.AppSettings["Reg2"]; using (SqlConnection connection = new SqlConnection(myconstring)) using (SqlCommand command = new SqlCommand(query, connection)) { command.Parameters.AddWithValue("@FileName", FileName); command.Parameters.AddWithValue("@FileType", FileType); command.Parameters.AddWithValue("@FileData", FileData); connection.Open(); command.ExecuteNonQuery(); return "5"; } }
You might also want to look at moving your connection string from the<appSettings>configuration section to the dedicated<connectionStrings>section:
Connection Strings and Configuration Files (ADO.NET)[^]
这篇关于我如何... asp不允许从数据类型varchar到varbinary(max)的隐式转换。使用CONVERT函数运行此查询的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
