将图像保存到数据库并再次检索以显示在图片框中c# [英] Save Image to database and retrieve again to display in picturebox c#
问题描述
美好的一天,
我正在尝试将图像保存到sql数据库并再次检索它以显示在图片框中。我在存储图像时没有收到任何错误,但是当我尝试检索它并将其显示在图片框中时,我得到Paramater无效。例外。请帮我找一下我所缺少的东西。
存储图像的代码:
Good day,
I am trying to save an image to a sql database and the retrieve it again to display in a picture box. I am not receiving any errors when storing the image, but when I try to retrieve it and display it in the picturebox I get "Paramater not valid." exception. Please help me find what I am missing.
My code to store the image:
private void btnSave_Click(object sender, EventArgs e)
{
_gymViewModel.SaveGymDetailsToDatabase(txtGymName.Text, txtOwnerName.Text, txtAddress1.Text,
txtAddress2.Text, txtAddress3.Text, txtPrNo.Text,
txtTel.Text, txtFax.Text, picLogo.Image);
}
ViewModel:
ViewModel:
GymManagementService gymManagementService = new GymManagementService();
public List<GymInformation> Information = new List<GymInformation>();
public void SaveGymDetailsToDatabase(string gymName, string gymOwner, string gymAddress,
string gymTown, string gymZip, string gymPrac,
string gymTel, string gymFax, Image gymLogo)
{
gymManagementService.SaveGymDetailsToDatabase(gymName, gymOwner, gymAddress, gymTown, gymZip, gymPrac, gymTel, gymFax, gymLogo);
}
连接数据库:
Connect to database:
public void SaveGymDetailsToDatabase(string gymName, string gymOwner, string gymAddress, string gymTown,
string gymZip, string gymPrac, string gymTel,
string gymFax, Image gymLogo)
{
using (SqlConnection Conn = new SqlConnection(Connect.sConnStr))
{
try
{
Conn.Open();
Byte[] imgData = null;
using (MemoryStream stream = new MemoryStream())
{
gymLogo.Save(stream, ImageFormat.Jpeg);
imgData = stream.ToArray();
}
string sSql = @"INSERT INTO gym_information(gym_name, gym_owner, gym_address_street, gym_address_town, gym_address_zip,
gym_prac_number, gym_telephone, gym_fax, gym_logo)
VALUES('" + gymName + "', '" + gymOwner + "', '" + gymAddress + "', '" + gymTown + "', '" + gymZip +
"', '" + gymPrac + "', '" + gymTel + "', '" + gymFax + "', '" + imgData + "');";
int iReturn = Connect.getDataCommand(sSql, Conn).ExecuteNonQuery();
}
catch
{
}
finally
{
Conn.Close();
Conn.Dispose();
}
}
}
现在我尝试检索并保存在图片框中。
代码:
Now I try to retrieve and save in picture box.
Code:
private void EditGymInformation_Load(object sender, EventArgs e)
{
_gymViewModel.RetrieveGymDetailsFromDatabase();
if (_gymViewModel.CheckIfGymInformationExists() == true)
{
txtGymName.Text = _gymViewModel.Information[0].GymName.ToString();
txtOwnerName.Text = _gymViewModel.Information[0].GymOwner.ToString();
txtAddress1.Text = _gymViewModel.Information[0].GymAddress.ToString();
txtAddress2.Text = _gymViewModel.Information[0].GymTown.ToString();
txtAddress3.Text = _gymViewModel.Information[0].GymZip.ToString();
txtTel.Text = _gymViewModel.Information[0].Tel.ToString();
txtFax.Text = _gymViewModel.Information[0].Fax.ToString();
txtPrNo.Text = _gymViewModel.Information[0].PrNumber.ToString();
picLogo.Image = Image.FromStream(new System.IO.MemoryStream(_gymViewModel.Information[0].GymLogo));
}
}
ViewModel:
ViewModel:
public void RetrieveGymDetailsFromDatabase()
{
Information = gymManagementService.RetrieveInformationFromDatabase();
}
连接数据库:
Connect to database:
public List<GymInformation> RetrieveInformationFromDatabase()
{
using (SqlConnection Conn = new SqlConnection(Connect.sConnStr))
{
try
{
Conn.Open();
var gym_information = new List<GymInformation>();
string sSql = "SELECT * FROM gym_information";
SqlDataReader reader = Connect.getDataCommand(sSql, Conn).ExecuteReader();
while (reader.Read())
{
var information = new GymInformation()
{
Id = Convert.ToInt32(reader["gym_id"]),
GymName = reader["gym_name"].ToString(),
GymOwner = reader["gym_owner"].ToString(),
GymAddress = reader["gym_address_street"].ToString(),
GymTown = reader["gym_address_town"].ToString(),
GymZip = reader["gym_address_zip"].ToString(),
Tel = reader["gym_telephone"].ToString(),
Fax = reader["gym_fax"].ToString(),
PrNumber = reader["gym_prac_number"].ToString(),
GymLogo = (byte[])reader["gym_logo"]
};
gym_information.Add(information);
}
return gym_information;
}
catch (Exception ex)
{
_errorViewModel.RecordAnError(ex, "Error");
return null;
}
finally
{
Conn.Close();
Conn.Dispose();
}
}
}
我缺少什么?请帮助!
What am I missing? Please help!
推荐答案
您的代码容易受到 SQL注入 [ ^ ]。 从不使用字符串连接来构建SQL查询。 总是使用参数化查询。
使用正确参数化的查询也可以解决您的问题。目前,您的gym_logo
列包含文字字符串System.Byte []
,因为您正在调用字节数组上的ToString()
。
Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.
Using a properly parameterized query will also fix your problem. Currently, yourgym_logo
column contains the literal string"System.Byte[]"
, since you're callingToString()
on the byte array.
public void SaveGymDetailsToDatabase(
string gymName, string gymOwner, string gymAddress, string gymTown,
string gymZip, string gymPrac, string gymTel,
string gymFax, Image gymLogo)
{
const string CommandText = @"INSERT INTO gym_information (gym_name, gym_owner, gym_address_street, gym_address_town, gym_address_zip, gym_prac_number, gym_telephone, gym_fax, gym_logo) "
+ @"VALUES (@gym_name, @gym_owner, @gym_address_street, @gym_address_town, @gym_address_zip, @gym_prac_number, @gym_telephone, @gym_fax, @gym_logo)";
byte[] imageData;
if (gymLogo == null)
{
imageData = null;
}
else
{
using (MemoryStream stream = new MemoryStream())
{
gymLogo.Save(stream, ImageFormat.Jpeg);
imageData = stream.ToArray();
}
}
using (SqlConnection connection = new SqlConnection(Connect.sConnStr))
using (SqlCommand command = new SqlCommand(CommandText, connection))
{
command.Parameters.AddWithValue("@gym_name", gymName);
command.Parameters.AddWithValue("@gym_owner", gymOwner);
command.Parameters.AddWithValue("@gym_address_street", gymAddress);
command.Parameters.AddWithValue("@gym_address_town", gymTown);
command.Parameters.AddWithValue("@gym_address_zip", gymZip);
command.Parameters.AddWithValue("@gym_prac_number", gymPrac);
command.Parameters.AddWithValue("@gym_telephone", gymTel);
command.Parameters.AddWithValue("@gym_fax", gymFax);
command.Parameters.AddWithValue("@gym_logo", imageData);
connection.Open();
command.ExecuteNonQuery();
}
}
你想知道关于SQL注入的一切(但不敢问)特洛伊亨特 [ ^ ]
如何在没有技术术语的情况下解释SQL注入? |信息安全堆栈交换 [ ^ ]
查询参数化备忘单| OWASP [ ^ ]
SQL注入攻击机制Pluralsight [ ^ ]
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]
SQL injection attack mechanics | Pluralsight [^]
这篇关于将图像保存到数据库并再次检索以显示在图片框中c#的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!