Picturebox parameter error


Problem description


Hello, I have created a database which we use to store and retrieve records that include images. I am able to insert text records as well as images into the database.
My problem is, when I am trying to search records to retrieve and display their image into a picturebox, I get a "PARAMETER NOT VALID" error. This is the code I used for the picturebox.

This is the code I used:

' Needs Imports System.IO and Imports System.Drawing
' Rows(incount) is a DataRow, not a Byte(): index the image column of the row
' (column name "pictu" assumed, matching the PersonalPro INSERT quoted in the answer)
Dim bytBLOBData() As Byte = CType(datTable.Rows(incount)("pictu"), Byte())
Dim stmBLOBData As New MemoryStream(bytBLOBData)
Me.PictuPictureBox.Image = Image.FromStream(stmBLOBData) ' I get the error here





Please help me, thanks!

Recommended answer


It's probably not that code - it's likely to be the way you save it into the database in the first place. See here: "Why do I get a 'Parameter is not valid.' exception when I read an image from my database?"


"What is a parameterized query? I don't think I have got an answer. By your comment it means that my image is not actually saving in the database... so what can I do to save it into the database and later retrieve it into a picture box?"

When you build an SQL query by concatenation:
Dim strsql As String = "insert into PersonalPro(SurNames,Gender,DOB,pictu)values('" + SurNamesTextBox.Text + "','" + GenderComboBox.Text + "','" + DOBDateTimePicker.Text + "','"+ PictuPictureBox.ImageLocation + "')"





You are assembling a string by combining other strings, obviously. But this has some effects which aren't immediately apparent. For example:

Dim userName As String = "Mike"
Dim sql As String = "SELECT * FROM myTable WHERE User='" + userName + "'"


This generates a string which SQL can understand:

SELECT * FROM myTable WHERE User='Mike'


But when you use an array of bytes:

Dim data As Byte() = File.ReadAllBytes("D:\Temp\MyPic.jpg")
Dim sql As String = "INSERT INTO myTable (Picture) VALUES ('" & data & "')"


What you get is not the same, because data is not a string, so the default ToString method is implied in order to complete the statement:

Dim data As Byte() = File.ReadAllBytes("D:\Temp\MyPic.jpg")
Dim sql As String = "INSERT INTO myTable (Picture) VALUES ('" & data.ToString & "')"


Since arrays do not implement a ToString override, the default object version is called, which returns the name of the class rather than the data content:

INSERT INTO myTable (Picture) VALUES ('System.Byte[]')


So the value inserted into your database is just that: the text "System.Byte[]" rather than the file content.
This is what you saw when you wrote the DB content to a file and looked at it.

To get round this, you use what is called a Parameterized query: you use a "place marker" in your SQL statement, and supply a parameter with a value that matches it:

' Needs Imports System.Data.SqlClient and Imports System.IO; strConnect is your connection string
Using con As New SqlConnection(strConnect)
    con.Open()
    ' @PIC is the place marker; no string conversion of the image bytes ever happens
    Using com As New SqlCommand("INSERT INTO myTable (Picture) VALUES (@PIC)", con)
        Dim data As Byte() = File.ReadAllBytes("D:\Temp\MyPic.jpg")
        com.Parameters.AddWithValue("@PIC", data)
        com.ExecuteNonQuery()
    End Using
End Using


The "place marker" in the SQL statement is @PIC which is just a named SQL variable. You then create a Parameter with the same name, and give it the data. Because you aren't playing with string conversions at any time, it all works seamlessly.

This is important!
There is another advantage of using Parameterized queries: it prevents your users from damaging or destroying your database by typing into your text boxes.

No, I'm not joking. If you concatenate strings:

Dim sql As String = "INSERT INTO myTable (Picture) VALUES ('" & myTextBox.Text & "')"


Then exactly what your user types will be sent to SQL server.

So if your user types

Mike');DROP TABLE myTable;--


and presses the "Enter" or "Login" button, then the string sent to SQL is:

INSERT INTO myTable (Picture) VALUES ('Mike');DROP TABLE myTable;--')


Which SQL sees as two separate commands and a comment. It does the select, and will return the data to your application, but it then deletes the table from your database...and you can't get it back.

This is called an SQL Injection attack, and it is the simplest, most stupid, most dangerous mistake any database coder can make. Potentially, it bypasses any security you use, and puts your DB at the complete control of someone on the other side of the world...
If you do the same thing as a parameterized query, nothing nasty happens - so always use them, even for trivial stuff!
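The round trip the answer describes, as an added example that is not part of the original answer or of the asker's project. It is written in Python with the standard library's sqlite3 module standing in for VB.NET and SQL Server so that it runs offline: sqlite3's `?` placeholder plays the role of `@PIC`, `executescript` plays the role of SQL Server executing a whole batch, and a check on the JPEG header stands in for `Image.FromStream`. The table `myTable(Picture)`, the path `D:\Temp\MyPic.jpg` and the injection string are the answer's; the image bytes are constructed (a JPEG header padded with zeros).

```python
import sqlite3

# Constructed sample image: the first bytes of a JPEG file (SOI marker, APP0/JFIF segment
# header) padded with zeros, so the "is this an image?" check has something to recognise.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00" + b"\x00" * 32
IMAGE_LOCATION = r"D:\Temp\MyPic.jpg"  # what PictureBox.ImageLocation would hold


def make_db():
    """In-memory table with the shape used in the answer: myTable(Picture)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE myTable (Picture BLOB)")
    return con


def insert_by_concatenation(con, text):
    """The broken pattern: the SQL text is glued together, so whatever is concatenated is
    sent as text. The question's INSERT glued in the file path; gluing in the byte array
    sends the type name "System.Byte[]" instead. Either way the column ends up holding a
    short string, not an image. executescript() runs every statement in the string, which
    is what SQL Server does with a batch."""
    sql = "INSERT INTO myTable (Picture) VALUES ('" + text + "')"
    con.executescript(sql)


def insert_parameterized(con, value):
    """The fix: a placeholder in the statement and the value handed to the driver separately.
    sqlite3 writes '?' where SqlClient writes @PIC. Bytes travel as a BLOB with no string
    conversion, and a string travels as data, never as SQL."""
    con.execute("INSERT INTO myTable (Picture) VALUES (?)", (value,))


def fetch_pictures(con):
    """All stored values, oldest first."""
    return [row[0] for row in con.execute("SELECT Picture FROM myTable ORDER BY rowid")]


def looks_like_jpeg(value):
    """Stand-in for Image.FromStream: a JPEG begins with the SOI marker FF D8 FF.
    A path or "System.Byte[]" fails here, just as Image.FromStream fails on it in .NET."""
    return isinstance(value, (bytes, bytearray)) and bytes(value[:3]) == b"\xff\xd8\xff"


def table_exists(con, name):
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def demo():
    """Store an image both ways, then feed the answer's injection string to both."""
    results = {}
    con = make_db()
    insert_by_concatenation(con, IMAGE_LOCATION)   # as the question's INSERT did
    insert_parameterized(con, SAMPLE_JPEG)         # as the answer's @PIC example does
    stored = fetch_pictures(con)
    results["concatenated_is_image"] = looks_like_jpeg(stored[0])   # False: a path was stored
    results["parameterized_is_image"] = looks_like_jpeg(stored[1])  # True: the bytes came back

    payload = "Mike');DROP TABLE myTable;--"        # the text from the answer
    unsafe = make_db()
    insert_by_concatenation(unsafe, payload)        # INSERT runs, then DROP TABLE runs
    results["concatenated_table_survives"] = table_exists(unsafe, "myTable")

    safe = make_db()
    insert_parameterized(safe, payload)             # the whole string is stored as a value
    results["parameterized_table_survives"] = table_exists(safe, "myTable")
    results["payload_stored_literally"] = fetch_pictures(safe) == [payload]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running `demo()` shows the two halves of the answer at once: the concatenated INSERT leaves text in the Picture column that no image decoder will accept, while the same injection string that drops the table through concatenation is stored as an ordinary value when it arrives as a parameter.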

