
I need help


maddy
Oct 15, 2007, 2:53:32 AM
Dear folks,

I uploaded the image using the following code:

HttpPostedFile myFile = Picture.PostedFile;
int FileLen = myFile.ContentLength;
string FName = Path.GetFileName(myFile.FileName);
string Extn = FName.Remove(0, FName.LastIndexOf('.') + 1);   // text after the last '.'
Label2.Text = Extn;
if (FileLen < 400000)
{
    if (Extn.ToUpper() == "JPEG" || Extn.ToUpper() == "JPG" || Extn.ToUpper() == "BMP" || Extn.ToUpper() == "GIF")
    {
        byte[] myData = new byte[FileLen];
        myFile.InputStream.Read(myData, 0, FileLen);
        Image1.Visible = true;
        Image1.ImageUrl = Picture.PostedFile.FileName;

        string s = "insert into hreimage values(newid(),'" + Session["EMPNO"].ToString() + "','" + myData + "','" + FName + "','" + FileLen.ToString() + "','" + Extn + "')";
        int i = DAL.Connect.SaveData(s);
        if (i > -1)
        {
            Label1.Visible = true;
            Label1.Text = "<font color=blue><b>File Attached Successfully!!</b></font>";
        }
        else
        {
            Label1.Text = "the file already exists";
            Label1.Visible = true;
        }
    }
    else
    {
        Response.Write("<h2><font Color = Red>It is not a valid file</font></h2>");
    }
}
else
{
    Response.Write("The image size is very Big");
}
It's working properly.

But the problem started when downloading the image; the code is here below:

MemoryStream ms = new MemoryStream();
SqlConnection cn = DAL.Connect.GetConnection();
try
{
    cn.Open();
    SqlCommand cmd = new SqlCommand("select image from hreimage where empno = '" + Label1.Text + "'", cn);
    byte[] img = (byte[])cmd.ExecuteScalar();
    ms.Write(img, 0, img.Length);
    Bitmap bp = new Bitmap(ms);
    Response.ContentType = "image/gif";
    bp.Save(Response.OutputStream, ImageFormat.Gif);
}
finally
{
    cn.Close();
    ms.Close();
}


It shows the error that an invalid parameter was used, on the red-marked line.

Please help me out with this, friend.

-- 
Regards,
Sarvesh

Marc Gravell
Oct 15, 2007, 3:23:57 AM
For those that are in text, what line is "in red"? It (more or less)
compiles OK for me...

Observations:


> SqlCommand cmd = new SqlCommand(
> "select image from hreimage where empno = '"+Label1.Text+"'",cn);

A clear invite to SQL injection: http://www.xkcd.com/327/
Never [ever] directly concatenate user input into a SQL command. Ever.
A parameter is the normal solution.

> Bitmap bp = new Bitmap(ms);
> Response.ContentType="image/gif";
> bp.Save(Response.OutputStream,ImageFormat.Gif);

If you stored the format (ContentType) with the original binary in the
database, you could simply write the binary direct to the output
stream, without requiring Bitmap [which is *not* supported from
asp.net: http://msdn2.microsoft.com/en-us/library/system.drawing.aspx]

Marc


Dror Gluska
Oct 15, 2007, 3:39:07 AM
On Oct 15, 8:53 am, maddy <sarvesh....@gmail.com> wrote:
...

> cn.Open();
> SqlCommand cmd = new SqlCommand("select image from
> hreimage where empno = '"+Label1.Text+"'",cn);
...


I would start with reading about SQL injection.

Which line is the red marked line? (Guess google is removing it)

Marc Gravell
Oct 15, 2007, 3:37:27 AM
Looking again, you aren't re-winding the stream. In this scenario
(assuming you don't alter Bitmap etc) the easiest approach is:

byte[] img = (byte[])cmd.ExecuteScalar();
MemoryStream ms = new MemoryStream(img);
Bitmap bp = new Bitmap(ms);

The second line initializes the memory stream with the buffer, but
sets the position to 0. Your original code leaves the position at the
end of the stream, so there is nothing to read. You could also just
add "ms.Position = 0;" after the Write, but the above is tidier.

Another observation: the SqlConnection, MemoryStream, Bitmap and
SqlCommand classes are all IDisposable; you should be "using" them to
ensure that Dispose() is called; this actually simplifies the code
(note the use of Bitmap etc is still bad; I have patched the SQL
injection, though):

using (SqlConnection cn = DAL.Connect.GetConnection())
using (SqlCommand cmd = new SqlCommand("select image from hreimage where empno = @empno", cn)) {
    cmd.Parameters.Add(new SqlParameter("@empno", Label1.Text));
    cn.Open();

    byte[] img = (byte[])cmd.ExecuteScalar();

    using (MemoryStream ms = new MemoryStream(img))
    using (Bitmap bp = new Bitmap(ms)) {
        Response.ContentType = "image/gif";
        bp.Save(Response.OutputStream, ImageFormat.Gif);
    }
}

(if you don't mind composite lines, you could reduce further by
removing "img" and "ms"; simple is good, though...)

Marc


Marc Gravell
Oct 15, 2007, 3:51:04 AM
Last post (for now ;-p) - if you wanted to switch to the more
efficient stream from the database (without Bitmap), then something
like:

string empNo = Label1.Text;

using (SqlConnection cn = DAL.Connect.GetConnection())
using (SqlCommand cmd = new SqlCommand("select contenttype, image from hreimage where empno = @empno", cn)) {
    cmd.Parameters.Add(new SqlParameter("@empno", empNo));
    cn.Open();
    using (SqlDataReader reader = cmd.ExecuteReader(
            CommandBehavior.SequentialAccess | CommandBehavior.CloseConnection
            | CommandBehavior.SingleResult | CommandBehavior.SingleRow)) {
        if (reader.Read()) {
            Response.ContentType = reader.GetString(0);
            const int BUFFER_SIZE = 8040; // related to SQL page size
            byte[] buffer = new byte[BUFFER_SIZE];
            long bytes, offset = 0;
            while ((bytes = reader.GetBytes(1, offset, buffer, 0, BUFFER_SIZE)) > 0) {
                Response.OutputStream.Write(buffer, 0, (int)bytes);
                offset += bytes;
            }
        } else { // no row returned
            throw new ArgumentException("Record not found: " + empNo);
        }
    }
}
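As an added example (not code from this thread), here is the upload side written the same way as the parameterised download above, so that both halves stop concatenating values into SQL and the image column receives real bytes rather than the string that "'" + myData + "'" produces. It assumes an open SqlConnection, a column list for hreimage (only "empno" and "image" appear in the thread) and the extra "contenttype" column the streaming download reads.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.IO;

// Added example, not the original poster's code; column names other than
// "empno" and "image", and the "contenttype" column, are assumptions.
static class ImageStore
{
    // Only the extensions the thread accepts get a MIME type; anything else is refused.
    static string ContentTypeFor(string extn)
    {
        switch (extn.ToUpperInvariant())
        {
            case "JPG": case "JPEG": return "image/jpeg";
            case "GIF": return "image/gif";
            case "BMP": return "image/bmp";
            default: return null;
        }
    }

    // Stores one upload for empNo on an already-open connection; false when rejected.
    public static bool Save(SqlConnection cn, string empNo, string fileName, Stream upload, int maxBytes)
    {
        string fname = Path.GetFileName(fileName);            // drop any client-side path
        string extn = Path.GetExtension(fname).TrimStart('.');
        string contentType = ContentTypeFor(extn);
        if (contentType == null || upload.Length > maxBytes) return false;

        // Stream.Read may return fewer bytes than asked for, so loop until it returns 0.
        byte[] data;
        using (MemoryStream ms = new MemoryStream())
        {
            byte[] buf = new byte[8040];
            int n;
            while ((n = upload.Read(buf, 0, buf.Length)) > 0) ms.Write(buf, 0, n);
            data = ms.ToArray();
        }
        // Every value travels as a typed parameter: no quoting, no injection, real bytes.
        using (SqlCommand cmd = new SqlCommand(
            "insert into hreimage (id, empno, image, fname, filelen, extn, contenttype) " +
            "values (newid(), @empno, @image, @fname, @filelen, @extn, @contenttype)", cn))
        {
            cmd.Parameters.Add("@empno", SqlDbType.VarChar, 20).Value = empNo;
            cmd.Parameters.Add("@image", SqlDbType.VarBinary, -1).Value = data;   // varbinary(max)
            cmd.Parameters.Add("@fname", SqlDbType.NVarChar, 260).Value = fname;
            cmd.Parameters.Add("@filelen", SqlDbType.Int).Value = data.Length;
            cmd.Parameters.Add("@extn", SqlDbType.VarChar, 10).Value = extn;
            cmd.Parameters.Add("@contenttype", SqlDbType.VarChar, 50).Value = contentType;
            return cmd.ExecuteNonQuery() == 1;
        }
    }
}
```

The extension check is still the thread's own extension-based one; it only decides which content type gets stored for the download to send back.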


maddy
Oct 15, 2007, 6:19:47 AM

I have an error on Bitmap bp = new Bitmap(ms);

The error is: invalid parameter used.

maddy
Oct 15, 2007, 6:21:37 AM

I got an error near that Bitmap bp = new Bitmap(ms);

and the error is: invalid parameter used.

Marc Gravell
Oct 15, 2007, 6:28:35 AM
Please clarify whether rewinding the stream (or using the alternative
MemoryStream ctor) helped...

Marc


Lew
Oct 15, 2007, 9:44:25 AM
maddy wrote:
> it shows the error that invalid parameter used in the red marked line

Dror Gluska wrote:
>> Which line is the red marked line? (Guess google [sic] is removing it)

It's not Google. The OP posted plain text; of course there won't be any "red
marked line". The original post never had a red line for Google to remove.

From the OP's header:
> Content-Type: text/plain; charset="iso-8859-1"

--
Lew
