使用asp.net从SQL数据库检索二进制数据
[英]retrieve Binary Data from SQL Database with asp.net
问题描述
I want to retrieve Binary Data from SQL Database with asp.net .but the data that is shown in the output does not match with the data that i have inserted. 
我想使用asp.net从SQL数据库中检索二进制数据,但是输出中显示的数据与我插入的数据不匹配。 this is my code: 这是我的代码:
string EQuery = "SELECT * FROM Ph_Tbl_Contacts WHERE (Contact_ID =" + Contact_ID + ")";
DataSet DSs = new DataSet();
DataTable dt = new DataTable();
DataRow dr = dt.NewRow();
DSs = DB.ExecuteQueryData(EQuery);
dt = DSs.Tables[0];
// dr = dt.NewRow();
dr = dt.Rows[0];
byte[] pic;
byte[] raw = (byte[])dr["Contact_CardImage"];
// Session[OpenDialog.STORED_IMAGE] = raw ;
and this is insert part: 这是插入部分:
byte[] IMAGEbYTE ;
IMAGEbYTE = (byte[])(Session["SessionImage"]);
string Query = "INSERT INTO Ph_Tbl_Contacts (Contact_Name, Contact_LName, " +
"Contact_Company, Contact_Email, Contact_Tel, " +
"Contact_Mobile,Contact_CardImage,Is_Public,User_ID,Save_Date)" +
"VALUES (N'" + Txt_Name.Text + "', N'" + Txt_LastName.Text + "', N'" +
Txt_CompanyName.Text + "', N'" + Txt_Mail.Text + "', N'" +
Txt_Telephone.Text + "', N'" + Txt_Mobile.Text + "','" +
IMAGEbYTE + "','" + CheckValue + "'," +
Session["User_ID"] + ", N'" + DateStr + "')";
DB.ExecuteQueryNoData(Query) ;
1 个解决方案
解决方案1
5 已采纳 2012-12-31 10:26:56
Alright, let's start with cleaning your code. 好了,让我们从清理代码开始。 The first thing is to fix your INSERT code, because right now it is vulnerable to SQL injection. 第一件事是修复您的INSERT代码,因为现在它很容易受到SQL注入的攻击。 You need to use parametrized queries: 您需要使用参数化查询:
using (var conn = new SqlConnection("Your ConnectionString comes here"))
using (var cmd = conn.CreateCommand())
{
conn.Open();
cmd.CommandText =
@"INSERT INTO Ph_Tbl_Contacts
(Contact_Name,
Contact_LName,
Contact_Company,
Contact_Email,
Contact_Tel,
Contact_Mobile,
Contact_CardImage,
Is_Public,
User_ID,
Save_Date)
VALUES
(@Contact_Name,
@Contact_LName,
@Contact_Company,
@Contact_Email,
@Contact_Tel,
@Contact_Mobile,
@Contact_CardImage,
@Is_Public,
@User_ID,
@Save_Date)
";
cmd.Parameters.AddWithValue("@Contact_Name", Txt_Name.Text);
cmd.Parameters.AddWithValue("@Contact_LName", Txt_LastName.Text);
cmd.Parameters.AddWithValue("@Contact_Company", Txt_CompanyName.Text);
cmd.Parameters.AddWithValue("@Contact_Email", Txt_Mail.Text);
cmd.Parameters.AddWithValue("@Contact_Tel", Txt_Telephone.Text);
cmd.Parameters.AddWithValue("@Contact_Mobile", Txt_Mobile.Text);
cmd.Parameters.AddWithValue("@Contact_CardImage", IMAGEbYTE);
cmd.Parameters.AddWithValue("@Is_Public", CheckValue);
cmd.Parameters.AddWithValue("@User_ID", Session["User_ID"]);
cmd.Parameters.AddWithValue("@Save_Date", DateStr);
cmd.ExecuteNonQuery();
}
Here's it's worth mentioning that if the Save_Date column in your database is a datetime you should pass an instance of DateTime for the parameter and not be attempting to convert it to string => DateStr must be a DateTime. 值得一提的是,如果数据库中的Save_Date列是datetime ,则应为该参数传递DateTime实例,而不要尝试将其转换为字符串=> DateStr必须是DateTime。
Alright, now that you have correctly inserted the record into the database you could read it: 好了,现在您已将记录正确插入数据库中,您可以读取它:
using (var conn = new SqlConnection("Your ConnectionString comes here"))
using (var cmd = conn.CreateCommand())
{
conn.Open();
cmd.CommandText =
@"SELECT
Contact_CardImage
FROM
Ph_Tbl_Contacts
WHERE
Contact_ID = @Contact_ID
";
cmd.Parameters.AddWithValue("@Contact_ID", Txt_Name.Text);
using (var reader = cmd.ExecuteReader())
{
if (reader.Read())
{
byte[] raw = (byte[])reader.Items["Contact_CardImage"];
// TODO: do something with the raw data
}
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.