How to store image to database C# / how to convert Byte[] to varbinary(max) C#

Question

I'm trying to insert data into a database, but cannot insert the variable Byte[] bytes . When I change the data type in the database to image, I can insert, but when I change it to varbinary(max) this error shows up:

An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name. Incorrect syntax near ''.

How can I fix this problem?

protected void btnUpload_Click(object sender, EventArgs e)
    {
        HttpPostedFile postedFile = FileUpload1.PostedFile;
        string filename = Path.GetFileName(postedFile.FileName);
        string fileExtension = Path.GetExtension(filename);
        int fileSize = postedFile.ContentLength;
        int FkAlbum = Int32.Parse(ddlSubjects.SelectedValue);
        String PicDetail = DropDownList1.SelectedValue;

        String Artists = System.Configuration.ConfigurationManager.ConnectionStrings["FleetManagementConnectionString"].ConnectionString;
        System.Data.SqlClient.SqlConnection con = new System.Data.SqlClient.SqlConnection(Artists);

        //An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name.
        //Incorrect syntax near ''.An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name.
        //Incorrect syntax near ''.

        if (fileExtension.ToLower() == ".jpg" || fileExtension.ToLower() == ".gif"
            || fileExtension.ToLower() == ".png" || fileExtension.ToLower() == ".bmp")
        {
            Stream stream = postedFile.InputStream;
            BinaryReader binaryReader = new BinaryReader(stream);
            Byte[] bytes = binaryReader.ReadBytes((int)stream.Length);


            System.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand("Insert into Images (ImageName,ImageData,PicDetail,ImageSize,AlbumID) values('" + filename + "','" + bytes + "','" + PicDetail + "'," + fileSize + "," + FkAlbum + ")", con);
            //System.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand("Insert into Images (ImageName,PicDetail,ImageSize,AlbumID) values('" + filename + "','" + PicDetail + "'," + fileSize + "," + FkAlbum + ")", con);


            con.Open();
            cmd.ExecuteNonQuery();
            con.Close();
            lblMessage.Visible = true;
            lblMessage.Text = "ThaNK YOU";



        }
        else
        {
            lblMessage.Visible = true;
            lblMessage.ForeColor = System.Drawing.Color.Red;
            lblMessage.Text = "Only images (.jpg, .png, .gif and .bmp) can be uploaded";
            hyperlink.Visible = false;
        }
    }
}

Answer 1

Use SqlCommand parameters to avoid SQL injection. Don't build a SQL statement string by inserting values. This may actually resolve your problem as well.

SqlCommand command = new SqlCommand(@"INSERT INTO Images (ImageName, ImageData, PicDetail, ImageSize, AlbumID)
    VALUES (@ImageName, @ImageData, @PicDetail, @ImageSize, @AlbumId)", con);

command.Parameters.AddWithValue("@ImageName", filename);
command.Parameters.AddWithValue("@ImageData", bytes);
command.Parameters.AddWithValue("@PicDetail", PicDetail);
command.Parameters.AddWithValue("@ImageSize", fileSize);
command.Parameters.AddWithValue("@AlbumId", FkAlbum);

https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.parameters(v=vs.110).aspx