I need help


maddy

Dear folks,

I uploaded the image using the following code:

HttpPostedFile myFile = Picture.PostedFile;
int FileLen = myFile.ContentLength;
string FName = Path.GetFileName(myFile.FileName);
string Extn = FName.Remove(0, (FName.LastIndexOf('.') + 1));
Label2.Text = Extn;
if (FileLen < 400000)
{
    if ((Extn.ToUpper() == "JPEG" || Extn.ToUpper() == "JPG" || Extn.ToUpper() == "BMP" || Extn.ToUpper() == "GIF"))
    {
        byte[] myData = new byte[FileLen];
        // Stream.Read is not guaranteed to fill the buffer in one call
        myFile.InputStream.Read(myData, 0, FileLen);
        Image1.Visible = true;
        Image1.ImageUrl = Picture.PostedFile.FileName;

        // "+myData+" concatenates the array's ToString(), i.e. the text "System.Byte[]",
        // not the image bytes; the other values are concatenated unescaped into the SQL
        string s = "insert into hreimage values(newid(),'" + Session["EMPNO"].ToString() + "','" + myData + "','" + FName + "','" + FileLen.ToString() + "','" + Extn + "')";
        int i = DAL.Connect.SaveData(s);
        if (i > -1)
        {
            Label1.Visible = true;
            Label1.Text = "<font color=blue><b>File Attached Successfully!!<b></font>";
        }
        else
        {
            Label1.Text = "the file already exists";
            Label1.Visible = true;
        }
    }
    else
    {
        Response.Write("<h2><font Color = Red>It is not a valid file</font></h2>");
    }
}
else
{
    Response.Write("The image size is very Big");
}
It's working properly.

But the problem started when downloading the image; the code is
below:

MemoryStream ms = new MemoryStream();
SqlConnection cn = DAL.Connect.GetConnection();
try
{
    cn.Open();
    SqlCommand cmd = new SqlCommand("select image from hreimage where empno = '" + Label1.Text + "'", cn);
    byte[] img = (byte[])cmd.ExecuteScalar();
    ms.Write(img, 0, img.Length);
    Bitmap bp = new Bitmap(ms);   // the line that throws "invalid parameter used"
    Response.ContentType = "image/gif";
    bp.Save(Response.OutputStream, ImageFormat.Gif);
}
finally
{
    cn.Close();
    ms.Close();
}


It shows the error "invalid parameter used" at the red-marked line.

Please help me out with this, yaar.
 

Marc Gravell

For those that are in text, what line is "in red"? It (more or less)
compiles OK for me...

Observations:

SqlCommand cmd = new SqlCommand("select image from hreimage where empno = '"+Label1.Text+"'",cn);

A clear invite to SQL injection: http://www.xkcd.com/327/
Never [ever] directly concatenate user input into a SQL command. Ever.
A parameter is the normal solution.

Bitmap bp = new Bitmap(ms);
Response.ContentType="image/gif";
bp.Save(Response.OutputStream,ImageFormat.Gif);

If you stored the format (ContentType) with the original binary in the
database, you could simply write the binary direct to the output
stream, without requiring Bitmap [which is *not* supported from
asp.net: http://msdn2.microsoft.com/en-us/library/system.drawing.aspx]

Marc
 

Marc Gravell

Looking again, you aren't re-winding the stream. In this scenario
(assuming you don't alter Bitmap etc) the easiest approach is:

byte[] img = (byte[])cmd.ExecuteScalar();
MemoryStream ms = new MemoryStream(img);
Bitmap bp = new Bitmap(ms);

The second line initializes the memory stream with the buffer, but
sets the position to 0. Your original code leaves the position at the
end of the stream, so there is nothing to read. You could also just
add "ms.Position = 0;" after the Write, but the above is tidier.

Another observation: the SqlConnection, MemoryStream, Bitmap and
SqlCommand classes are all IDisposable; you should be "using" them to
ensure that Dispose() is called; this actually simplifies the code
(note the use of Bitmap etc is still bad; I have patched the SQL
injection, though):

using (SqlConnection cn = DAL.Connect.GetConnection())
using (SqlCommand cmd = new SqlCommand("select image from hreimage where empno = @empno", cn)) {
    cmd.Parameters.Add(new SqlParameter("@empno", Label1.Text));
    cn.Open();
    byte[] img = (byte[])cmd.ExecuteScalar();
    using (MemoryStream ms = new MemoryStream(img))
    using (Bitmap bp = new Bitmap(ms)) {
        Response.ContentType = "image/gif";
        bp.Save(Response.OutputStream, ImageFormat.Gif);
    }
}

(if you don't mind composite lines, you could reduce further by
removing "img" and "ms"; simple is good, though...)

Marc
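The stream-position problem described in the post above, shown as an added console example (not code from the thread or from any of its posters). It uses a constructed byte array in place of the database row and plain Stream reads in place of System.Drawing, so it runs anywhere; the GIF signature bytes are constructed sample data.

```csharp
// Added example: why new Bitmap(ms) finds nothing after ms.Write(...) and why the
// buffer constructor (or ms.Position = 0) fixes it.
using System;
using System.IO;

public static class RewindDemo
{
    // Constructed sample: the 6-byte "GIF89a" signature plus a few padding bytes.
    public static readonly byte[] Sample = { 0x47, 0x49, 0x46, 0x38, 0x39, 0x61, 0x00, 0x01, 0x02 };

    // Drain whatever is readable from the stream's *current* position.
    // Read may return fewer bytes than requested, so loop until it returns 0.
    public static byte[] ReadRemaining(Stream s)
    {
        using (MemoryStream copy = new MemoryStream())
        {
            byte[] buffer = new byte[4];
            int n;
            while ((n = s.Read(buffer, 0, buffer.Length)) > 0)
                copy.Write(buffer, 0, n);
            return copy.ToArray();
        }
    }

    // Mirrors the original post: write into an empty stream, then hand it to a reader.
    public static int BytesReadableAfterWrite(byte[] img)
    {
        using (MemoryStream ms = new MemoryStream())
        {
            ms.Write(img, 0, img.Length);      // Position is now img.Length
            return ReadRemaining(ms).Length;   // the reader starts at the end, so nothing comes back
        }
    }

    // The explicit-rewind fix: reset Position after the write.
    public static int BytesReadableAfterRewind(byte[] img)
    {
        using (MemoryStream ms = new MemoryStream())
        {
            ms.Write(img, 0, img.Length);
            ms.Position = 0;
            return ReadRemaining(ms).Length;   // the whole buffer is readable again
        }
    }

    // The tidier fix: the buffer constructor starts at Position 0.
    public static int BytesReadableFromBufferCtor(byte[] img)
    {
        using (MemoryStream ms = new MemoryStream(img))
            return ReadRemaining(ms).Length;
    }

    public static void Main()
    {
        Console.WriteLine("readable after Write only : " + BytesReadableAfterWrite(Sample));
        Console.WriteLine("readable after Position=0 : " + BytesReadableAfterRewind(Sample));
        Console.WriteLine("readable via buffer ctor  : " + BytesReadableFromBufferCtor(Sample));
    }
}
```

Each helper wraps its MemoryStream in `using`, which is the disposal pattern the post recommends; the same loop-until-zero read in ReadRemaining is also what the upload side needs in place of a single `InputStream.Read` call.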
 

Dror Gluska

cn.Open();
SqlCommand cmd = new SqlCommand("select image from hreimage where empno = '"+Label1.Text+"'",cn);
....


I would start with reading about sql injection.

Which line is the red marked line? (Guess google is removing it)
 

Marc Gravell

Last post (for now ;-p) - if you wanted to switch to the more
efficient stream from the database (without Bitmap), then something
like:

string empNo = Label1.Text;
using (SqlConnection cn = DAL.Connect.GetConnection())
using (SqlCommand cmd = new SqlCommand("select contenttype, image from hreimage where empno = @empno", cn)) {
    cmd.Parameters.Add(new SqlParameter("@empno", empNo));
    cn.Open();
    using (SqlDataReader reader = cmd.ExecuteReader(
        CommandBehavior.SequentialAccess | CommandBehavior.CloseConnection
        | CommandBehavior.SingleResult | CommandBehavior.SingleRow)) {
        if (reader.Read()) {
            Response.ContentType = reader.GetString(0);
            const int BUFFER_SIZE = 8040; // related to SQL page size
            byte[] buffer = new byte[BUFFER_SIZE];
            long bytes, offset = 0;
            while ((bytes = reader.GetBytes(1, offset, buffer, 0, BUFFER_SIZE)) > 0) {
                Response.OutputStream.Write(buffer, 0, (int)bytes);
                offset += bytes;
            }
        } else { // no row returned
            throw new ArgumentException("Record not found: " + empNo);
        }
    }
}
```
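The streaming download above only works if the content type was stored with the bytes, as the earlier post suggested. The upload counterpart, written as an added example (not code from the thread or from any of its posters): every value travels as a typed parameter, the file is accepted on its leading bytes rather than its extension, and the input stream is read in a loop. The column names `id, empno, image, filename, filelen, contenttype` and the parameter sizes are assumptions; `DAL.Connect.GetConnection()` is the thread's own helper.

```csharp
// Added example: parameterized upload that stores the raw bytes plus their content type.
using System;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Web;

public static class ImageUpload
{
    private const int MaxBytes = 400000; // the same limit the original code uses

    // Decide the type from the first bytes of the data. The file name is user-supplied,
    // so the extension proves nothing about what the bytes actually are.
    public static string SniffImageType(byte[] data)
    {
        if (data == null) return null;
        if (data.Length >= 3 && data[0] == 0xFF && data[1] == 0xD8 && data[2] == 0xFF) return "image/jpeg";
        if (data.Length >= 6 && data[0] == 'G' && data[1] == 'I' && data[2] == 'F' && data[3] == '8'
            && (data[4] == '7' || data[4] == '9') && data[5] == 'a') return "image/gif";
        if (data.Length >= 2 && data[0] == 'B' && data[1] == 'M') return "image/bmp";
        return null; // anything else is rejected
    }

    // Stream.Read may return fewer bytes than asked for; drain it until it returns 0,
    // enforcing the size limit on the way (ContentLength alone is client-reported).
    public static byte[] ReadFully(Stream input, int maxBytes)
    {
        using (MemoryStream ms = new MemoryStream())
        {
            byte[] buffer = new byte[8040];
            int read;
            while ((read = input.Read(buffer, 0, buffer.Length)) > 0)
            {
                ms.Write(buffer, 0, read);
                if (ms.Length > maxBytes) throw new InvalidDataException("Upload exceeds " + maxBytes + " bytes");
            }
            return ms.ToArray();
        }
    }

    // Stores the image and returns the content type recorded for it; throws if rejected.
    public static string Save(HttpPostedFile file, string empNo, SqlConnection cn)
    {
        if (file == null || file.ContentLength <= 0) throw new ArgumentException("No file posted");
        if (file.ContentLength > MaxBytes) throw new InvalidDataException("The image is too large");
        if (string.IsNullOrEmpty(empNo)) throw new ArgumentException("Missing employee number");

        byte[] data = ReadFully(file.InputStream, MaxBytes);
        string contentType = SniffImageType(data);
        if (contentType == null) throw new InvalidDataException("Not a recognised image");

        string fileName = Path.GetFileName(file.FileName);

        // Assumed table layout; nothing user-controlled is concatenated into the SQL text.
        using (SqlCommand cmd = new SqlCommand(
            "insert into hreimage (id, empno, image, filename, filelen, contenttype) " +
            "values (newid(), @empno, @image, @filename, @filelen, @contenttype)", cn))
        {
            cmd.Parameters.Add("@empno", SqlDbType.VarChar, 20).Value = empNo;
            cmd.Parameters.Add("@image", SqlDbType.VarBinary, -1).Value = data; // -1 = varbinary(max)
            cmd.Parameters.Add("@filename", SqlDbType.NVarChar, 260).Value = fileName;
            cmd.Parameters.Add("@filelen", SqlDbType.Int).Value = data.Length;
            cmd.Parameters.Add("@contenttype", SqlDbType.VarChar, 50).Value = contentType;
            if (cn.State != ConnectionState.Open) cn.Open();
            cmd.ExecuteNonQuery();
        }
        return contentType;
    }
}
```

From the page's code-behind this is called as `using (SqlConnection cn = DAL.Connect.GetConnection()) { ImageUpload.Save(Picture.PostedFile, Session["EMPNO"] as string, cn); }`, with the exceptions mapped to the labels the page already shows. Storing the sniffed type rather than the extension means the `reader.GetString(0)` above hands the browser a content type that matches the bytes that follow it.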
 

maddy

I have the error on Bitmap bp = new Bitmap(ms);

The error is: invalid parameter used
 

maddy

...

I would start with reading about sql injection.

Which line is the red marked line? (Guess google is removing it)

______________-

I got the error near Bitmap bp = new Bitmap(ms);

and the error is "invalid parameter used".
 

Marc Gravell

Please clarify whether rewinding the stream (or using the alternative
MemoryStream ctor) helped...

Marc
 

Lew

maddy said:
it shows the error that invalid parameter used in the red marked line
Dror said:
Which line is the red marked line? (Guess google [sic] is removing it)

It's not Google. The OP posted plain text; of course there won't be any "red
marked line". The original post never had a red line for Google to remove.

From the OP's header:
 