Click here to Skip to main content
Rate this: bad
good
Please Sign up or sign in to vote.
Hi every one.
I have file with less than 10 mbyte
I want save it into sql. I convert it to array of bytes.then save it into sql.type of this field in sql is varbinary(max).
when I retrieve file from sql size of file is 13 byte.
where is my bug?
Code that I use for Convert File to Array Of bytes
    public static byte[] ConvertFileToBytes(string location, ref string FileName)
        {
 
            FileStream fs = new FileStream(location, FileMode.Open, FileAccess.Read);
 
            BinaryReader reader = new BinaryReader(fs);
 
            byte[] data = reader.ReadBytes((int)fs.Length);
            FileName = fs.Name.Substring(fs.Name.LastIndexOf("\\") + 1);
 
            fs.Close();
            return data;
        }
Code that I use for Save data into Sql
       internal static void SaveAutocadFileOnDataBase(string MapCode, byte[] dataElecMap, string dataElecMapName, byte[] dataCivilMap, string dataCivilMapName, byte[] dataArchiMap, string dataArchiMapName, byte[] dataMechaMap, string dataMechaMapName)
        {
            string sqlcommand = string.Concat("INSERT INTO AutoCadFiles VALUES ('", MapCode, "' , ", "cast ('", dataElecMap, "' as varbinary(max)),", " '", dataElecMapName, "' ",
                                       " , cast ('", dataCivilMap, "' as varbinary(max)) ,", " '", dataCivilMapName, "' ", " , cast ('", dataArchiMap, "' as varbinary(max)) ,", " '", dataArchiMapName, "' ",
                                       " , cast ('", dataMechaMap, "' as varbinary(max)) ,", " '", dataMechaMapName, "' ", ")");
            ExecuteNonQuery(sqlcommand);
        }
Code that I use for Retrieve data from Sql
        private static void GetBinaryFiles(string MapNumber, string MapType)
        {
            byte[] fileread = new byte[10000000];
            byte[] file = null;
            string fileName = null;
            SqlConnection SqlConnction = null;
            DataTable dt = new DataTable();
            string SqlCommand = "Select " + MapType + "Name From AutoCadFiles  Where MapCode ='" + MapNumber + "'";
            // string SqlCommand = "Select Description From PictureTable  Where PkId ='3'";
            SqlCommand sqlcom = GetConnection(SqlCommand, ref  SqlConnction);
            sqlcom.Parameters.Add("@MapCode", SqlDbType.Int).Value = MapNumber;
            fileName = (string)sqlcom.ExecuteScalar();
            sqlcom.Dispose();
            // SqlConnction.Close();
            SqlCommand = "Select   CAST(ArchitecturalMap  As varbinary(max)) From AutoCadFiles  Where MapCode ='" + MapNumber + "'";
            sqlcom = GetConnection(SqlCommand, ref  SqlConnction);
            sqlcom.Parameters.Add("@MapCode", SqlDbType.Int).Value = MapNumber;
            fileread = (byte[])sqlcom.ExecuteScalar();
            SqlConnction.Close();
           }
 
 
thanks.
Posted 13-Feb-13 6:37am
Comments
joshrduncan2012 at 13-Feb-13 11:43am
   
What errors are you getting? If you aren't getting any errors, what kind of output are you getting? We won't decipher your code for you unless you tell us what you are getting that is not expected.

1 solution

Rate this: bad
good
Please Sign up or sign in to vote.

Solution 1

Oh dear, oh dear, oh dear.
 
What do you think is going to happen when you execute that insert code? Answer: the concatentated SQL statement is going to be passed as is to SQL. All 10MB of it. Now, there are a few problems here:
0) Always list your field names when you do an INSERT - it makes your code more future proof
1) SQL has a maximum query length of 32K (this may have changed in the latest version, but I hope not)
2) As soon as your file contains a byte which happens to be a quote character, your query will curl up and die.
3) You are leaving yourself wide open to SQL Inhjection attacks.
 
Use a parameterised query:
using (SqlConnection con = new SqlConnection(strConnect))
    {
    con.Open();
    using (SqlCommand com = new SqlCommand("INSERT INTO AutoCadFiles (myColumn1) VALUES (@DMM))", con))
        {
        com.Parameters.AddWithValue("@DMM", dataMechaMap);
        com.ExecuteNonQuery();
        }
    }
Instead of
using (SqlConnection con = new SqlConnection(strConnect))
    {
    con.Open();
    using (SqlCommand com = new SqlCommand("INSERT INTO AutoCadFiles (myColumn1) VALUES (cast ('", dataMechaMap, "' as varbinary(max))), con))
        {
        com.ExecuteNonQuery();
        }
    }
 
(I have only done one field to illustrate it)
  Permalink  
Comments
Marcus Kramer at 13-Feb-13 12:50pm
   
+5.
Maciej Los at 13-Feb-13 13:11pm
   
Agree, +5!
My favorite words in this solution: "Oh dear, oh dear, oh dear."
abbaspirmoradi at 14-Feb-13 6:21am
   
Thanks Dear Kramer.
Your code Resolved My problem .
your Code is very very Good Response For Me.
Thanks a lot.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



Advertise | Privacy | Mobile
Web01 | 2.8.150327.1 | Last Updated 13 Feb 2013
Copyright © CodeProject, 1999-2015
All Rights Reserved. Terms of Service
Layout: fixed | fluid

CodeProject, 503-250 Ferrand Drive Toronto Ontario, M3C 3G8 Canada +1 416-849-8900 x 100