|
aspx
<asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="False"
DataKeyNames="UserID" DataSourceID="SqlDataSource1">
<Columns>
<asp:BoundField DataField="UserID" HeaderText="UserID" ReadOnly="True"
SortExpression="UserID" />
<asp:TemplateField HeaderText="Image">
<ItemTemplate>
<asp:Image ID="Image2" runat="server" ImageUrl='<%# "Handler.ashx?UserID="+ Eval("UserID") %>' Height="150px" Width="150px"/>
</ItemTemplate>
</asp:TemplateField>
</Columns>
</asp:GridView>
_____________________________________________________________________________________________________________________________________________________________
<asp:SqlDataSource ID="SqlDataSource1" runat="server"
ConnectionString="<%$ ConnectionStrings:ConnectionString %>"
SelectCommand="SELECT [UserID], [Image] FROM [Users] WHERE ([UserID] = @UserID)">
<SelectParameters>
<asp:CookieParameter CookieName="userid" DefaultValue="" Name="UserID"
Type="String" />
</SelectParameters>
</asp:SqlDataSource>
_____________________________________________________________________________________________________________________________________________________________
public class Handler : IHttpHandler
{
string strcon = ConfigurationManager.AppSettings["ConnectionString"].ToString();
public void ProcessRequest(HttpContext context)
{
string imageid = context.Request.QueryString["UserID"];
SqlConnection connection = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
connection.Open();
SqlCommand command = new SqlCommand("select UserID,Image FROM Users where UserID=" + imageid, connection);
SqlDataReader dr = command.ExecuteReader();
dr.Read();
// context.Response.BinaryWrite((Byte[])dr[0]);
context.Response.BinaryWrite((Byte[])dr[dr.GetOrdinal("Image")]);
connection.Close();
context.Response.End();
}
public bool IsReusable
{ ........................ with close properly
_____________________________________________________________________________________________________________________________________________________________
Database
UserID,UserName,Name,Image (UEC80001,Michael,MyName,<Binary data>)(nvarchar(50),nvarchar(50),nvarchar(50),image)
_____________________________________________________________________________________________________________________________________________________________
|
|
|
|
|
Apart from the fact that you're not setting the ContentType[^] of the response, you have a SQL injection vulnerability[^] in your code:
string imageid = context.Request.QueryString["UserID"];
...
new SqlCommand("select UserID,Image FROM Users where UserID=" + imageid, connection);
Anyone with access to your site could call Handler.ashx?UserID=1;DELETE FROM Users; , and your code would happily execute two queries: one to select the image for UserID 1, and one to delete all records from the Users table.
Change your code to use a parameterized query:
public sealed class Handler : IHttpHandler
{
public void ProcessRequest(HttpContext context)
{
string imageid = context.Request.QueryString["UserID"];
string connectionString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
using (SqlConnection connection = new SqlConnection(connectionString))
using (SqlCommand command = new SqlCommand("SELECT UserID, Image FROM Users WHERE UserID = @UserID", connection))
{
command.Parameters.AddWithValue("@UserID", imageid);
connection.Open();
using (SqlDataReader dr = command.ExecuteReader(CommandBehavior.CloseConnection))
{
if (!dr.Read()) throw new HttpException(404, "Image not found.");
context.Response.ContentType = "image/jpeg";
context.Response.BinaryWrite((byte[])dr[dr.GetOrdinal("Image")]);
}
}
}
public bool IsReusable
{
get { return true; }
}
}
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
appreciate Richard reply~
<asp:sqldatasource id="SqlDataSource1" runat="server"
="" connectionstring="<%$ ConnectionStrings:ConnectionString %>" selectcommand="SELECT [UserID], [Image] FROM [Users] WHERE ([UserID] = @UserID)">
<SelectParameters>
<asp:cookieparameter cookiename="userid" defaultvalue="" name="UserID"
="" type="String">
</SelectParameters>
i using the cookie to show the particular user image,so at my side should how to call?
<asp:TemplateField HeaderText="Image">
<ItemTemplate>
<asp:Image ID="Image1" runat="server" ImageUrl='<%#"Handler.ashx?UserID=1;"+Eval("UserID")%>' Height="150px" Width="150px"/>
</ItemTemplate>
</asp:TemplateField>
ImageUrl='<%#"Handler.ashx?UserID=1;"+Eval("UserID") can i calling by using cookie? at handler cant request cookie @@ other that this handler have other method to display image?
|
|
|
|
|
If you want to use a cookie instead of a query-string value, change your Image to:
<Image ID="Image1" runat="server" ImageUrl="Handler.ashx" Height="150px" Width="150px"/>
and change the start of the ProcessRequest method to:
var cookie = context.Request.Cookies["userid"];
if (null == cookie) throw new HttpException(404, "Cookie not found.");
string imageid = cookie.Value;
NB: You'll still need to use a parameterized command to avoid SQL injection. Cookie values can be altered by the user almost as easily as query-string values.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
sorry for keep on disturb u and thank u very much
By using ImageUrl="Handler.ashx", can show the data on gridview?
i'm first time using handler XD. for me i set the following code at web.config izit correct?
why it will not previous any error message on browser when my handler code got problem.
<system.web>
<httpHandlers>
<add verb="*" path="Handler.ashx" type="ShowImage,System.Web.UI.SimpleHandlerFactory" validate="true" />
</httpHandlers>
<urlMappings enabled="true">
<add url="~/MyProfile.aspx" mappedUrl="~/Handler.ashx"/>
</urlMappings>
</system.web>
The code should be no problem why still cant function, my connection correct ?
public void ProcessRequest(HttpContext context)
{
var cookie = context.Request.Cookies["userid"].Values.ToString();
if (null == cookie) throw new HttpException(404, "Cookie not found.");
string imageid = cookie;
string connectionString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
using (SqlConnection connection = new SqlConnection(connectionString))
using (SqlCommand command = new SqlCommand("SELECT UserID, Image FROM Users WHERE UserID = @userID", connection))
{
command.Parameters.AddWithValue("@userID", imageid);
connection.Open();
using (SqlDataReader dr = command.ExecuteReader(CommandBehavior.CloseConnection))
{
if (!dr.Read()) throw new HttpException(404, "Image not found.");
context.Response.ContentType = "image/jpeg";
context.Response.BinaryWrite((byte[])dr["Image"]);
}
}
}
|
|
|
|
|
The first lines should be:
var cookie = context.Request.Cookies["userid"];
if (null == cookie) throw new HttpException(404, "Cookie not found.");
string imageid = cookie.Value;
If that still doesn't work, try navigating directly to the handler to see what error it produces.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
how to
navigating directly to the handler ?
|
|
|
|
|
In you web browser, go to the address bar and type in the URL of the handler. The exact URL will depend on your setup; if you're not sure, start with the grid page and replace the "PageName.aspx" with "Handler.ashx" (where "PageName" is the name of your page).
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|