NEVER use string concatenation to build a SQL query.
ALWAYS use a parameterized query.
At the moment, using string concatenation, your final query will be:
insert into dbo.temp (maquete) VALUES ('System.Byte[]')
Clearly, the literal string System.Byte[] is not a valid byte array.
(The byte array is also empty - you declare it, but you never populate it.)
In order to pass a byte array to your query, you must use a parameter:
using (var connection = new SqlConnection("..."))
using (var command = new SqlCommand("INSERT INTO dbo.temp (maquete) VALUES (@photo)", connection))
{
    // Encode the image into an in-memory buffer and bind the bytes as a parameter.
    using (var ms = new MemoryStream())
    {
        pictureBox2.Image.Save(ms, ImageFormat.Jpeg);
        byte[] photo = ms.ToArray();
        command.Parameters.AddWithValue("@photo", photo);
    }

    connection.Open();
    command.ExecuteNonQuery();
}
NB: All of the images that you think you've stored in your table so far are corrupt. You will need to remove and re-add them.
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
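The contrast described in the answer above, as an added example that is not part of the original post: the concatenated statement next to a parameterized command that binds the bytes with an explicit type. The names PhotoStore, ConcatenatedSql and BuildInsert are hypothetical, and the example assumes the maquete column is varbinary(max); no database connection is opened.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class PhotoStore
{
    // Concatenation calls byte[].ToString(), which returns the type name,
    // so the SQL text carries that name instead of the image bytes.
    public static string ConcatenatedSql(byte[] photo) =>
        "INSERT INTO dbo.temp (maquete) VALUES ('" + photo + "')";

    // Parameterized form: the bytes travel as a typed value, never as SQL text.
    public static SqlCommand BuildInsert(SqlConnection connection, byte[] photo)
    {
        // Reject the "declared but never populated" buffer before it reaches the table.
        if (photo == null || photo.Length == 0)
            throw new ArgumentException("Image buffer is empty.", nameof(photo));

        var command = new SqlCommand(
            "INSERT INTO dbo.temp (maquete) VALUES (@photo)", connection);

        // Assumption: the column is varbinary(max); a size of -1 means "max".
        command.Parameters.Add("@photo", SqlDbType.VarBinary, -1).Value = photo;
        return command;
    }

    static void Main()
    {
        // Constructed sample: the first four bytes of a JPEG file.
        byte[] sample = { 0xFF, 0xD8, 0xFF, 0xE0 };

        Console.WriteLine("Concatenated:  " + ConcatenatedSql(sample));

        // Connection is left null here so the example runs without a server.
        using (var command = BuildInsert(null, sample))
        {
            SqlParameter p = command.Parameters["@photo"];
            Console.WriteLine("Parameterized: " + command.CommandText);
            Console.WriteLine("  " + p.ParameterName + " : " + p.SqlDbType +
                              ", " + ((byte[])p.Value).Length + " bytes");
        }
    }
}
```

Declaring the parameter type explicitly, rather than relying on AddWithValue to infer it, keeps the binding tied to the column definition.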