Click here to Skip to main content
15,742,253 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
Hello, I have created a database which we use to store and retrieve records that include images. I am able to insert text records as well as images into the database.
My problem is, when I am trying to search records to retrieve and display their image into a picturebox I get "PARAMETER NOT VALID" error. This is the code I used for the picturebox.

This is the code I used:
Dim bytBLOBData() As Byte = datTable.Rows(incount)
Dim stmBLOBData As New MemoryStream(bytBLOBData)
Me.PictuPictureBox.Image = Image.FromStream(stmBLOBData)------(i get the error here)

Please help me, thanks!
Updated 4-Jul-13 3:19am

1 solution

It's probably not that code - it's likely to be the way you save it into the database in the first place. See here: Why do I get a "Parameter is not valid." exception when I read an image from my database?[^]

"what is parameterized query, i dont tnk i hav got an answer. By your comment it means that my image is not actually saving in the what can i do to save it into the database and later retrieve it into a picture box....."

When you build an SQL query by concatenation:
Dim strsql As String = "insert into PersonalPro(SurNames,Gender,DOB,pictu)values('" + SurNamesTextBox.Text + "','" + GenderComboBox.Text + "','" + DOBDateTimePicker.Text + "','"+ PictuPictureBox.ImageLocation + "')"

You are assembling a string but combining other strings, obviously. But this has some effects which aren't immediately apparent. For example:
Dim userName As String = "Mike"
Dim sql As String = "SELECT * FROM myTable WHERE User='" + userName + "'"
Generate a string which SQL can understand:
SELECT * FROM myTable WHERE User='Mike'
But when you use an array of bytes:
Dim data As Byte() = File.ReadAllBytes("D:\Temp\MyPic.jpg")
Dim sql As String = "INSERT INTO myTable (Picture) VALUES ('" & data & "')"
What you get is not the same, because data is not a string, so the default ToString method is implied in order to complete the statement:
Dim data As Byte() = File.ReadAllBytes("D:\Temp\MyPic.jpg")
Dim sql As String = "INSERT INTO myTable (Picture) VALUES ('" & data.ToString & "')"
Since arrays do not implement a ToString override, the default object version is called, wihich returns the name of the class, rather than the data content:
INSERT INTO myTable (Picture) VALUES ('System.Byte[]')
So the value inserted into your database is just that: the text "System.Byte" rather than the file content.
This is what you saw when you wrote the DB content to a file and looked at it.

To get round this, you use what is called a Parametrized query: you use a "place marker" in your SQL statement, and supply a parameter with a value that matches it:
Using con As New SqlConnection(strConnect)
	Using com As New SqlCommand("INSERT INTO myTable (Picture) VALUES (@PIC)", con)
                Dim data As Byte() = File.ReadAllBytes("D:\Temp\MyPic.jpg")
		com.Parameters.AddWithValue("@PIC", data)
	End Using
End Using
The "place marker" in the SQL statement is @PIC which is just a named SQL variable. You then create a Parameter with the same name, and give it the data. Because you aren't playing with string conversions at any time, it all works seamlessly.

This is important!
There is another advantage of using Parameterized queries: which is that it prevent your users from damaging or destroying your database by typing into your text boxes.

No, I'm not joking. If you concatenate strings:
Dim sql As String = "INSERT INTO myTable (Picture) VALUES ('" & myTextBox.Text & "')"
Then exactly what your user types will be sent to SQL server.

So if your user types
Mike');DROP TABLE myTable;--
and presses the "Enter" or "Login" button, then the string sent to SQL is:
INSERT INTO myTable (Picture) VALUES ('Mike');DROP TABLES myTable;--')
Which SQL sees as two separate commands and a comment. It does the select, and will return the data to your application, but it then deletes the table from your database...and you can't get it back.

This is called an SQL Injection attack, and it is the simplest, most stupid, most dangerous mistake any database coder can make. Potentially, it bypasses any security you use, and puts your DB at the complete control of someone on the other side of the world...
If you do the same thing as a parameterized query, nothing nasty happens - so always use them, even for trivial stuff!
Share this answer
TugBest 4-Jul-13 9:50am    
thanks....but my code works in MS access to retrieve image from database but when i use SQL it doesnt work....and right now am using SQL DATABASE
OriginalGriff 4-Jul-13 9:53am    
And did you use *exactly* the same code to insert it in the DB? Did you check the SQL DB content?
TugBest 4-Jul-13 10:13am    
when i check the SQL db content i can see that it has written <binarydata> in the column where i insert the image from the vb platform...but i wanted to display what is in that column...i guess it is the image i inserted which displays in the SQL DB COLUMN as <binary data="">

its like

kofi plt streeT 12 <binary data="">

I did not use the same code to insert it into the DB I used an INSERT STATEMENT .....

Any way my datatype in Ms Acess was Attachment and In SQL is selected IMAGE as my datatype.

THIS IS THE CODE... I USED TO PICK THE IMAGE INTO THE PICTURE BOX and saved it with insert statement

With OpenFileDialog1 'Executes a series of statements making repeated reference to a single object or structure.
.Title = "Please Select a Image" 'title
.InitialDirectory = "C:\" 'browse start directory
.Filter = "JPEG(*.jpg;*.jpeg;*.jpe.*.jfif)|*.jpg; *.jpeg; *.jpe; *.jpe"
.FilterIndex = 0 'index number filter
.FileName = "" 'empty
Dim answ = .ShowDialog
If answ = DialogResult.OK Then 'if answer not cancel, etc..
PictuPictureBox.ImageLocation = .FileName 'picterebox imagelocation = dlg_openfile.filename
'PictuPictureBox.Image = Image.FromFile(OpenFileDialog1.FileName)

End If
End With

Any way my datatype in Ms Acess was Attachment and In SQL i selected IMAGE as my datatype.
OriginalGriff 4-Jul-13 10:54am    
Show the INSERT statement you used for the SQL.
TugBest 5-Jul-13 7:58am    

Dim strsql As String = "insert into PersonalPro(SurNames,Gender,Pictu SurNamesTextBox.Text + "','" + GenderComboBox.Text + "','" + PictuPictureBox.ImageLocation + "')"
Dim strcon As String = "provider=sqloledb;Data Source=vv-PC;Initial Catalog=immdata;Integrated Security=SSPI"
Dim oda As New OleDb.OleDbDataAdapter(strsql, strcon)
Dim dTable As New DTable


This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900