Click here to Skip to main content
15,884,388 members
Search within:


How do I...asp Implicit conversion from data type varchar to varbinary(max) is not allowed. Use the CONVERT function to run this query
Please Sign up or sign in to vote.
1.00/5 (2 votes)
I have problem "asp Implicit conversion from data type varchar to varbinary(max) is not allowed. Use the CONVERT function to run this query"

please help me.

this code for insert file from file upload to DB.
C#
protected void btnUpload_Click(object sender, EventArgs e)
   {
       Class1 cl = new Class1();


       string filename = Path.GetFileName(fileUpload1.PostedFile.FileName);
       Stream str = fileUpload1.PostedFile.InputStream;
       BinaryReader br = new BinaryReader(str);
       Byte[] size =  br.ReadBytes((int) str.Length);

       string Type = "application/word";

       string insert = cl.InsertUpload(filename, Type, size);}


This class code (class1)

C#
public string InsertUpload(string FileName, string FileType, byte[] FileData)
    {
        string insert = "0";
        {
            string myconstring = ConfigurationManager.AppSettings["Reg2"];
            SqlConnection record = new SqlConnection();
            record.ConnectionString = myconstring;
            record.Open();

            try
            {

                SqlCommand comserv = new SqlCommand(" insert into FileInformation(FileName,FileType,FileData) values('" + FileName + "\', '" + FileType + "\',  '" + FileData + "\' )", record);
                comserv.ExecuteNonQuery();
                insert = "5";
            }
            catch (SqlException ex)
            {
                
            }
            record.Close();
            return insert;
        }
Posted
Add a Solution

2 solutions

Don't do it like that!
Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
Surprisingly, that'll also cure your problem...

When you concatenate an array of bytes into a string:
C#
byte[] data = ...
string s = "Byte Data: " + data;

It calls an implicit ToString on the array - which returns the type of the variable rather than the content as a string of some description.

So use parameterised queries (at all times) and it will pass the content directly:
C#
SqlCommand comserv = new SqlCommand(" insert into FileInformation (FileName,FileType,FileData) values(@FN, @FT, @FD)", record);
comserv.Parameters.AddWithValue("@FN", FileName);
comserv.Parameters.AddWithValue("@FT", FileType);
comserv.Parameters.AddWithValue("@FD", FileData);
comserv.ExecuteNonQuery();
 
Share this answer
 
Posted
Comments
Richard Deeming 9-Jun-15 10:36am    
Snap!
OriginalGriff 9-Jun-15 10:46am    
Great minds, and all that! :laugh:
Andy Lanng 9-Jun-15 10:39am    
5*ed both for explaining SQL Injection dangers :D
Member 11411753 10-Jun-15 2:26am    
Thank you very much for your reply, and thank you for this benefit.

But my question, how can i call from CLASS?????
OriginalGriff 10-Jun-15 4:49am    
Two people have told you what the problem is.
Two people have given you the code to fix it.
Are you asking me to come round and type it in for you?
Your code is vulnerable to SQL Injection[^].

NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

A side-effect of fixing this serious security vulnerability in your code will be that you will also fix your problem:
C#
public string InsertUpload(string FileName, string FileType, byte[] FileData)
{
    const string query = @"insert into FileInformation (FileName, FileType, FileData) values (@FileName, @FileType, @FileData)";
    string myconstring = ConfigurationManager.AppSettings["Reg2"];
    
    using (SqlConnection connection = new SqlConnection(myconstring))
    using (SqlCommand command = new SqlCommand(query, connection))
    {
        command.Parameters.AddWithValue("@FileName", FileName);
        command.Parameters.AddWithValue("@FileType", FileType);
        command.Parameters.AddWithValue("@FileData", FileData);
        
        connection.Open();
        command.ExecuteNonQuery();
        
        return "5";
    }
}


You might also want to look at moving your connection string from the <appSettings> configuration section to the dedicated <connectionStrings> section:
Connection Strings and Configuration Files (ADO.NET)[^]
 
Share this answer
 
Posted
Updated 9-Jun-15 4:39am
v2
Comments
Andy Lanng 9-Jun-15 10:39am    
5*ed both for explaining SQL Injection dangers :D
Member 11411753 10-Jun-15 2:27am    
Thank you very much for your reply, and thank you for this benefit.

But my question, how can i call from CLASS?????
Richard Deeming 10-Jun-15 7:12am    
In exactly the same way you were doing in your question. You just need to replace your version of the InsertUpload method with the version I posted.
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month

Advertise
Privacy
Cookies
Terms of Use
Last Updated 9 Jun 2015
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web01 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900