Reputation: 27
Image control not being populated by binary data from database
I have an image for every student recorded in the database. However when ever l want to show details of a student. All the other stuff is shown besides the image. My code shows no run-time errors or debugging errors. The Id input for the method is the student number entered so as to show information show that student.
private void Image(string id)
{
byte[] bytes = (byte[])GetData("SELECT Image FROM SI WHERE Username=" + id).Rows[0]["Image"];
string base64String = Convert.ToBase64String(bytes, 0, bytes.Length);
imgPic.ImageUrl = "data:image/jpg;base64," + base64String;
}
private DataTable GetData(string query)
{
DataTable dt = new DataTable();
string constr = ConfigurationManager.ConnectionStrings["tlcString"].ConnectionString;
using (SqlConnection con = new SqlConnection(constr))
{
using (SqlCommand cmd = new SqlCommand(query))
{
using (SqlDataAdapter sda = new SqlDataAdapter())
{
cmd.CommandType = CommandType.Text;
cmd.Connection = con;
sda.SelectCommand = cmd;
sda.Fill(dt);
}
}
return dt;
}
}
Upvotes: 0
Views: 49
Answers (1)
Reputation: 415820
You want to create a completely separate ashx handler or aspx page for this that expects an ID in the URL and does something like the following on page load:
void Page_Load(object sender, EventArgs e)
{
string ID = Request.QueryString["ID"];
byte[] bytes = (byte[])GetData("SELECT Image FROM SI WHERE Username=" + ID;
Response.BinaryWrite(bytes);
}
Then the ASP:Image in your current page can have a conventional URL more like this:
private void Image(string id)
{
imgPic.ImageUrl = "mynewpage.ashx?ID=" + id;
}
But don't do exactly this!
This is crazy-vulernable to Sql Injection attacks. It's practically begging to get you hacked. The problem is in the GetData() method, which lacks any mechanism to parameterize your queries. The method as is effectively forces you to write bad code. You need to change the method to something more like this:
private DataTable GetData(string query, params SqlParameter[] parameters)
{
DataTable dt = new DataTable();
string constr = ConfigurationManager.ConnectionStrings["tlcString"].ConnectionString;
//You can stack these up
using (SqlConnection con = new SqlConnection(constr))
using (SqlCommand cmd = new SqlCommand(query, con))
using (SqlDataAdapter sda = new SqlDataAdapter(cmd))
{
foreach(var p in parameters)
cmd.Parameters.Add(p);
sda.Fill(dt);
}
return dt;
}
And now you can change the Page_Load() to do this:
void Page_Load(object sender, EventArgs e)
{
var userID = new SqlParameter("@Username", SqlDbType.Int);
userID.Value = Request.QueryString["ID"];
byte[] bytes = (byte[])GetData("SELECT Image FROM SI WHERE Username= @Username", userID).Rows[0]["Image"];
Response.BinaryWrite(bytes);
}
When that is done — AND THIS IS IMPORTANT! — go back and check everywhere else that uses the GetData() method to make sure you fix any other places that use string concatenation to put data into a query. This is so important, you might even want to skip the params option on the method, to force a compile error for any query that's not explicitly creating a parameter array, but be sure you get them all.
Upvotes: 2
Related Questions
- Image not showing up from database
- Image appearing as <Binary data> in sql server
- Displaying a byte[] in an image control
- How to retrieve binary image from database using C# in ASP.NET
- Hot to display binary image from db to image box.?8
- How can i retrieve the image stored in binary format from database
- Retrieving image from binary data to imagefield
- Show image from Sql Server in a asp image control
- Displaying image on page from binary data
- SQL <binary data> image type displayed on an ASP.NET page