I'm trying to read an image from a SQL Server database, but I'm get an error:
Parameter is not valid
Who can help me? How to fix it?
byte[] im = connection.ReadImg(id);
if (im != null)
{
MemoryStream st1 = new MemoryStream(im);
pictureBox1.Image = Image.FromStream(st1);
}
else
pictureBox1.Image = Image.FromFile(fn);
public byte[] ReadImg(string id)
{
cmd.Connection = con;
cmd.CommandText = "SELECT photo FROM User WHERE id=" + id;
byte[] image = null;
con.Open();
try
{
image = (byte[])cmd.ExecuteScalar();
}
catch
{
image = null;
}
con.Close();
return image;
}
If id is a string, you have to pass it as a string:
cmd.CommandText = "SELECT photo FROM User WHERE id=#id";
cmd.Parameters.AddWithValue("#id", id);
If not using the recommended parameter way, the problem is you need to have the string parameter enclosed in single quotes:
cmd.CommandText = "SELECT photo FROM User WHERE id='" + id + "'";
This is considered bad practice.
The SELECT statement does not return a scalar; you need to use ExecuteReader or similar;
SqlDataReader reader = cmd.ExecuteReader();
using(reader)
{
while(reader.Read())
{
// Do something with reader["photo"].
}
}
To provide more we need the data types of id and photo.
Related
I am sort of new to login feature for projects and am trying to do logins for my group, which consists of 3 users, namely Nurse, Patient and Pharmacist. I think I am about to complete the loin process but I have a problem with one of my methods, getPosition() in my LoginDAO.cs. So far, I have not done any login codes for patient and pharmacist as i will need my group mates' parts for it to work, but shown below is what I have done. Somehow, login(string nric, string pw) works, but not getPosition(string nric). This is the error that i get from my error log:
Exception: Must declare the scalar variable "#paraNRIC". Source: LoginDAO.getPosition
Thanks in advance :D
protected void btnLogin_Click(object sender, EventArgs e)
{
login login = new login();
login.nric = tbLoginID.Text;
login.pw = tbPassword.Text;
if (login.userLogin(login.nric, login.pw))
{
if (login.getPosition(login.nric) == "Nurse")
{
Response.Redirect("Nurse.aspx");
}
else if (login.getPosition(login.nric) == "Patient")
{
Response.Redirect("Patient.aspx");
}
else if (login.getPosition(login.nric) == "Pharmacist")
{
Response.Redirect("PharmacistDisplay.aspx");
}
}
else
{
lblErr.Text = "Invalid account.";
}
}
public bool login(string nric, string pw)
{
bool flag = false;
SqlCommand cmd = new SqlCommand();
StringBuilder sqlStr = new StringBuilder();
sqlStr.AppendLine("SELECT Password from Position");
sqlStr.AppendLine("Where NRIC = #paraNRIC");
try
{
SqlConnection myconn = new SqlConnection(DBConnect);
cmd = new SqlCommand(sqlStr.ToString(), myconn);
cmd.Parameters.AddWithValue("#paraNRIC", nric);
DataTable dt = new DataTable();
SqlDataAdapter da = new SqlDataAdapter(cmd);
da.Fill(dt);
if (dt == null)
{
flag = false;
}
else
{
string dbhashedpw = dt.Rows[0]["Password"].ToString();
flag = Helper.VerifyHash(pw, "SHA512", dbhashedpw);
}
}
catch (Exception exc)
{
logManager log = new logManager();
log.addLog("NurseDAO.login", sqlStr.ToString(), exc);
}
return flag;
}
public string getPosition(string nric)
{
string dbPosition = "";
int result = 0;
SqlCommand cmd = new SqlCommand();
StringBuilder sqlStr = new StringBuilder();
sqlStr.AppendLine("SELECT Position from Position ");
sqlStr.AppendLine("where NRIC = #paraNRIC");
cmd.Parameters.AddWithValue("#paraNRIC", nric);
try
{
SqlConnection myconn = new SqlConnection(DBConnect);
cmd = new SqlCommand(sqlStr.ToString(), myconn);
DataTable dt = new DataTable();
SqlDataAdapter da = new SqlDataAdapter(cmd);
da.Fill(dt);
myconn.Open();
result = cmd.ExecuteNonQuery();
dbPosition = dt.Rows[0]["Position"].ToString();
myconn.Close();
}
catch (Exception exc)
{
logManager log = new logManager();
log.addLog("LoginDAO.getPosition", sqlStr.ToString(), exc);
}
return dbPosition;
`}
Your error is here:
SqlCommand cmd = new SqlCommand();
// lines omitted
cmd.Parameters.AddWithValue("#paraNRIC", nric);
try
{
SqlConnection myconn = new SqlConnection(DBConnect);
cmd = new SqlCommand(sqlStr.ToString(), myconn);
DataTable dt = new DataTable();
SqlDataAdapter da = new SqlDataAdapter(cmd);
da.Fill(dt);
Note that you are instantiating cmd twice. The code adds the parameters to the first SqlCommand instance, but executes the second instance.
To resolve, ensure you declare the parameters on the instance of SqlCommand you invoke:
public string getPosition(string nric)
{
string dbPosition = "";
int result = 0;
// remove this line: SqlCommand cmd = new SqlCommand();
StringBuilder sqlStr = new StringBuilder();
sqlStr.AppendLine("SELECT Position from Position ");
sqlStr.AppendLine("where NRIC = #paraNRIC");
// move parameter declaration until after you declare cmd
try
{
SqlConnection myconn = new SqlConnection(DBConnect);
SqlCommand cmd = new SqlCommand(sqlStr.ToString(), myconn);
// add the parameters here:
cmd.Parameters.AddWithValue("#paraNRIC", nric);
// code continues
You could change this line
sqlStr.AppendLine("where NRIC = #paraNRIC");
To This
sqlStr.AppendLine("where NRIC = '" + nric + "'");
and avoid parameters altogether.
I don't understand it. This code should work, but there must be something I've done wrong.
Can anyone see what I've done wrong?
string username = tbNewUSER.Text.Trim();
string password = tbNewPass.Text.Trim();
string role = "USER";
string str = "insert into UserValidation (USERNAME, PASSWORD, ROLE) values ('" + username + "','" + password + "','" + role + "')";
MessageBox.Show(username + " Registered", "User registration",MessageBoxButtons.OK, MessageBoxIcon.Information);
clsDB.InsUpDel(str);
And this is the follow up:
public static int InsUpDel(string str)
{
if (!(conn.State == ConnectionState.Open))
conn.Open(); //open connection if closed
int numRows = 0; //counter that checks number of rows affected in the db
try
{
SqlCommand cmd = new SqlCommand(str, conn);
numRows = cmd.ExecuteNonQuery();
cmd = null;
}
catch (SqlException ex)
{
string errorMsg = ex.Message; //more code can be put here
}
if (conn.State == ConnectionState.Open)
conn.Close();
return numRows;
}
Thank you.
Side notes:
Always use parameters for your queries and never string concatenation. For fun see Bobby Tables
Do not use static, there are not many places you need this.
Dont share database connections, create them and destroy them as needed.
Do not store passwords as plain text ever!
Do not catch exceptions you do not plan to handle. Log them and rethrow (using throw;) or do not catch at all. This last one will help you figure out why "its not working"
Updated code
public void UpdateUser() {
var userModel = new UserModel {
Username = tbNewUSER.Text.Trim(),
Password = tbNewPass.Text.Trim(),
Role = "USER"
};
var result = UpdateUser(userModel);
}
public int UpdateUser(UserModel user)
{
const string str = "insert into UserValidation (USERNAME, PASSWORD, ROLE) values (#userName, #password, #role)";
using(var conn = new SqlConnection("your connection string here, hint best to get it from the app.config"))
using(var command = new SqlCommand(str, conn))
{
command.Parameters.Add(new SqlParameter("#userName", SqlDbType.VarChar, 255) {Value = user.UserName});
command.Parameters.Add(new SqlParameter("#password", SqlDbType.VarChar, 255) {Value = user.Password});
command.Parameters.Add(new SqlParameter("#role", SqlDbType.VarChar, 255) {Value = user.Role});
conn.Open();
return cmd.ExecuteNonQuery();
}
}
UserModel.cs
public class UserModel {
public string UserName {get;set;}
public string Password {get;set;}
public string Role {get;set;}
}
I have functions that is being called within a WCF service function and I get the exception stated above at the subcategoriesGenerator function on the excute reader line
isn't it supposed for the cmd created in the second function to a completely different instance than the other one
please I'm confused and I need help ant suggestions?
public static List<Category> categoryGenerator(ref SqlConnection con)
{
Category category = null;
List<Category> list = null;
List<SubCategory> subcategoryList = null;
string categoryName = null;
string categoryLink = null;
SqlCommand cmd = new SqlCommand("sp_categoriesgenerator", con);
SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.CloseConnection);
while(reader.Read())
{
categoryName = reader["CategoryName"].ToString();
categoryLink = reader["CategorySEO"].ToString() + "/";
subcategoryList = subcategoriesGenerator(ref con, Convert.ToInt32(reader["CategoryId"].ToString()));
category.categoryName = categoryName;
category.categoryLink = categoryLink;
category.subcategories = subcategoryList;
list.Add(category);
category = null;
}
reader.Close();
return list;
}//end CategoryGenerator
public static List<SubCategory> subcategoriesGenerator(ref SqlConnection con, int categoryId)
{
SubCategory subcategory = null;
List<SubCategory> list = null;
string SubCategoryName = null;
string SubCategoryLink = null;
SqlCommand cmd = new SqlCommand("sp_subcategoriesgenerator", con);
cmd.Parameters.AddWithValue("#categoryID", categoryId);
SqlDataReader reader = cmd.ExecuteReader();
while(reader.Read())
{
SubCategoryName = reader["SubcategoryName"].ToString();
SubCategoryLink = reader["CategorySEO"].ToString() + "/" + reader["SubcategorySEO"] + "/";
subcategory.subcategoryName = SubCategoryName;
subcategory.subcategoryLink = SubCategoryLink;
list.Add(subcategory);
subcategory = null;
}
reader.Close();
return list;
}// end subcategoriesGenerator
You can't open another reader in your connection while you have an open reader. You have to extract the call of the function "subcategoriesGenerator" outside of your first while-statement or create a second database-connection. I prefer this solution:
First, collect all categories
Second, loop over all categories and query the subcategories and append them to your category-object
private void Button1Click(object sender, EventArgs e)
{
var dt = new DataTable();
const string Connectionstring = "Data Source=GARETH-PC1;Initial Catalog=Genres;Integrated Security=True";
using (var con = new SqlConnection(Connectionstring))
{
con.Open();
var query = "Select Username From Login Where Username ='" + ComboBox1.SelectedText + "' Password ='" + textBox2.Text + "'";
using (var sda = new SqlDataAdapter(query, con))
{
sda.Fill(dt);
}
}
if (dt.Rows[0].ItemArray.GetValue(0).ToString() == "1")
{
Hide();
var ss = new Main();
ss.Show();
}
else
{
MessageBox.Show("Invalid Username or Password");
}
}
The if (dt.Rows[0].ItemArray.GetValue(0).ToString() == "1") - Returns an error saying there's nothing in the table... But there is ..any suggestions?
Maybe you can try like this:
dt.Rows[0]["ColumnName"].ToString()
This is working for me.
I would change your code in this way.
First, change to a parameterized query instead of a string concatenation (Sql Injection and parsing)
Second, use the count property to check if you have found a record or not
private void Button1Click(object sender, EventArgs e)
{
var dt = new DataTable();
const string Connectionstring = "Data Source=GARETH-PC1;Initial Catalog=Genres;Integrated Security=True";
var query = "Select Username From Login Where Username =#uname AND Password=#pwd";
using (var con = new SqlConnection(Connectionstring))
using (var cmd = new SqlCommand(query, con)
{
con.Open();
cmd.Parameters.AddWithValue("#uname", ComboBox1.SelectedText);
cmd.Parameters.AddWithValue("#pwd", textBox2.Text);
using (var sda = new SqlDataAdapter(cmd))
{
sda.Fill(dt);
}
}
if (dt.Rows.Count > 0)
{
Hide();
var ss = new Main();
ss.Show();
}
else
{
MessageBox.Show("Invalid Username or Password");
}
}
As a side note, it is a very bad idea to store passwords in plain text inside a database. You should consider to use an HASH and store it instead of the plain password.
I'm very new to programing and am trying to link a database to a website. I want the website to allow a user to make a username (OrgID) and password (OrgPassword) and have them apear in my database table (Organizer). This is the code I have so far, but I cannot get it to update the information in the database. Does anyone have any suggestions?
protected void RegisterUser_CreatedUser(object sender, EventArgs e)
{
if (txtUserName.Text != "" && OrgPassword.Text !="")
{
string cnnString = "Provider= Microsoft.ACE.OLEDB.12.0; Data Source =C:/Users/codym/Desktop/Fall 2011/Information Systems/Project/CampuSpaceDatabase2.accdb";
OleDbConnection cnx = new OleDbConnection(cnnString);
OleDbDataAdapter adapter = new OleDbDataAdapter();
string cmdText= "SELECT * FROM Organizer";
OleDbCommand cmd = new OleDbCommand(cmdText, cnx);
adapter.SelectCommand= cmd;
adapter.Fill(Organizer);
Session["Organizer"]= Organizer;
Organizer= ((DataTable)Session["Organizer"]);
string orgname = OrgID.Text;
string orgpass = OrgPassword.Text;
foreach (DataRow in Organizer.Rows)
{
if(row["OrgID"].ToString() == orgname & row["OrgPassword"].ToString() == orgpass)
{
errLabel.Text = "Welcome "+ row["OrgID"].ToString();
return;
}
else
{
errLabel.Text = "OrgID/Password Invalid";
return;
}
}
}
}
It looks like you are missing opening the connection:
OleDbConnection cnx = new OleDbConnection(cnnString);
cnx.Open();