By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
460,028 Members | 1,108 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 460,028 IT Pros & Developers. It's quick & easy.

dynamically added sqlcommand string fails while static string works properly

P: 1
Hi Everyone,

I have a problem that is quite frusturating.

I am passing in an image from a database, which is to be accessed in an image button. When I dynamically add the string for an sql command, the image is not found, and a red X appears in place of the image. However, when I use a static string, everything works and the image is there.

I have tested my code, and special characters is not the problem.

I posted my code below.



Expand|Select|Wrap|Line Numbers
  1. public void ProcessRequest(HttpContext context) 
  2. {
  3. string image_name = context.Request.QueryString["image_name"]; 
  5. string connString = @"Data Source=WOLVERINE;user id=sa;password=Osprey22;database=FileUpload";SqlConnection connection = new SqlConnection(connString); 
  7. connection.Open();
  9. StringBuilder sb = new StringBuilder();sb.AppendFormat("SELECT image_data FROM Available_Pics where image_name = '{0}'", image_name); 
  11. // SqlCommand command = new SqlCommand(sb.ToString(), connection);
  12. // The above SqlCommand fails even though sb.ToString() has an identical string to the one shown below that is
  13. // passed into the function.
  14. // Why would a string created dynamically not work, yet a static string like the one below work successfully ?
  16. SqlCommand command = new SqlCommand("SELECT image_data FROM Available_Pics where image_name = 'test'", connection);SqlDataReader dr = command.ExecuteReader(); 
  17. dr.Read();
  19. context.Response.BinaryWrite((Byte[])dr[0]);
  20. context.Response.ContentType = "image/png"; 
  21. connection.Close();
  22. context.Response.End();
  24. }
Jun 16 '09 #1
Share this Question
Share on Google+
2 Replies

Expert 2.5K+
P: 3,525
Somewhere there is a difference between the two that you just aren't/can't see. Maybe a null on the end for example. Check them both via breakpoints. Heck, use both at the same time and do a comparrison of the two variables to see if they are the same and so you can see them side by side.

Expand|Select|Wrap|Line Numbers
  1. if (string1 == string2) console.writeline("same");
Have you tried it NOT using a stringbuilder, but just a string?
Expand|Select|Wrap|Line Numbers
  1. string sb = string.format("SELECT image_data FROM Available_Pics where image_name = '{0}'", image_name); 
  2. SqlCommand command = new SqlCommand(sb, connection);
You may also want to either trim or add a null at the end as needed by your query (I don't know which is right for query strings)

Expand|Select|Wrap|Line Numbers
  1. string sb = string.format("SELECT image_data FROM Available_Pics where image_name = '{0}'", image_name).trimend('\0');
Jun 16 '09 #2

Expert Mod 5K+
P: 9,731
When you build an SQL statement directly from user input as you are doing you leave your self open to a SQL Injection Attack.

Instead of doing what you're doing to create the SQL statement, consider using Parameters instead.

I believe this will fix your problem and it will protect you against a SQL Injection Attack.

See this article on how to use a database in your program for an example of how to use parameters.

Jun 16 '09 #3

Post your reply

Sign in to post your reply or Sign up for a free account.