0

I insert picture paths into the database, and when I get the path back I display them with an img tag.

I can do that, but I couldn't find the methods that I have to write after the SQL query.

What do I have to write after the SQL query?

In Page_Load my select command works.

    c = new Common(ConfigurationManager.ConnectionStrings["ahapp"]);   // c is the Common helper class
    string sql = "select Query";
    string str = "";
    DataTable dt = c.GetDataTable(sql);
    foreach (DataRow item in dt.Rows)
    {
        // build one <img> tag per stored path
        str += "<img src='" + item["path"].ToString() + "' style='width:100px' />";
    }

    dokList.InnerHtml = str;

This code always says: (screenshot of the error message, not reproduced here)

    sql = "INSERT INTO DR_OZLUK VALUES(3," + ddlDoktor.SelectedValue + "," + belgeid + ",3," + str + ",1)";
    SqlCommand cmd = new SqlCommand(sql, c);   // c is the Common object from Page_Load
    cmd.ExecuteNonQuery();

6 Answers

2

The insert statement is vulnerable to SQL injection, but the problem has nothing to do with the SQL statement. The problem is that you are passing the Common class instead of a Connection object to the SqlCommand object.

Try this code snippet:

using System.Data;
using System.Data.SqlClient;

string connStr = "connection string here";
string sqlStatement = "INSERT INTO DR_OZLUK VALUES (3, @val1, @val2, 3, @val3, 1)";
using (SqlConnection conn = new SqlConnection(connStr))
{
    using (SqlCommand comm = new SqlCommand())
    {
        comm.Connection = conn;             // an SqlConnection, not the Common wrapper
        comm.CommandText = sqlStatement;
        comm.CommandType = CommandType.Text;

        // bind the values as parameters instead of concatenating them into the SQL text
        comm.Parameters.AddWithValue("@val1", ddlDoktor.SelectedValue);
        comm.Parameters.AddWithValue("@val2", belgeid);
        comm.Parameters.AddWithValue("@val3", str);

        try
        {
            conn.Open();
            comm.ExecuteNonQuery();
        }
        catch (SqlException e)
        {
            // do something with the exception (log it, show e.Message)
            // do not hide it
            throw;
        }
    }
}

For proper coding:

  • use the using statement for proper object disposal
  • use a try-catch block to properly handle objects
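The same fix carried through both halves of the question, as an added example (not code from the question or from any answer): the insert with a real SqlConnection and typed parameters, and the image loop with the path attribute-encoded before it goes into InnerHtml. It assumes DR_OZLUK has the six positional columns the question inserts into and a column named path, as in the question's read loop.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Text;
using System.Web;

// Assumed (not stated on the page): DR_OZLUK has the six positional columns the
// question inserts into, and its path column is named "path" as in the read loop.
public static class DokumanRepository
{
    // Insert one row. Every caller-supplied value is bound as a typed parameter,
    // so the dropdown value and the path can never alter the SQL text.
    public static int SaveDocument(string connStr, int doktorId, int belgeId, string path)
    {
        const string sql = "INSERT INTO DR_OZLUK VALUES (3, @doktorId, @belgeId, 3, @path, 1)";
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))   // (cmdText, connection), not the Common wrapper
        {
            cmd.Parameters.Add("@doktorId", SqlDbType.Int).Value = doktorId;
            cmd.Parameters.Add("@belgeId", SqlDbType.Int).Value = belgeId;
            cmd.Parameters.Add("@path", SqlDbType.NVarChar, 260).Value = path;
            conn.Open();
            return cmd.ExecuteNonQuery();             // rows affected; 1 on success
        }
    }

    // Read the stored paths back (the question does this through c.GetDataTable).
    public static List<string> LoadPaths(string connStr)
    {
        var paths = new List<string>();
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand("SELECT path FROM DR_OZLUK", conn))
        {
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
                while (r.Read()) paths.Add(r.GetString(0));
        }
        return paths;
    }

    // Build the markup the question assigns to dokList.InnerHtml. The attribute is
    // double-quoted and the path is attribute-encoded, so a stored value containing
    // a quote or angle bracket is shown as text instead of ending the src attribute.
    public static string RenderImages(IEnumerable<string> paths)
    {
        var sb = new StringBuilder();
        foreach (string p in paths)
            sb.Append("<img src=\"").Append(HttpUtility.HtmlAttributeEncode(p))
              .Append("\" style=\"width:100px\" />");
        return sb.ToString();
    }
}
```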

2

Your c object seems to be something other than an SqlConnection type. What is that Common class? The SqlCommand takes two parameters. The first one is a string which is either an SQL statement or the name of a stored procedure, and the other argument is an object of type SqlConnection.

0

I think c should be a connection object.

c = new Common

You are passing c in place of the connection object.

The signature of the SqlCommand constructor used to create the object is

public SqlCommand(
    string cmdText,
    SqlConnection connection
)

So according to it your second argument must be a connection object. That is the reason it's giving you an error: you are passing a Common class object to create the command object. Visit the MSDN link to get more: http://msdn.microsoft.com/en-us/library/877h0y3a.aspx

0
Or try this. This sample code is very secure and works 100% of the time; you can copy and paste it, but you must put in your connection string and table.

    string connectionStr = "connection string STRING";
    string sqlQuery = "INSERT INTO yourtable VALUES (ID, @pam1, @pam2)";
    string fromcontrol = "test"; // this is a string just for the test

    // Go to the database and execute the query, but inside try/catch, because if
    // you have a problem with the connection it will tell you
    try
    {
        using (SqlConnection conn = new SqlConnection(connectionStr))
        using (SqlCommand komand = new SqlCommand(sqlQuery, conn)) // (query, connection): command text first, then the connection
        {
            komand.Parameters.AddWithValue("@pam1", fromcontrol);
            komand.Parameters.AddWithValue("@pam2", fromcontrol);

            conn.Open();
            komand.ExecuteNonQuery();
        } // the using blocks close and dispose the command and the connection, even when an exception is thrown
    }
    catch (SqlException e)
    {
        // throw your exception to javascript or the response: e.Message + " SQL connection or query error";
        throw;
    }
    catch (Exception ex)
    {
        // throw your exception to javascript or the response: ex.Message + " system error";
        throw;
    }

0

Thank you everyone. I found the solution. I added this code c.GetExecuteNonQuery(sql); and made c global.

0

Either your c is not an SqlConnection, or your IDE has another error that is being confused with the error you have pasted. Sometimes VS2010 gets broken when showing errors.