I have created a small WinForms Application (.Net 4.8, SQL Server 18). Now I want to update a picture in my database. For that I have created this method:
public void UpdateBild(string picturepath, int id){ string bildupdate = string.Format("UPDATE {0} set bild = (SELECT BulkColumn FROM OPENROWSET(BULK N'@pic', SINGLE_BLOB) AS x) where persid = @id", Klassen.Data.Gettabellenname()); try { SqlVerb(); com.CommandText = bildupdate; com.Parameters.AddWithValue("@pic", picturepath); com.Parameters.AddWithValue("@id", id); com.ExecuteNonQuery(); } catch (SqlException sqex) { } catch (Exception ex) { } finally { DBVerbindung.DBVerb.scon.Close(); }}The picturepath will be set like that from a textbox:
picturepath = tbDateiPfad.Text;and it will be passed to the method like:
DBVerbindung.SQLStatements upbild = new DBVerbindung.SQLStatements();upbild.UpdateBild(picturepath, id);If the method gets executed, I get the error ‘Picture not found’.
I think there is a problem with the file path because, if I execute the UPDATE statement directly in database with the filepath (copy from dircetory search) it is working fine.
So can you please help me, how I can pass the filepath from textbox in correct form to the paramter for the SQL query.
Advertisement
Answer
The filename must be specified as a string literal instead of parameter for OPENROWSET so you’ll need to specify that value in the SQL statement string:
string bildupdate = string.Format("UPDATE {0} set bild = (SELECT BulkColumn FROM OPENROWSET(BULK N'{1}', SINGLE_BLOB) AS x) WHERE persid = @id;", Klassen.Data.Gettabellenname(), picturepath);try{ SqlVerb(); com.CommandText = bildupdate; com.Parameters.Add("@id", SqlDbType.Int).Value = id; com.ExecuteNonQuery();…Note the table name and file name values must be obtained from trusted sources and validated since the values are not parameterized. Also, avoid AddWithValue.