Click here to Skip to main content
15,897,704 members
Search within:


can not update table . error is : Implicit conversion from data type varchar to varbinary(max) is not allowed. Use the CONVERT function to run this query.
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
C#
I am trying to update table . the error is :Implicit conversion from data type varchar to varbinary(max) is not allowed. Use the CONVERT function to run this query.

C#
//convert image to byte
            MemoryStream ms = new MemoryStream();
            picperson.Image.Save(ms, picperson.Image.RawFormat);
            byte [] arrImage = ms.GetBuffer();
            ms.Close();


SQL
objconnection.Open();
                objcommand.CommandText =
                    "UPDATE profile SET  picture='"+arrImage+
                    "' WHERE id=" + txtid.Text;


in insert sql command i have not this error but when I use update command taken this error?
I want change image in database table where picture field type is varbinary.I picture field type is not image type. arrImage convert to byte then save to picture field with varbinary type.
I say where I have not problem with Insert sql command but update error.
Posted
Updated 29-Mar-13 9:01am
v2
Add a Solution

2 solutions

That won't work. Not as an INSERT, or as an UPDATE.
You might think it does, but...have a look at this: Why do I get a "Parameter is not valid." exception when I read an image from my database?[^] - it explains the basics of what is happening.

Now think: What does ToString return for a byte array?
Answer: "System.Byte[]"
And when you concatenate strings to form an SQL command, you end up with:
SQL
UPDATE profile SET  picture='System.Byte[]' WHERE id=888

So, instead, use parametrized queries:
C#
objcommand.CommandText = "UPDATE profile SET picture=@IM WHERE id=@ID";
objcommand.Parameters.AddWithValue("@ID", txtid.Text);
objcommand.Parameters.AddWithValue("@IM", arrImage);
This also has the advantage that your users can't damage or destroy your database by typing in the textbox and causing an SQL injection attack!
 
Share this answer
 
Posted
Comments
zxo004 29-Mar-13 15:26pm    
thanks. this works.
OriginalGriff 29-Mar-13 16:10pm    
You're welcome!
But do remember that you should use parametrized queries by default - SQL Injection is no joke! :)
Kenneth Haugland 29-Mar-13 16:21pm    
Just out of sheer curiosity how does one actually do that. I assume that one has to sniff at the connections being sendt and than send a try and error to the SQL server? It seems to be a rather heavy job?

I always use parameterized queries my self, as I have from the start (originally out of practical views) thought they were easyer to program, meaning easier to handle.
OriginalGriff 29-Mar-13 17:00pm    
Unfortunately, it's far, far too simple.
s = "SELECT * FROM customers WHERE id ='" + tb.Text + "'";
With the text box containing
1';DROP TABLE customers;--
Will do it.
Kenneth Haugland 29-Mar-13 17:16pm    
Thats nasty.
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month

Advertise
Privacy
Cookies
Terms of Use
Last Updated 29 Mar 2013
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web02 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900