How do I retrieve multiple images and display them inside a panel control from an SQL database?

Question

0.00/5 (No votes)

See more:

So, during my time coding, I have been trying to display my pictures that are inside an sql database to a panel control. How I am trying to set it up is for images that have imageID = 1 will be placed into the panel control. I would like to get it where it matched up with other tables so if I click on a person and their ID = whatever number any images associated with that number will come up in the panel control.

Here is my code:

  sqlcon.Open()
            Dim cmd As SqlClient.SqlCommand
            Dim sql As String = "SELECT Images FROM [Table] WHERE ImageID= '" + DataGridView1.Rows(I).Cells(2).Value.ToString + "'"
            cmd = New SqlClient.SqlCommand(sql, sqlcon)

            Dim img() As Byte = DataGridView1.Rows(0).Cells(1).Value

                Dim ms1 As New System.IO.MemoryStream(img)
                Dim pic As New PictureBox()
                pic.Image = Image.FromStream(ms1)
                pic.SizeMode = PictureBoxSizeMode.StretchImage

                pic.SetBounds(wid, 20, 200, 100)
                ' pic.Location = New Point(10, pic.Height)
                AddHandler pic.Click, AddressOf convertPic
                Me.Panel1.Controls.Add(pic)
                wid += 205

                cmd.ExecuteNonQuery()
                sqlcon.Close()
Next

the problem I am having is its only displaying 1 image, and it stays just that first image.

What I have tried:

I have tried to change the numbers in the ImageID column, but that still ended up with the same result. I think the way I have set up my code the memory stream is reading only one image, but I do not know how to make it read more than one image.

Posted 29-Jun-17 18:49pm

Member 11856456

Updated 29-Jun-17 19:25pm

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Answer 1 · 2017-06-29T19:25:00

You don't read any data from your DB at all!
Or rather, you do - badly - but you then ignore or discard it.

For starters, don't use ExecuteNonQuery with a SELECT command - a SELECT is by definition a Query! You need an ExecuteScalar or more likely ExecuteReader, or to use a DataAdapter instead.
Second, never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
Third, you ignore any data you might have read and always create your image from the same row and cell of your DataGridView.

I think you need to walk away, have a chat or a cup of coffee with someone, then come back and look again at that whole code, because there isn't a lot there that looks like you want to keep it.

Quote:
I fixed the code where I can get images and place them in SQL into a single table like you told me too. I even made an ImageID and regular ID column. I am just trying to figure this last part out and that will get this one portion of my program completed. Anyways, I have never used a executerscalar or executereader so far. When you mean concentate you mean the "'"?

Concatenation is the process of "adding strings together" - and in SQL terms, it's extremely dangerous.
When you do something like this:

VB

Dim sql As String = "SELECT Images FROM [Table] WHERE ImageID= '" + DataGridView1.Rows(I).Cells(2).Value.ToString + "'"

You are concatenating three strings: the beginning with the SELECT, the content of a cell, and a trailing quote. That works, but only if the content is exactly what you think it is, and that';s dangerous. If the cell is modified to contain

1';DROP TABLE Images;--

for example, then SQL gets the command:

SQL

SELECT Images FROM [Table] WHERE ImageID= '1';DROP TABLE Images;--'

Which is completely valid SQL: it's three commands. The first selects your data, the second deletes your table, and the third comments out anything after that.
That's called SQL Injection and it's not a joke: xkcd: Exploits of a Mom[^] - people do try this. The 2011 UK census was the first you could complete online, and within half an hour of it going live people were complaining because SQL Injection didn't work!
It can be used to alter, delete, or read your DB; or to bypass password checking, or anything else the user wants to do that you would probably much rather he didn't...
Never, ever, concatenate SQL commands - always use parameterised queries.