
I am creating a page which adds a product to my SQL table. I have seen and modified a snippet of code for my needs.

    string contentType = ImageUpld.PostedFile.ContentType;
    using (Stream fs = ImageUpld.PostedFile.InputStream)
    {
        using (BinaryReader br = new BinaryReader(fs))
        {
            byte[] bytes = br.ReadBytes((Int32)fs.Length);
            SqlConnection conn = new SqlConnection(WebConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
            SqlCommand cmd = new SqlCommand("INSERT INTO Products (Name, Image, Price, Desc, Author, Preview, ContentType ) VALUES ('" + Nametxt.Text + "', '" + bytes + "', '" + Pricetxt.Text + "', '" + Desctxt.Text + "', '" + Session["UserName"] + "', '" + Previewtxt.Text + "')", conn);
            cmd.CommandType = CommandType.Text;
            using (conn)
            {
                conn.Open();
                SqlDataReader rdr = cmd.ExecuteReader();
                conn.Close();
            }
        }
    }

Visual Studio highlights `cmd.ExecuteReader();` and then says:

An exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll but was not handled in user code

Additional information: Incorrect syntax near the keyword 'Desc'.

Liam

  • What is the value of `Desctxt.Text` at the time of the error? – Hank Nov 17 '16 at 17:06
  • I smell SQL injection. Change your query to a parameterized query. http://stackoverflow.com/questions/7505808/why-do-we-always-prefer-using-parameters-in-sql-statements – Oluwafemi Nov 17 '16 at 17:07
  • `desc` is a SQL reserved word. Try `[desc]` (or better yet don't use reserved words as field names). – Paul Abbott Nov 17 '16 at 17:07

1 Answer


`desc` is a keyword; place it in square brackets, e.g. `[desc]`.
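A rewrite of the question's INSERT that combines the answer's `[Desc]` fix with the parameterized query the comments recommend. This is an added example, not code from the question, the answer, or the comments. It assumes the Products table described in the question, with Image stored as varbinary(max) and Price as decimal(10,2); the nvarchar lengths are placeholders that should match the real column definitions, and `ProductRepository` / `InsertProduct` are hypothetical names.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.IO;
using System.Web;
using System.Web.Configuration;

// Added example, not code from the question or the answer. Assumes the
// Products table from the question; column types and lengths below are
// placeholders that should match the real schema.
public static class ProductRepository
{
    public static int InsertProduct(HttpPostedFile upload, string name, string priceText,
                                    string desc, string author, string preview)
    {
        // Read the uploaded image as raw bytes. ContentLength is the size of
        // the posted file, so no cast of Stream.Length is needed.
        byte[] imageBytes;
        using (var reader = new BinaryReader(upload.InputStream))
        {
            imageBytes = reader.ReadBytes(upload.ContentLength);
        }

        // [Desc] is bracketed because DESC is a reserved word; that is what
        // produced "Incorrect syntax near the keyword 'Desc'". The column list
        // and the VALUES list both have seven entries (the original listed
        // seven columns but only six values). Every value is a parameter, so
        // user input is never spliced into the SQL text, and the byte[] reaches
        // the server as binary data rather than the string "System.Byte[]"
        // that string concatenation produces.
        const string sql =
            "INSERT INTO Products (Name, Image, Price, [Desc], Author, Preview, ContentType) " +
            "VALUES (@Name, @Image, @Price, @Desc, @Author, @Preview, @ContentType)";

        // Price is validated as a number here instead of being trusted as text;
        // a malformed value throws before anything reaches the database.
        decimal price = decimal.Parse(priceText, NumberStyles.Number, CultureInfo.InvariantCulture);

        string connStr = WebConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 200).Value = name;
            cmd.Parameters.Add("@Image", SqlDbType.VarBinary, -1).Value = imageBytes; // -1 = varbinary(max)
            SqlParameter priceParam = cmd.Parameters.Add("@Price", SqlDbType.Decimal);
            priceParam.Precision = 10;
            priceParam.Scale = 2;
            priceParam.Value = price;
            cmd.Parameters.Add("@Desc", SqlDbType.NVarChar, -1).Value = desc;
            cmd.Parameters.Add("@Author", SqlDbType.NVarChar, 100).Value = author;
            cmd.Parameters.Add("@Preview", SqlDbType.NVarChar, -1).Value = preview;
            cmd.Parameters.Add("@ContentType", SqlDbType.NVarChar, 100).Value = upload.ContentType;

            conn.Open();
            // An INSERT returns no result set, so ExecuteNonQuery (which returns
            // the affected row count) replaces the ExecuteReader call.
            return cmd.ExecuteNonQuery();
        }
    }
}

// Call from the page's button handler with the controls from the question, e.g.:
// ProductRepository.InsertProduct(ImageUpld.PostedFile, Nametxt.Text, Pricetxt.Text,
//     Desctxt.Text, Convert.ToString(Session["UserName"]), Previewtxt.Text);
```

Bracketing `[Desc]` alone clears the reported syntax error, but the same concatenated query would still break on any text box containing a single quote and would still store `System.Byte[]` in the Image column; passing every value through `SqlParameter` removes both problems at once, which is why the parameterized form is the one worth keeping.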