1

First image of the program

I have a program that allows the user to upload pictures on their pets. You can then upload 5 different images, and all these images are saved in a specific folder. Then the path itself is saved in the database.

First, press "combobox" and in this list you will find all the pets you have entered into the program. Then select "Load image". This image will then be saved in a folder and path in the database. But if you upload one more image, with the same pet. This image will also be saved in the same folder. What I want to do is delete the previous image and then update the database with the new path. Well, I hope you understand what I need.

 private void btn_upload_Click(object sender, EventArgs e) //Load image
    {
        if (string.IsNullOrEmpty(combo_dogname.Text) || string.IsNullOrWhiteSpace(combo_dogname.Text))
        {
            MessageBox.Show("Du måste välja en hund!");

        }
        else
        {
            OpenFileDialog opFile = new OpenFileDialog();
            opFile.Title = "Välj en bild";
            opFile.Filter = "jpg files (*.jpg)|*.jpg|All files (*.*)|*.*";

            string appPath = Path.GetDirectoryName(Application.ExecutablePath) + @"\UserImages\";
            if (Directory.Exists(appPath) == false)
            {
                Directory.CreateDirectory(appPath);
            }

            if (opFile.ShowDialog() == DialogResult.OK)
            {
                try
                {
                    string iName = opFile.SafeFileName;   // <---
                    string filepath = opFile.FileName;    // <---
                    File.Copy(filepath, appPath + iName); // <---
                    pbox_jordbruksverket.Image = new Bitmap(opFile.OpenFile());
                    path = filepath;
                    name = iName;
                    saveContent();
                }
                catch
                {
                    if (File.Exists(appPath))
                    {
                        File.Delete(appPath);
                        MessageBox.Show("Filen finns redan!");
                    }
                }
            }
            else
            {
                opFile.Dispose();
            }
        }   
    }
    //Strings
    public static string path;
    public static string name;
    //Save content after uploading image.
    public void saveContent()
    {
        con.Open();
        SqlCommand Rem = con.CreateCommand();
        Rem.CommandType = CommandType.Text;
        string sqlAdd = "INSERT INTO lexidatabase.dbo.tbl_jordbruksverket (username, dogname, img) values('" + Login.username + "', '" + combo_dogname.Text + "', '" + path + "')";
        SqlCommand cmd = new SqlCommand(sqlAdd, con);
        cmd.ExecuteNonQuery();
        MessageBox.Show("Bild sparad");
        con.Close();
    }
    //Removing all images from the selected pet.
    private void btn_removeImg_Click(object sender, EventArgs e)
    {
        if(string.IsNullOrEmpty(combo_dogname.Text) || string.IsNullOrWhiteSpace(combo_dogname.Text))
        {
            MessageBox.Show("Du måste välja hund först!");
        }
        else
        {
            con.Open();
            SqlCommand remove = con.CreateCommand();
            remove.CommandType = CommandType.Text;
            string sqlRemove = "DELETE FROM lexidatabase.dbo.tbl_jordbruksverket WHERE username = '" + Login.username + "' AND dogname = '" + combo_dogname.Text + "'";
            SqlCommand cmd = new SqlCommand(sqlRemove, con);
            cmd.ExecuteNonQuery();
            MessageBox.Show("Bild borttagen!");
            con.Close();
        }
    }
Stefan
  • 17,448
  • 11
  • 60
  • 79
  • Side note: `if (Directory.Exists(appPath) == false)` is redundant and can be dropped; `if (File.Exists(appPath))` can be dropped as well – Dmitry Bychenko Sep 04 '18 at 10:17
  • 2
    Your code has serious sql-injection vulnerability that could allow malicious users to get access to your database quite easily or even delete/alter data there. Always use [parameterized queries](https://software-security.sans.org/developer-how-to/fix-sql-injection-microsoft-.net-with-parameterized-queries)! – Esko Sep 04 '18 at 10:18
  • @DmitryBychenko How do you mean, be dropped? Are they useless or? –  Sep 04 '18 at 10:20
  • 1
    @Esko I will look into that, thank you very much. –  Sep 04 '18 at 10:20
  • 1
    @LolPrezy: you don't have to check if directory exists when creating the directory: `Directory.CreateDirectory(appPath);` either creates a directory or do nothing (if dir exists). The same with `File.Delete` if file exists it'll be deleted otherwise nothing will be done – Dmitry Bychenko Sep 04 '18 at 10:22
  • _"This image will also be saved in the same folder. What I want to do is delete the previous image"_ - so get the image's path from the database for the selected dog and delete it..? – stuartd Sep 04 '18 at 10:36
  • Please don't forget to edit your commands. Easy use for sql injection! use parameters instead – Oswald Sep 04 '18 at 11:37
  • @Esko https://gyazo.com/28efbdd21cf889295e499e327c452da0 Is it better now?? –  Sep 04 '18 at 12:15
  • @Oswald https://gyazo.com/28efbdd21cf889295e499e327c452da0 Is it better now? –  Sep 04 '18 at 12:15
  • @LolPrezy: yes it is. Don't forget to do it at the delete command too. – Oswald Sep 04 '18 at 12:16
  • @LolPrezy Yes! Glad to see someone who takes this seriously and is willing to learn new things and make the world a little better place :) – Esko Sep 04 '18 at 12:19
  • @Oswald I've already. It's only like 30 more to go xd You guys have any idea why a parameter is helping against SQL injection? –  Sep 04 '18 at 12:22
  • @LolPrezy Simple answer: The values will be encoded. Full Answer: https://stackoverflow.com/questions/14376473/what-are-good-ways-to-prevent-sql-injection – Oswald Sep 04 '18 at 12:23

0 Answers0