
I tried to save two images from two picture boxes to the database, but the images are not added to their related columns; only the first image is saved to both columns. I need a solution for this issue (code below).

try
{
    if (isNIDValid == true & isNameValid == true & isFNameValid == true & isGFNameValid == true & isEmailValid == true & isPhoneValid == true)
    {
        // Only ONE image is ever read here (imageLocation), so there is nothing
        // to bind to the second photo column. The stream is disposed via using.
        byte[] img = null;
        using (FileStream fs = new FileStream(imageLocation, FileMode.Open, FileAccess.Read))
        using (BinaryReader br = new BinaryReader(fs))
        {
            img = br.ReadBytes((int)fs.Length);
        }

        // Text fields are concatenated straight into the SQL string (the
        // SQL-injection problem raised in the comments), while both photo
        // columns are bound to the same single parameter @img, which is why
        // the same image lands in NID_Photo and Owner_Photo.
        string sql = "insert into owner(NID, owner_name, F_Name, G_Name,Email,Phone_No, Gender,NID_Photo, Owner_Photo)values('" + txtnid.Text + "', '" + txtname.Text + "', '" + txtfathername.Text + "','" + txtgrandfathername.Text + "','" + txtEmail.Text + "','" + txtPhone.Text + "', '" + Gender + "', @img,@img)";

        Connectivity.openConnection();

        da.InsertCommand = new SqlCommand(sql, Connectivity.cn);
        da.InsertCommand.Parameters.Add(new SqlParameter("@img", img));
        int x = da.InsertCommand.ExecuteNonQuery();
        MessageBox.Show(x.ToString() + " Record Saved");
        showData("select * from owner");
    }
    else
        lblSaveError.Text = "Please re-enter the correct data.";
}
catch (Exception ex)
{
    MessageBox.Show(ex.Message);
}
  • Hi! Welcome to stackoverflow. Your code has a serious [sql-injection](https://www.owasp.org/index.php/SQL_Injection) vulnerability. Never concatenate parameters in sql-queries, always use [parameterized queries](https://stackoverflow.com/questions/542510/how-do-i-create-a-parameterized-sql-query-why-should-i). – Esko Aug 22 '19 at 07:10
  • You are using parameters for the image already. Just do the same for the other parameters. – Thomas Weller Aug 22 '19 at 07:20
  • This is not a coding service, we are not here to code for you. I merely gave you information in case you were not aware of this vulnerability. – Esko Aug 22 '19 at 07:20

1 Answer

In your query, you have 2 columns:

,NID_Photo, Owner_Photo

but you're inserting the photo with one parameter only:

, @img,@img

Use two parameters instead, like , @img, @owner.

Then, fill the owner photo the same way you did for @img:

da.InsertCommand.Parameters.Add(new SqlParameter("@owner", owner));
Thomas Weller
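As an added example (not the asker's or the answerer's code), here is the insert rewritten the way the answer and the comments together suggest: each photo column gets its own parameter, and every text field is bound as a parameter too instead of being concatenated into the SQL string. Names such as `InsertOwner`, `ReadImage`, the two image-path variables and the column sizes are assumptions for this example; the table and column names are the ones from the question. The caller passes the open `SqlConnection` (the question's `Connectivity.cn`).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.IO;

public static class OwnerRepository
{
    // Reads a whole file into memory and closes it afterwards
    // (the question's FileStream is never disposed).
    public static byte[] ReadImage(string path)
    {
        return File.ReadAllBytes(path);
    }

    // Inserts one owner row. Column names come from the question; the
    // parameter names and the NVarChar sizes are assumptions for this example.
    public static int InsertOwner(SqlConnection cn, string nid, string ownerName,
        string fName, string gName, string email, string phone, string gender,
        byte[] nidPhoto, byte[] ownerPhoto)
    {
        // Two photo columns, two distinct parameters. No user input is
        // concatenated into the statement, so there is nothing to inject into.
        const string sql =
            "INSERT INTO owner (NID, owner_name, F_Name, G_Name, Email, Phone_No, Gender, NID_Photo, Owner_Photo) " +
            "VALUES (@nid, @name, @fname, @gname, @email, @phone, @gender, @nidPhoto, @ownerPhoto)";

        using (var cmd = new SqlCommand(sql, cn))
        {
            cmd.Parameters.Add("@nid", SqlDbType.NVarChar, 50).Value = nid;
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = ownerName;
            cmd.Parameters.Add("@fname", SqlDbType.NVarChar, 100).Value = fName;
            cmd.Parameters.Add("@gname", SqlDbType.NVarChar, 100).Value = gName;
            cmd.Parameters.Add("@email", SqlDbType.NVarChar, 100).Value = email;
            cmd.Parameters.Add("@phone", SqlDbType.NVarChar, 30).Value = phone;
            cmd.Parameters.Add("@gender", SqlDbType.NVarChar, 10).Value = gender;

            // Size -1 means varbinary(max). A missing picture is sent as NULL
            // rather than as an empty byte[] or a repeat of the other image.
            cmd.Parameters.Add("@nidPhoto", SqlDbType.VarBinary, -1).Value =
                (object)nidPhoto ?? DBNull.Value;
            cmd.Parameters.Add("@ownerPhoto", SqlDbType.VarBinary, -1).Value =
                (object)ownerPhoto ?? DBNull.Value;

            return cmd.ExecuteNonQuery(); // number of rows inserted (1 on success)
        }
    }
}

// Usage from the form's save handler (assumed names nidImagePath and
// ownerImagePath hold the two picture-box file locations):
//
//   byte[] nidPhoto   = OwnerRepository.ReadImage(nidImagePath);
//   byte[] ownerPhoto = OwnerRepository.ReadImage(ownerImagePath);
//   int rows = OwnerRepository.InsertOwner(Connectivity.cn, txtnid.Text, txtname.Text,
//       txtfathername.Text, txtgrandfathername.Text, txtEmail.Text, txtPhone.Text,
//       Gender, nidPhoto, ownerPhoto);
```

Binding the photos with explicit `SqlDbType.VarBinary` and size -1 avoids the driver inferring a fixed length from the first image, and passing `DBNull.Value` for a missing picture keeps the two columns independent of each other, which is the point of the answer.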