Sudden cast problem using executescalar
-
Hi ! Here is the snip of code in question:
.......
sql = "select " + picField + " from " + table + " where " + where;
conn = new SqlConnection(connectionstring);
byte[] picture = (byte[])ExecuteScalar(sql); // Shows error
Image source = Image.FromStream(new MemoryStream(picture));
Image th = source.GetThumbnailImage(w, h, null, IntPtr.Zero);
.......
public object ExecuteScalar(string strCommand)
{
object res=null;
conn.Open();
SqlCommand cmd = new SqlCommand(strCommand, conn);
try
{
res = cmd.ExecuteScalar();
}
catch(Exception e)
{ res = e.Message; }
finally
{
conn.Close();
}
return res;
}It worked like a sharm some time ago. Code was not changed. The table definition also was not changed and field declaration is as follows: [Picture_Image] [image] NOT NULL But now I get error: unable to cast object of type 'system.string' to type 'system.byte ' I suppose that something may be changed in the server and/or DB settings. But what ?? Can somebody please shed a light on this issue? Thanks in advance. Regards, Gennady
My English is permanently under construction. Be patient !!
-
Hi ! Here is the snip of code in question:
.......
sql = "select " + picField + " from " + table + " where " + where;
conn = new SqlConnection(connectionstring);
byte[] picture = (byte[])ExecuteScalar(sql); // Shows error
Image source = Image.FromStream(new MemoryStream(picture));
Image th = source.GetThumbnailImage(w, h, null, IntPtr.Zero);
.......
public object ExecuteScalar(string strCommand)
{
object res=null;
conn.Open();
SqlCommand cmd = new SqlCommand(strCommand, conn);
try
{
res = cmd.ExecuteScalar();
}
catch(Exception e)
{ res = e.Message; }
finally
{
conn.Close();
}
return res;
}It worked like a sharm some time ago. Code was not changed. The table definition also was not changed and field declaration is as follows: [Picture_Image] [image] NOT NULL But now I get error: unable to cast object of type 'system.string' to type 'system.byte ' I suppose that something may be changed in the server and/or DB settings. But what ?? Can somebody please shed a light on this issue? Thanks in advance. Regards, Gennady
My English is permanently under construction. Be patient !!
Gennady Oster wrote:
catch(Exception e){ res = e.Message; } return res;
There is an error in your query which is causing the
ExecuteScalarmethod to throw an exception. Due to the incredibly poor decision to return the exception message as a valid result from yourExecuteScalarmethod, the calling code is trying to cast thestringcontaining the error message to abyte[], which will never work. Remove thecatchclause from your method to allow the exception to propagate to the calling code. The fact that you're specifying aWHEREclause but not passing any parameters suggests that your code is susceptible to SQL Injection[^]. Update your code to use parameterized queries before you get a visit from little Bobby Tables[^].
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
Gennady Oster wrote:
catch(Exception e){ res = e.Message; } return res;
There is an error in your query which is causing the
ExecuteScalarmethod to throw an exception. Due to the incredibly poor decision to return the exception message as a valid result from yourExecuteScalarmethod, the calling code is trying to cast thestringcontaining the error message to abyte[], which will never work. Remove thecatchclause from your method to allow the exception to propagate to the calling code. The fact that you're specifying aWHEREclause but not passing any parameters suggests that your code is susceptible to SQL Injection[^]. Update your code to use parameterized queries before you get a visit from little Bobby Tables[^].
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
Thanks, Richard. Saying truth, I've already understand where I made a mistake. I anyway want ExecuteScalar to return db error, so I simply added the test is byte for result before casting:
Object sqlResult = ExecuteScalar(sql); if (!(sqlResult is byte)) { return sqlResult.ToString(); }This is the internal module, and WHERE clause is generated programmatically, so I don't see the ability to SQL Injection. Thanks once more. Regards, Gennady
My English is permanently under construction. Be patient !!
