insert filename of uploaded file into database (C#)

Hello All;

I can upload a file, but am having a problem with inserting the filename into the database.
There does not really seem to be an awful lot of information available online for .NET that I thought there would be, I am sure that there are sites with an abundance of information, I have just not found it yet.

(Classic ASP was a lot easier to learn)

OK
I need to get the uploaded filename to insert into the database.
Below is the code that I am using to insert into the database.

Also, I use parameters for all my database work, so could someone please assist in how to write the parameters coding for this as well?

Thank You
Carrzkiss

string filename = Path.GetFileName(FileUploadControl.FileName);
FileUploadControl.SaveAs(Server.MapPath("Uploaded/") + filename);

////////////////////////////////////////////////////////////////////////////////////////
OleDbConnection objConnection = null;
OleDbCommand objCmd = null;
String strConnection, strSQL;

strConnection = "Provider=Microsoft.Jet.OleDb.4.0;";
strConnection += @"Data Source="+MapPath("Database1.mdb");

objConnection = new OleDbConnection(strConnection);
objConnection.ConnectionString = strConnection;

objConnection.Open();

strSQL = "INSERT INTO MegaPics (PicsPath)VALUES(@filename)";

objCmd = new OleDbCommand(strSQL, objConnection);

objCmd.ExecuteNonQuery();

Wayne Barron, Author, Web Developer Asked:

AsishRaj Commented:
Try this

objCmd = new OleDbCommand(strSQL, objConnection);
objCmd .Parameters.Add("@filename", OleDbType.Char, Size, filename );

0
Wayne Barron, Author, Web Developer (Author) Commented:
Hello "AsishRaj"

I am getting the following error
CS0118: 'System.Drawing.Size' is a 'type' but is used like a 'variable'

On this line
objCmd .Parameters.Add("@filename", OleDbType.Char, Size, filename );
0
Wayne Barron, Author, Web Developer (Author) Commented:
:)
Sorry, Size = 255
My mistake.

0
AsishRaj Commented:
objCmd  .Parameters.Add("@filename", OleDbType.varchar(Should be same as the type defined in the db field), Size of the Field defined in DB, filename );
                             
0
Wayne Barron, Author, Web Developer (Author) Commented:
I am still getting this error

The following error occured: Parameter @filename has no default value.

How can I get the Value that gets assigned to filename ?

It is a
string filename  = Path.GetFileName(FileUploadControl.FileName);
So, how would I go about taking the Value given to this string, and using it in the Insert Statement?
0
Greg Wright, Sr. Database Administrator Commented:
Here is what you will want to do.

            OleDbConnection objConnnection = null;
            OleDbCommand objCmd = null;
            string strConnection, strSQL;

            strConnection = "Provider=Microsoft.Jet.OleDb.4.0;";
            strConnection += "Data Source=" + MapPath("Database1.mdb");

            objConnnection = new OleDbConnection(strConnection);
            objConnnection.ConnectionString = strConnection;

            objConnnection.Open();

            strSQL = "INSERT INTO MegaPics (PicsPath) Values (@filename)";

            objCmd = new OleDbCommand(strSQL, objConnnection);

            OleDbParameter param = objCmd.CreateParameter();
            param.DbType = DbType.String;
            param.Size = 255;
            param.ParameterName = "@filename";
            param.Value = filename;

            objCmd.Parameters.Add(param);
            objCmd.ExecuteNonQuery();
0
Wayne Barron, Author, Web Developer (Author) Commented:
Thanks for your reply "snapjaq"

I tested the code and am receiving the following error.

CS0103: The name 'DbType' does not exist in the current context

On this line
param.DbType = DbType.String;


ASP.NET is kicking my butt...
But I will eventually grasp ahold of it shortly, just need a little hand holding on the start of my way.
0
AsishRaj Commented:
carrzkiss

It's not hard at all, just have a look at this tutorial, it has both VB & C# samples.

http://msdn.microsoft.com/en-us/library/aa325902%28VS.71%29.aspx

The above tutorial shows the correct way of doing it using adapters.
0
Wayne Barron, Author, Web Developer (Author) Commented:
I read through that page, and it still does not fix this issue.

Let me try to explain this a little better here, to where MAYBE someone will catch on to what I have going on over here.

----------
I am uploading images to the server, I need to have the ImageName written to the database.
I need to grab:

string filename = Path.GetFileName(FileUploadControl.FileName);
FileUploadControl.SaveAs(Server.MapPath("Uploaded/") + filename);

And insert it into my INSERT statement.


    strSQL = "INSERT INTO MegaPics(PicsPath)VALUES(?)";
    objCmd = new OleDbCommand(strSQL, objConnection);
    objCmd.Parameters.Add("@PicsPath", OleDbType.VarChar, 255, "filename");
    objCmd.ExecuteNonQuery();

Right now it is not doing this:

Upload status: The file could not be uploaded. The following error occured: Parameter ?_1 has no default value.

So, what I need is to get the "filename" from the string and have it added to the Parameterized query to have it inserted into my table.

Any ideas, anyone?

Thank You
Carrzkiss
0
AsishRaj Commented:
objCmd.Parameters.Add("@PicsPath", OleDbType.VarChar, 255,  "filename");

Should Be
 objCmd.Parameters.Add("@PicsPath", OleDbType.VarChar, 255, filename);

Give me a few minutes, I will give you a complete working example.
0
Wayne Barron, Author, Web Developer (Author) Commented:
Yep, I missed that.

OK, will await your code example.
0
AsishRaj Commented:
   OleDbConnection objConnection = null;
    OleDbCommand objCmd = null;
    String strConnection, strSQL;

    strConnection = "Provider=Microsoft.Jet.OleDb.4.0;";
    strConnection += @"Data Source="+MapPath("Database1.mdb");
     
    objConnection = new OleDbConnection(strConnection);
    objConnection.ConnectionString = strConnection;

objConnection.Open();

 strSQL = "INSERT INTO MegaPics (PicsPath)VALUES('" & filename & "')";

objCmd = new OleDbCommand(strSQL, objConnection);
objCmd.ExecuteNonQuery();

objConnection.Close();

0
AsishRaj Commented:
Also, I was looking at snapjag's example; that is correct as well.

Are you sure you are passing correct values in Filename? Please keep in mind the opening and closing commas (" "). If they are used in the variable, it will give you an error.

I would suggest, before doing an insert, try putting the output on the screen first, to see if the variable holds the correct data.
0
Wayne Barron, Author, Web Developer (Author) Commented:
The output is going to the screen, but will not work in the insert, that is what has me confused.
In Classic ASP, I could debug through this and find the problem, so I have tried taking my knowledge from that and applying to this and am coming up short somewhere.

But, I can state that it is outputting to the screen, just not to the insert statement.

--------
Also, I am using Parameters, so I prefer to stay away from sending text straight into my database as you have provided in your example, though I did try it for testing purposes ONLY!, and it gave an error about having the & symbol in the mix, so.

I will tackle this again in the morning, right now I am going to call it a night.
If either of you can think of anything else, please provide and I will check it out in the morning.

Have a good one guys.

Carrzkiss
0
Wayne Barron, Author, Web Developer (Author) Commented:
OK. Got it to work.

This
objCmd.Parameters.Add("@PicsPath", OleDbType.VarChar, 255, filename);

Had to be changed to this
objCmd.Parameters.Add("@PicsPath", filename);

For some reason it would not save the filename with the
OleDbType.VarChar, 255,
But, with it removed, it saves the filename.

What made me think of removing the information and testing it was looking at someone else's code for a component set and seeing how they were using it, and this is how they had it, they had no data field information just the fieldname and variable going into the field.

But, This is the question.
#1: Is this a good safe and reliable way of doing this? Are there any vulnerabilities in doing it this way?

#2: Will this open up the field to allow anything to be inserted into it, not just what is set in the database properties for the given Fieldtype? Are there any security threats that could be thrown on this field?

Thanks to all that have tried to assist in this issue.
Carrzkiss
0

Greg Wright, Sr. Database Administrator Commented:
Glad you found the solution and that the conversation could help you out. In response to my question above, so it's in writing. The DbType couldn't be found because you may not have had the "using System.Data;" directive at the top of the page. I have mine up there for all data activity, and Param.DbType wanted to use that Enumeration.

Once you get through figuring out some things, you'll get the hang of it.

#1 - Yes it's safe to do it. Because params are an isolated, object assertion. Not an open inline statement being built and executed. So, using params is safer than building a string. You can engage in many text verification methods. Don't worry about over-doing the data validation checks either.
#2 - Same as above, the meta data will account for the correct information. Of course, anything that is string can go into it, so you may want to do data validation (which should never be avoided), but there isn't this major security threat that you have to worry about. Keep to the standards of correct data elements on the UI, capture off the UI, validate the data, assign it to the params, submit, and error trap. Most importantly, test, test, test. Even with weird stuff.
0
Wayne Barron, Author, Web Developer (Author) Commented:
using System.Data;
Yes, it is at the top of the page, has been since I started the project.

On your answer, you sound like myself when I teach others on EE when dealing with ASP Classic and SQL & XSS Injections.
I designed a Function that I am going to see if it will work in .NET, the way things look it might, I think anyway.

Params, I have been using for about 5 months now, so your explanation is something that I already am aware of, and is what I have been taught and have been teaching since I started.

------------
The only thing that is left is getting a Multiple Upload code to work with what I have and I will be happy.

Have a good one and I will award you both points for your time and effort in this issue.
I am going to accept mine as solution with the points going to you both.

Carrzkiss
0
AsishRaj Commented:
Glad you figured it out.

I would recommend no one use straight text for operations with the database; I just gave it to see what the output might be.

Using parameters is the safest way to do it, but when you don't validate the length, it might give a run-time error if the variable happens to hold more than the length required.

As far as security goes, try to define your database connection string in the web.config file for added security reasons.

0
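
Added example, not part of the thread and not any participant's code: the four-argument `Parameters.Add(name, type, size, string)` overload takes its last string as the source column name rather than the value, which leaves the parameter without a value, so the typed form below assigns `.Value` explicitly and checks the file name's length and extension first. The class and method names, the extension allowlist, and passing the connection string in from the caller (for example, read from web.config) are assumptions.

```csharp
using System;
using System.Data.OleDb;
using System.IO;
using System.Linq;

// Added example: hypothetical helper, not code from the thread.
public static class PicsPathStore
{
    // Assumption: only these image extensions are accepted.
    private static readonly string[] AllowedExtensions = { ".jpg", ".jpeg", ".png", ".gif" };
    private const int PicsPathSize = 255; // field size used in the thread

    // Returns a bare file name that is safe to store, or throws.
    public static string ValidateFileName(string clientFileName)
    {
        // Path.GetFileName drops any directory part the client sent.
        string name = Path.GetFileName(clientFileName ?? string.Empty);
        if (name.Length == 0 || name.Length > PicsPathSize)
            throw new ArgumentException("File name is empty or longer than the column.");
        if (name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new ArgumentException("File name contains invalid characters.");
        string ext = Path.GetExtension(name).ToLowerInvariant();
        if (!AllowedExtensions.Contains(ext))
            throw new ArgumentException("File type is not allowed.");
        return name;
    }

    public static int InsertPicsPath(string connectionString, string clientFileName)
    {
        string filename = ValidateFileName(clientFileName);
        // OLE DB binds parameters by position; the name is only a label.
        const string sql = "INSERT INTO MegaPics (PicsPath) VALUES (?)";

        using (var connection = new OleDbConnection(connectionString))
        using (var command = new OleDbCommand(sql, connection))
        {
            // Add(name, type, size) creates the typed parameter; the value is
            // assigned through .Value. A string passed as a fourth argument
            // would be taken as sourceColumn, leaving the value unset.
            command.Parameters.Add("@PicsPath", OleDbType.VarChar, PicsPathSize).Value = filename;
            connection.Open();
            return command.ExecuteNonQuery(); // rows affected
        }
    }
}
```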