Why does the dataset make the connection pool reach max pool size? Being hijacked?

Posted on 2009-02-11
Last Modified: 2013-12-17

I use VC# and MSSQL 2005 server to build a web application. There are several data bindings with DataSet or SqlDataReader.

I set the connection string with max pool size=300;

However, when the website went public, I suspected someone was SQL hijacking, as sometimes I received an exception saying: varchar value '11 and char(124)+user+char(124)=0' to data type int.

Even ds.Dispose() is still no use. It makes the connection time out and fills up the connection pool.

How should I fix it?

private void Bind_Item(string p_ID)
{
    // The query is built by string concatenation; p_ID comes straight from the request
    string strSql = "select * FROM product where category = '" + p_ID + "' order by id desc";

    DataSet ds = new DataSet();

    try
    {
        ds = SqlHelper.ExecuteDataset(DBConnection.ConnString, CommandType.Text, strSql);

        CollectionPager3.DataSource = ds.Tables[0].DefaultView;
        CollectionPager3.BindToControl = ItemUserControl.PublicRepeaterInUC;
        ItemUserControl.PublicRepeaterInUC.DataSource = CollectionPager3.DataSourcePaged;

        ds = null;
    }
    catch (Exception e)
    {
        // Dropping the reference does nothing for the underlying connection
        ds = null;
        Response.Redirect("error.html", true);
    }
}

Question by:techques
    1 Comment
    LVL 23

    Accepted Solution

    Disposing of the dataset has no effect on the connection. You should check the SqlHelper.ExecuteDataset method and make sure that it closes and disposes of the connection it uses to retrieve the dataset.

    Also, yes you are opening yourself up to SQL injection by generating the SQL query like this.
    The ideal solution would be to create a stored procedure that accepts an @Id parameter, which then does:
    SELECT * FROM Product WHERE category = @Id

    As a side note, I'd recommend moving your "ds.Dispose();" into the finally block - it will always get called whether there's an exception or not, and means you don't need to duplicate the cleanup code in multiple places.
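The two fixes from the accepted answer applied to the asker's Bind_Item, as an added example that is not part of the original question or answer: the category value travels as a typed SqlParameter instead of being pasted into the SQL text, and the connection, command and adapter are released on every exit path by `using` blocks rather than relying on SqlHelper. DBConnection.ConnString, CollectionPager3 and ItemUserControl are the page's own names and are assumed to exist in the containing Page class; SqlHelper is not used here, and the varchar length of 50 is an assumption about the column.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not the original post's code): parameterized query plus
// deterministic connection cleanup for the Bind_Item method shown above.
private void Bind_Item(string p_ID)
{
    // p_ID never becomes part of the SQL text. A probe such as
    //   11 and char(124)+user+char(124)=0
    // arrives as a literal string value and is simply compared against the
    // category column; it can no longer change the shape of the statement.
    const string strSql =
        "SELECT * FROM product WHERE category = @category ORDER BY id DESC";

    DataSet ds = new DataSet();

    try
    {
        // Each 'using' disposes its object when the block exits, including
        // on an exception, so the pooled connection is always returned.
        // Without this, every failed request can leak a connection until
        // "max pool size=300" is reached and callers start timing out.
        using (SqlConnection conn = new SqlConnection(DBConnection.ConnString))
        using (SqlCommand cmd = new SqlCommand(strSql, conn))
        using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
        {
            // Typed parameter; length 50 is an assumption about the column
            cmd.Parameters.Add("@category", SqlDbType.VarChar, 50).Value = p_ID;

            // Fill opens the connection if needed and closes it afterwards
            adapter.Fill(ds);
        }

        CollectionPager3.DataSource = ds.Tables[0].DefaultView;
        CollectionPager3.BindToControl = ItemUserControl.PublicRepeaterInUC;
        ItemUserControl.PublicRepeaterInUC.DataSource = CollectionPager3.DataSourcePaged;
    }
    catch (SqlException)
    {
        // Database errors (including a failed type conversion) land here;
        // the connection has already been disposed by the using blocks.
        Response.Redirect("error.html", true);
    }
}
```

The equivalent stored-procedure route from the answer (SELECT * FROM Product WHERE category = @Id) only changes CommandType to StoredProcedure and the parameter name; the `using` cleanup stays the same.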
