• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 363

Why does a DataSet make the connection pool reach max pool size? Being hijacked?

Hi

I use ASP.NET, VC# and MSSQL 2005 Server to build a web application. There are several data binds with DataSet or SqlDataReader.

I set the connection string with max pool size=300;

However, since the website went public I suspect someone is doing SQL hijacking, as sometimes I receive an exception about converting the varchar value '11 and char(124)+user+char(124)=0' to data type int.

Even ds.Dispose() is still no use. It makes the connection time out and fills up the connection pool.

How should I fix it?


private void Bind_Item(string p_ID)
{
    // p_ID is concatenated straight into the SQL text; this is where the
    // '11 and char(124)+user+char(124)=0 payload from the question arrives.
    string strSql = "select  * FROM product where category = '" + p_ID + "' order by id desc";
    DataSet ds = new DataSet();
    try
    {
        ds = SqlHelper.ExecuteDataset(DBConnection.ConnString, CommandType.Text, strSql);
        CollectionPager3.DataSource = ds.Tables[0].DefaultView;
        CollectionPager3.BindToControl = ItemUserControl.PublicRepeaterInUC;
        ItemUserControl.PublicRepeaterInUC.DataSource = CollectionPager3.DataSourcePaged;
        // A DataSet is disconnected: disposing it does not touch the
        // SqlConnection that SqlHelper opened to fill it.
        ds.Dispose();
        ds = null;
    }
    catch (Exception e)
    {
        ds.Dispose();
        ds = null;
        Response.Redirect("error.html", true);
    }
    finally
    {
    }
}

Asked by techques

1 Solution

adathelad commented:
Disposing of the DataSet has no effect on the connection. You should check the SqlHelper.ExecuteDataset method and make sure that it closes and disposes of the connection it uses to retrieve the DataSet.

Also, yes you are opening yourself up to SQL injection by generating the SQL query like this.
The ideal solution would be to create a stored procedure that accepts an @Id parameter, which then does:
SELECT * FROM Product WHERE category = @Id

As a side note, I'd recommend moving your "ds.Dispose();" into the finally block: it will always get called whether there's an exception or not, and it means you don't need to duplicate the cleanup code in multiple places.
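As an added example (not code from the original post or from adathelad's answer), here is the Bind_Item query rewritten along the lines of the answer. The category value travels as a SqlParameter instead of being concatenated into the statement, so a probe like the one in the question (char(124) is '|', so '|'+user+'|' compared with an int forces a conversion error whose message leaks the database user name) is just a string that matches no category. The connection lives inside using blocks, which is an implicit finally: it is disposed and returned to the pool even when the query throws, which is what keeps the pool from filling up. The table and column names come from the post; the connection string parameter, the varchar(50) type of the category column and the stored procedure name GetProductsByCategory are assumptions.

```csharp
// Added example, not from the original post. Assumes a SQL Server table
// "product" with an int "id" and a varchar(50) "category" column (the
// length is an assumption) and a connection string passed in by the caller.
using System;
using System.Data;
using System.Data.SqlClient;

public static class ProductRepository
{
    // The parameter placeholder fixes the shape of the statement; whatever
    // the user sends is bound as a value and never parsed as SQL.
    private const string SelectByCategory =
        "SELECT * FROM product WHERE category = @category ORDER BY id DESC";

    public static DataTable LoadByCategory(string connString, string category)
    {
        // 'using' disposes both objects on every exit path, including an
        // exception thrown by Fill, so the pooled connection is released
        // instead of being leaked until "max pool size" is hit.
        using (SqlConnection conn = new SqlConnection(connString))
        using (SqlCommand cmd = new SqlCommand(SelectByCategory, conn))
        {
            // Explicit type and length: stable SQL type for plan caching, and
            // over-long input is truncated to the column's length rather than
            // becoming part of the statement text.
            cmd.Parameters.Add("@category", SqlDbType.VarChar, 50).Value = category;

            DataTable table = new DataTable();
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                // Fill opens the connection if it is closed and closes it
                // again when done; the using block above covers the
                // exception case.
                adapter.Fill(table);
            }
            return table;
        }
    }

    // Stored-procedure variant, as the answer suggests. The procedure name
    // is hypothetical; it is assumed to be defined as:
    //   CREATE PROCEDURE dbo.GetProductsByCategory @Id varchar(50) AS
    //     SELECT * FROM Product WHERE category = @Id ORDER BY id DESC
    public static DataTable LoadByCategoryProc(string connString, string category)
    {
        using (SqlConnection conn = new SqlConnection(connString))
        using (SqlCommand cmd = new SqlCommand("dbo.GetProductsByCategory", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Id", SqlDbType.VarChar, 50).Value = category;

            DataTable table = new DataTable();
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(table);
            }
            return table;
        }
    }
}
```

With this in place, Bind_Item reduces to `CollectionPager3.DataSource = ProductRepository.LoadByCategory(DBConnection.ConnString, p_ID).DefaultView;` inside its try block, with nothing left to dispose by hand, since the DataTable holds no connection and the SqlConnection is already disposed by the time the method returns. If SqlHelper.ExecuteDataset must stay, the check the answer asks for is the same one this code makes explicit: confirm that its SqlConnection is disposed on the exception path, not only after a successful Fill.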
