I'm getting the classic message "The timeout period elapsed prior to obtaining a connection from the pool" etc when connecting to my SQL Server 2005 Express from a .Net application.
Then I try connecting, simultaneously, from a simple ASP.net thing I wrote just for testing and this works fine. So, then the connection pool can't be full, can it? Or, does each application have its own pool??The application has its own pool. I have run into this before. Check through the .net application to make sure you closed all the connections.|||Check through the .net application to make sure you closed all the connections.I thought .Net did all this for you?|||From what I've understood, the Garbage Collector closes connections, but it might take some while before it does it. And I'm not sure that it can take care of all the relevant connections.
About my problem; it seems to work now after having changed the application to log in as an other user. Could it have been caused by some other error in the user/login setup?|||I imagine the Garbage Collector will close connections after the application exits, but when does a web application exit? The connections are sitting in the pool, and the close connection is what releases the connection back to the pool to be used again. Another annoying thing to note is that a connection is only reusable by other connection objects only if they share the same connection string. I think under ADO differences in the order of attributes made for two separate connection pools, but I am not sure, now.|||I noticed now that as soon as I re-save the config file read by IIS for this application, the application removes all the sleeping connections and it works fine, until a 100 connections limit is reached again. (Increasing the 100 threshold would just postpone the problem.)
Killing all the processes from within SQL Server doesn't help.|||what I learned from my brief stint as a java programmer was to never trust the garbage collectors and to always DIY. people poke fun at me for explicitly dropping temp tables in SQL but it all comes from this experience.
I wonder if this has some connection to a limitation with SQLExpress. I do not know for certain.
Showing posts with label prior. Show all posts
Showing posts with label prior. Show all posts
Wednesday, March 21, 2012
Tuesday, March 20, 2012
other characters (codes) that represent single quote
Hi,
I am trying to replace every single quote with two "single quotes", prior to
sending the dynamic sql string to sql server.
( from a C# application)
(in this case I have to send a dynamic string, cannot do parametarized
queries)
Question is....
Is there any other character that sql server will interpret as a "single
quote"?
Any help is deeply appreciated.
Thanks
NalakaHi Nalaka,
Thank you for your post.
Based on my scope, I don't think SQL Server will interpret other character
as single quote.
Here I would like provide some information about passing dynamic string to
SQL Server:
When possible, reject input that contains the following characters.
Input character Meaning in Transact-SQL
; Query delimiter
' Character data string delimiter
-- Comment delimiter
/* ... */ Comment delimiters. Text between /* and
*/ is not evaluated by the server.
Xp_ Begins the name of catalog extended stored
procedures such as xp_cmdshell.
You may need to refer the following article:
SQL Injection
http://msdn2.microsoft.com/en-us/library/ms161953.aspx
Hope this will be helpful!
Sincerely,
Wei Lu
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================This posting is provided "AS IS" with no warranties, and confers no rights.|||Thanks Wei,
This is what I don't understand... theoretically if I replace every single
quote with two single quotes.. all is well.
But there is a ton of articles suggesting all these other precautions.....
Nalaka
"Wei Lu" <weilu@.online.microsoft.com> wrote in message
news:1Kfz6%23FhGHA.5608@.TK2MSFTNGXA01.phx.gbl...
> Hi Nalaka,
> Thank you for your post.
> Based on my scope, I don't think SQL Server will interpret other character
> as single quote.
> Here I would like provide some information about passing dynamic string to
> SQL Server:
> When possible, reject input that contains the following characters.
> Input character Meaning in Transact-SQL
> ; Query delimiter
> ' Character data string delimiter
> -- Comment delimiter
> /* ... */ Comment delimiters. Text between /* and
> */ is not evaluated by the server.
> Xp_ Begins the name of catalog extended
> stored
> procedures such as xp_cmdshell.
> You may need to refer the following article:
> SQL Injection
> http://msdn2.microsoft.com/en-us/library/ms161953.aspx
> Hope this will be helpful!
> Sincerely,
> Wei Lu
> Microsoft Online Community Support
> ==================================================> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ==================================================> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>|||"Nalaka" <nalaka12@.nospam.nospam> wrote in message
news:%23CKpYJOhGHA.2188@.TK2MSFTNGP04.phx.gbl...
> Thanks Wei,
> This is what I don't understand... theoretically if I replace every single
> quote with two single quotes.. all is well.
> But there is a ton of articles suggesting all these other
precautions.....
>
Most likely their concern for SQL injection attacks.
Basically any place you accept input, if you're not careful, a bad user
could do something like:
Enter First Name: dummy; select * from sysobjects
And if your select query isn't written well, it now becomes something like:
Select id from table where fname=dummy; select * from sysobjects and now
your sysobjects table has been returned to the hacker.
> Nalaka
>
> "Wei Lu" <weilu@.online.microsoft.com> wrote in message
> news:1Kfz6%23FhGHA.5608@.TK2MSFTNGXA01.phx.gbl...
> > Hi Nalaka,
> >
> > Thank you for your post.
> >
> > Based on my scope, I don't think SQL Server will interpret other
character
> > as single quote.
> >
> > Here I would like provide some information about passing dynamic string
to
> > SQL Server:
> >
> > When possible, reject input that contains the following characters.
> >
> > Input character Meaning in Transact-SQL
> > ; Query delimiter
> >
> > ' Character data string delimiter
> >
> > -- Comment delimiter
> >
> > /* ... */ Comment delimiters. Text between /*
and
> > */ is not evaluated by the server.
> >
> > Xp_ Begins the name of catalog extended
> > stored
> > procedures such as xp_cmdshell.
> >
> > You may need to refer the following article:
> >
> > SQL Injection
> > http://msdn2.microsoft.com/en-us/library/ms161953.aspx
> >
> > Hope this will be helpful!
> >
> > Sincerely,
> >
> > Wei Lu
> > Microsoft Online Community Support
> >
> > ==================================================> >
> > When responding to posts, please "Reply to Group" via your newsreader so
> > that others may learn and benefit from your issue.
> >
> > ==================================================> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> >
>|||Hi Nalaka,
Thank you for the update.
As Greg mentioned, there is some secury issue you should considered in you
application code.
SQL injection should be avoid.
You could refer the article I posted in the previous post.
SQL Injection
http://msdn2.microsoft.com/en-us/library/ms161953.aspx
Sincerely,
Wei Lu
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================This posting is provided "AS IS" with no warranties, and confers no rights.|||Thanks...
"Wei Lu" <weilu@.online.microsoft.com> wrote in message
news:ugdnCtVhGHA.5608@.TK2MSFTNGXA01.phx.gbl...
> Hi Nalaka,
> Thank you for the update.
> As Greg mentioned, there is some secury issue you should considered in you
> application code.
> SQL injection should be avoid.
> You could refer the article I posted in the previous post.
> SQL Injection
> http://msdn2.microsoft.com/en-us/library/ms161953.aspx
> Sincerely,
> Wei Lu
> Microsoft Online Community Support
> ==================================================> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ==================================================> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>|||Hi Nalaka,
Glad to hear the information is helpful.
If you have any questions or concerns, please feel free to let me know.
Sincerely,
Wei Lu
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================This posting is provided "AS IS" with no warranties, and confers no rights.
I am trying to replace every single quote with two "single quotes", prior to
sending the dynamic sql string to sql server.
( from a C# application)
(in this case I have to send a dynamic string, cannot do parametarized
queries)
Question is....
Is there any other character that sql server will interpret as a "single
quote"?
Any help is deeply appreciated.
Thanks
NalakaHi Nalaka,
Thank you for your post.
Based on my scope, I don't think SQL Server will interpret other character
as single quote.
Here I would like provide some information about passing dynamic string to
SQL Server:
When possible, reject input that contains the following characters.
Input character Meaning in Transact-SQL
; Query delimiter
' Character data string delimiter
-- Comment delimiter
/* ... */ Comment delimiters. Text between /* and
*/ is not evaluated by the server.
Xp_ Begins the name of catalog extended stored
procedures such as xp_cmdshell.
You may need to refer the following article:
SQL Injection
http://msdn2.microsoft.com/en-us/library/ms161953.aspx
Hope this will be helpful!
Sincerely,
Wei Lu
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================This posting is provided "AS IS" with no warranties, and confers no rights.|||Thanks Wei,
This is what I don't understand... theoretically if I replace every single
quote with two single quotes.. all is well.
But there is a ton of articles suggesting all these other precautions.....
Nalaka
"Wei Lu" <weilu@.online.microsoft.com> wrote in message
news:1Kfz6%23FhGHA.5608@.TK2MSFTNGXA01.phx.gbl...
> Hi Nalaka,
> Thank you for your post.
> Based on my scope, I don't think SQL Server will interpret other character
> as single quote.
> Here I would like provide some information about passing dynamic string to
> SQL Server:
> When possible, reject input that contains the following characters.
> Input character Meaning in Transact-SQL
> ; Query delimiter
> ' Character data string delimiter
> -- Comment delimiter
> /* ... */ Comment delimiters. Text between /* and
> */ is not evaluated by the server.
> Xp_ Begins the name of catalog extended
> stored
> procedures such as xp_cmdshell.
> You may need to refer the following article:
> SQL Injection
> http://msdn2.microsoft.com/en-us/library/ms161953.aspx
> Hope this will be helpful!
> Sincerely,
> Wei Lu
> Microsoft Online Community Support
> ==================================================> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ==================================================> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>|||"Nalaka" <nalaka12@.nospam.nospam> wrote in message
news:%23CKpYJOhGHA.2188@.TK2MSFTNGP04.phx.gbl...
> Thanks Wei,
> This is what I don't understand... theoretically if I replace every single
> quote with two single quotes.. all is well.
> But there is a ton of articles suggesting all these other
precautions.....
>
Most likely their concern for SQL injection attacks.
Basically any place you accept input, if you're not careful, a bad user
could do something like:
Enter First Name: dummy; select * from sysobjects
And if your select query isn't written well, it now becomes something like:
Select id from table where fname=dummy; select * from sysobjects and now
your sysobjects table has been returned to the hacker.
> Nalaka
>
> "Wei Lu" <weilu@.online.microsoft.com> wrote in message
> news:1Kfz6%23FhGHA.5608@.TK2MSFTNGXA01.phx.gbl...
> > Hi Nalaka,
> >
> > Thank you for your post.
> >
> > Based on my scope, I don't think SQL Server will interpret other
character
> > as single quote.
> >
> > Here I would like provide some information about passing dynamic string
to
> > SQL Server:
> >
> > When possible, reject input that contains the following characters.
> >
> > Input character Meaning in Transact-SQL
> > ; Query delimiter
> >
> > ' Character data string delimiter
> >
> > -- Comment delimiter
> >
> > /* ... */ Comment delimiters. Text between /*
and
> > */ is not evaluated by the server.
> >
> > Xp_ Begins the name of catalog extended
> > stored
> > procedures such as xp_cmdshell.
> >
> > You may need to refer the following article:
> >
> > SQL Injection
> > http://msdn2.microsoft.com/en-us/library/ms161953.aspx
> >
> > Hope this will be helpful!
> >
> > Sincerely,
> >
> > Wei Lu
> > Microsoft Online Community Support
> >
> > ==================================================> >
> > When responding to posts, please "Reply to Group" via your newsreader so
> > that others may learn and benefit from your issue.
> >
> > ==================================================> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> >
>|||Hi Nalaka,
Thank you for the update.
As Greg mentioned, there is some secury issue you should considered in you
application code.
SQL injection should be avoid.
You could refer the article I posted in the previous post.
SQL Injection
http://msdn2.microsoft.com/en-us/library/ms161953.aspx
Sincerely,
Wei Lu
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================This posting is provided "AS IS" with no warranties, and confers no rights.|||Thanks...
"Wei Lu" <weilu@.online.microsoft.com> wrote in message
news:ugdnCtVhGHA.5608@.TK2MSFTNGXA01.phx.gbl...
> Hi Nalaka,
> Thank you for the update.
> As Greg mentioned, there is some secury issue you should considered in you
> application code.
> SQL injection should be avoid.
> You could refer the article I posted in the previous post.
> SQL Injection
> http://msdn2.microsoft.com/en-us/library/ms161953.aspx
> Sincerely,
> Wei Lu
> Microsoft Online Community Support
> ==================================================> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ==================================================> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>|||Hi Nalaka,
Glad to hear the information is helpful.
If you have any questions or concerns, please feel free to let me know.
Sincerely,
Wei Lu
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================This posting is provided "AS IS" with no warranties, and confers no rights.
other characters (codes) that represent single quote
Hi,
I am trying to replace every single quote with two "single quotes", prior to
sending the dynamic sql string to sql server.
( from a C# application)
(in this case I have to send a dynamic string, cannot do parametarized
queries)
Question is....
Is there any other character that sql server will interpret as a "single
quote"?
Any help is deeply appreciated.
Thanks
NalakaHi Nalaka,
Thank you for your post.
Based on my scope, I don't think SQL Server will interpret other character
as single quote.
Here I would like provide some information about passing dynamic string to
SQL Server:
When possible, reject input that contains the following characters.
Input character Meaning in Transact-SQL
; Query delimiter
' Character data string delimiter
-- Comment delimiter
/* ... */ Comment delimiters. Text between /* and
*/ is not evaluated by the server.
Xp_ Begins the name of catalog extended stored
procedures such as xp_cmdshell.
You may need to refer the following article:
SQL Injection
http://msdn2.microsoft.com/en-us/library/ms161953.aspx
Hope this will be helpful!
Sincerely,
Wei Lu
Microsoft Online Community Support
========================================
==========
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
========================================
==========
This posting is provided "AS IS" with no warranties, and confers no rights.|||Thanks Wei,
This is what I don't understand... theoretically if I replace every single
quote with two single quotes.. all is well.
But there is a ton of articles suggesting all these other precautions.....
Nalaka
"Wei Lu" <weilu@.online.microsoft.com> wrote in message
news:1Kfz6%23FhGHA.5608@.TK2MSFTNGXA01.phx.gbl...
> Hi Nalaka,
> Thank you for your post.
> Based on my scope, I don't think SQL Server will interpret other character
> as single quote.
> Here I would like provide some information about passing dynamic string to
> SQL Server:
> When possible, reject input that contains the following characters.
> Input character Meaning in Transact-SQL
> ; Query delimiter
> ' Character data string delimiter
> -- Comment delimiter
> /* ... */ Comment delimiters. Text between /* and
> */ is not evaluated by the server.
> Xp_ Begins the name of catalog extended
> stored
> procedures such as xp_cmdshell.
> You may need to refer the following article:
> SQL Injection
> http://msdn2.microsoft.com/en-us/library/ms161953.aspx
> Hope this will be helpful!
> Sincerely,
> Wei Lu
> Microsoft Online Community Support
> ========================================
==========
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ========================================
==========
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>|||"Nalaka" <nalaka12@.nospam.nospam> wrote in message
news:%23CKpYJOhGHA.2188@.TK2MSFTNGP04.phx.gbl...
> Thanks Wei,
> This is what I don't understand... theoretically if I replace every single
> quote with two single quotes.. all is well.
> But there is a ton of articles suggesting all these other
precautions.....
>
Most likely their concern for SQL injection attacks.
Basically any place you accept input, if you're not careful, a bad user
could do something like:
Enter First Name: dummy; select * from sysobjects
And if your select query isn't written well, it now becomes something like:
Select id from table where fname=dummy; select * from sysobjects and now
your sysobjects table has been returned to the hacker.
> Nalaka
>
> "Wei Lu" <weilu@.online.microsoft.com> wrote in message
> news:1Kfz6%23FhGHA.5608@.TK2MSFTNGXA01.phx.gbl...
character[vbcol=seagreen]
to[vbcol=seagreen]
and[vbcol=seagreen]
>|||Hi Nalaka,
Thank you for the update.
As Greg mentioned, there is some secury issue you should considered in you
application code.
SQL injection should be avoid.
You could refer the article I posted in the previous post.
SQL Injection
http://msdn2.microsoft.com/en-us/library/ms161953.aspx
Sincerely,
Wei Lu
Microsoft Online Community Support
========================================
==========
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
========================================
==========
This posting is provided "AS IS" with no warranties, and confers no rights.|||Thanks...
"Wei Lu" <weilu@.online.microsoft.com> wrote in message
news:ugdnCtVhGHA.5608@.TK2MSFTNGXA01.phx.gbl...
> Hi Nalaka,
> Thank you for the update.
> As Greg mentioned, there is some secury issue you should considered in you
> application code.
> SQL injection should be avoid.
> You could refer the article I posted in the previous post.
> SQL Injection
> http://msdn2.microsoft.com/en-us/library/ms161953.aspx
> Sincerely,
> Wei Lu
> Microsoft Online Community Support
> ========================================
==========
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ========================================
==========
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>|||Hi Nalaka,
Glad to hear the information is helpful.
If you have any questions or concerns, please feel free to let me know.
Sincerely,
Wei Lu
Microsoft Online Community Support
========================================
==========
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
========================================
==========
This posting is provided "AS IS" with no warranties, and confers no rights.
I am trying to replace every single quote with two "single quotes", prior to
sending the dynamic sql string to sql server.
( from a C# application)
(in this case I have to send a dynamic string, cannot do parametarized
queries)
Question is....
Is there any other character that sql server will interpret as a "single
quote"?
Any help is deeply appreciated.
Thanks
NalakaHi Nalaka,
Thank you for your post.
Based on my scope, I don't think SQL Server will interpret other character
as single quote.
Here I would like provide some information about passing dynamic string to
SQL Server:
When possible, reject input that contains the following characters.
Input character Meaning in Transact-SQL
; Query delimiter
' Character data string delimiter
-- Comment delimiter
/* ... */ Comment delimiters. Text between /* and
*/ is not evaluated by the server.
Xp_ Begins the name of catalog extended stored
procedures such as xp_cmdshell.
You may need to refer the following article:
SQL Injection
http://msdn2.microsoft.com/en-us/library/ms161953.aspx
Hope this will be helpful!
Sincerely,
Wei Lu
Microsoft Online Community Support
========================================
==========
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
========================================
==========
This posting is provided "AS IS" with no warranties, and confers no rights.|||Thanks Wei,
This is what I don't understand... theoretically if I replace every single
quote with two single quotes.. all is well.
But there is a ton of articles suggesting all these other precautions.....
Nalaka
"Wei Lu" <weilu@.online.microsoft.com> wrote in message
news:1Kfz6%23FhGHA.5608@.TK2MSFTNGXA01.phx.gbl...
> Hi Nalaka,
> Thank you for your post.
> Based on my scope, I don't think SQL Server will interpret other character
> as single quote.
> Here I would like provide some information about passing dynamic string to
> SQL Server:
> When possible, reject input that contains the following characters.
> Input character Meaning in Transact-SQL
> ; Query delimiter
> ' Character data string delimiter
> -- Comment delimiter
> /* ... */ Comment delimiters. Text between /* and
> */ is not evaluated by the server.
> Xp_ Begins the name of catalog extended
> stored
> procedures such as xp_cmdshell.
> You may need to refer the following article:
> SQL Injection
> http://msdn2.microsoft.com/en-us/library/ms161953.aspx
> Hope this will be helpful!
> Sincerely,
> Wei Lu
> Microsoft Online Community Support
> ========================================
==========
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ========================================
==========
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>|||"Nalaka" <nalaka12@.nospam.nospam> wrote in message
news:%23CKpYJOhGHA.2188@.TK2MSFTNGP04.phx.gbl...
> Thanks Wei,
> This is what I don't understand... theoretically if I replace every single
> quote with two single quotes.. all is well.
> But there is a ton of articles suggesting all these other
precautions.....
>
Most likely their concern for SQL injection attacks.
Basically any place you accept input, if you're not careful, a bad user
could do something like:
Enter First Name: dummy; select * from sysobjects
And if your select query isn't written well, it now becomes something like:
Select id from table where fname=dummy; select * from sysobjects and now
your sysobjects table has been returned to the hacker.
> Nalaka
>
> "Wei Lu" <weilu@.online.microsoft.com> wrote in message
> news:1Kfz6%23FhGHA.5608@.TK2MSFTNGXA01.phx.gbl...
character[vbcol=seagreen]
to[vbcol=seagreen]
and[vbcol=seagreen]
>|||Hi Nalaka,
Thank you for the update.
As Greg mentioned, there is some secury issue you should considered in you
application code.
SQL injection should be avoid.
You could refer the article I posted in the previous post.
SQL Injection
http://msdn2.microsoft.com/en-us/library/ms161953.aspx
Sincerely,
Wei Lu
Microsoft Online Community Support
========================================
==========
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
========================================
==========
This posting is provided "AS IS" with no warranties, and confers no rights.|||Thanks...
"Wei Lu" <weilu@.online.microsoft.com> wrote in message
news:ugdnCtVhGHA.5608@.TK2MSFTNGXA01.phx.gbl...
> Hi Nalaka,
> Thank you for the update.
> As Greg mentioned, there is some secury issue you should considered in you
> application code.
> SQL injection should be avoid.
> You could refer the article I posted in the previous post.
> SQL Injection
> http://msdn2.microsoft.com/en-us/library/ms161953.aspx
> Sincerely,
> Wei Lu
> Microsoft Online Community Support
> ========================================
==========
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ========================================
==========
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>|||Hi Nalaka,
Glad to hear the information is helpful.
If you have any questions or concerns, please feel free to let me know.
Sincerely,
Wei Lu
Microsoft Online Community Support
========================================
==========
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
========================================
==========
This posting is provided "AS IS" with no warranties, and confers no rights.
Subscribe to:
Posts (Atom)