Category Archives: SQL

SqlParameter is already contained by another SqlParameterCollection

May 13, 2009 – 7:00 PM

I discovered an interesting bug today. While executing some SQL Stored Procedures via C# I was trying to reuse a SqlParameter. However, when the SqlParameter was added to a second SqlCommand, it would throw an error when trying to execute the second command. The error encountered was the “SqlParameter is already contained by another SqlParameterCollection“.

It seems that .Net’s garbage collection retains a reference to the SqlParameter used in the first SqlCommand. This reference seems to survive the closing and even disposing of the connection in use. As long as the SqlCommand object is in use, .Net seems to remember that it has already been used. To bypass this, simply call the sqlCommand.Parameters.Clear() method. You’ll need to readd the SqlParameter or SqlParameter[] to the SqlCommand and it’ll work.

By FailBoy | Also posted in .Net Framework, Development | Tagged , , , | Comments (0)

Procedure expects parameter ‘@statement’

May 11, 2009 – 8:00 PM

Recently I was working on a script to upgrade a database and was using some dynamic T-SQL to execute a command. I kept getting the error “Procedure expects parameter ‘@statement’ of type ‘ntext/nchar/nvarchar’”. Being true to my name (“FailBoy”) I knew I was doing something stupid. In my SQL Script I had declared something like this:

DECLARE @tSql VARCHAR(max)
SET @tSql = ‘<insert Dynamic query here>’
execute sp_executesql @tSql

Can you spot the problem? The problem is the declaration of the variable as VARCHAR. The execute sp_executesql procedure expects a NVARCHAR value. I simply replaced the VARCHAR with NVARCHAR and all worked perfectly.

By FailBoy | Also posted in Development | Tagged , , , | Comments (0)

Encrypting SQL connection string

May 6, 2009 – 2:19 PM

This is something that is so easy to configure yet I’ve seen it countless times where projects are deployed and the connection string in the web.config file is not encrypted. Regardless of how small your application is, it poses a challenge to someone somewhere to try break into it. Here I’ll show you something most people don’t even know about and depending on your code in your projects Data Access Layer you might not even need to change your code at all!

ASPNET_regiis:

When you initially install the .Net Framework, if you look carefully, you’ll see this little executable run. The aspnet_regiis executable is there to register the ASP.Net runtimes with IIS6 and you can use this to install Sql Server State Management on a web application. There is however some very interesting other things this little executable can do for you. One of which being automatically encrypting and decrypting your connection string in your website’s web.config file.

Encryption time:

Say for instance you have the following connection string in your web.config file. From this, your attacker would know exactly where your database server is located as well a valid username and password.

<configuration>
<connectionStrings>
<add name=”SqlConn” connectionString=”Server=dbServer; Database=pubs;
User Id=usrName; password= p4ssw0rd” providerName=
“System.Data.SqlClient” />
</connectionStrings>
</configuration>

To make sure your SQL location and account credentials stay secret, you should encrypt the connection string in the web.config file using the Aspnet_regiis utility with at least the Windows Data Protection API (DPAPI) protected configuration provider. By executing the following command in your Visual Studio Command Prompt, you will have successfully encrypted your connection string!

aspnet_regiis -pe “connectionStrings” -app “/WebApp” –prov “DataProtectionConfigurationProvider”

Just remember that this command is cAsE SeNsItIve. Remember to set /WebApp to the virtual path to your application.

Decrypting the Connection String:

This is the easiest part of all. When you retrieve your connection string from the web.config file, this is how you should do it:

string dbConn = ConfigurationManager.ConnectionString["SqlConn"].ToString();

By doing it this way, ASP.Net will automatically decrypt the connection string for you! This is recommended as a Best Practice by Microsoft and it is incredibly easy to implement. There is no excuse to not implement such basic security in your web based applications.

By FailBoy | Also posted in Best Practice, Development | Tagged , , | Comments (0)