Getting odd error on .net ExecuteNonQuery

Question

I'm working in .NET with SQL server on the backend

I have a database that I create a record in using a web control - then I need to update some of the fields.
I can trap the sql statement and run it in sql server successfully - however, when I try to run execute non-query I get the following error:

Unhandled Execution Error Incorrect syntax near '<'. at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async) at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe) at System.Data.SqlClient.SqlCommand.ExecuteNonQuery() at TestAPI.UpdateTicketValues(String srId) in D:\\Webs\\Internal\\veritythree.com\\SupportBeta\\TestAPI.ascx.vb:line 216 at TestAPI.Submit_Click(Object sender, EventArgs e) in D:\\Webs\\Internal\\veritythree.com\\SupportBeta\\TestAPI.ascx.vb:line 170 at System.Web.UI .WebControls.Button.OnClick(EventArgs e) at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) at System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) 0.517567748943243 0.511543

Here is my function:

Public Function UpdateTicketValues(ByVal srId As String) As Boolean
    Dim result As Boolean
    Dim myCDataReader As System.Data.SqlClient.SqlDataReader
    Dim myUConn As New System.Data.SqlClient.SqlConnection
    Dim myCCmd As New System.Data.SqlClient.SqlCommand
    Dim myUCmd As New System.Data.SqlClient.SqlCommand
    Dim strSQL As String

    strSQL = "SELECT Contact_RecId, First_Name, Last_Name, PhoneNbr, Extension, Email FROM vti_ContactInformation " & _
             "WHERE Company_RecId = " & CoId & " AND Email = '" & txtEmail.Text & "'"
    myCConn.Open()
    myUConn = New System.Data.SqlClient.SqlConnection("Data Source=x;Initial Catalog=x;User Id=x;Password=x;Trusted_Connection=False")
    myUConn.Open()
    myCCmd.Connection = myCConn
    myCCmd.CommandText = strSQL
    myCDataReader = myCCmd.ExecuteReader
    If myCDataReader.Read() Then
        'Run update with contact information
        strSQL = "UPDATE SR_Service " & _
                 "SET Contact_RecId = " & myCDataReader.GetValue(0) & ", " & _
                 "    Contact_Name = '" & myCDataReader.GetValue(1) & " " & myCDataReader.GetValue(2) & "', " & _
                 "    PhoneNbr = '" & myCDataReader.GetValue(3) & "', " & _
                 "    Extension = '" & myCDataReader.GetValue(4) & "', " & _
                 "    Email_Address = '" & myCDataReader.GetValue(5) & "' " & _
                 "WHERE SR_Service_RecId = " & srId & " "
        myUCmd.Connection = myUConn
        myUCmd.CommandText = strSQL
        'myCCmd.ExecuteNonQuery()
        lblServiceRequest.Text = myUCmd.CommandText
        result = True
    Else
        myUCmd.CommandText = ""
        result = False
    End If
    If myUCmd.CommandText <> "" Then
        myUCmd.ExecuteNonQuery()
    End If
    myCConn.Close()
    myUConn.Close()
    Return result
End Function

Any help is appreciated!

Answer 1

before i even look where the error might be i suggest you stop immediatly what your doing and first go change all sql code to use parameters. if you don't your site will be open to sql injection attacks that can destroy your database.

to find out where the problem is run profiler and check the stmt:starting and stmt:completed events.

Answer 2

My take on this is to break before executing the command. debug.print the commandtext, switch to sql query analyser and paste the sql-string there and run. Then youll see exactly what the problem is, if its in the command.

I think you have values that escapes the sql-string and that contains '< or something.

Answer 3

Aside from the other answers above relating to SQL Injection , you'll want to look at:

... " & CoId & " ...

... " & myCDataReader.GetValue(0) & " ...

... " & srId & " ...

These statements are not escaped so there's a good chance your error is there.

Answer 4

Most likely it would take less time to convert this code to be a parameterized query (which most likely would fix the bug in the process) than it would to track down the issue. No more risk of SQL injection, easier to read and you get an execution plan. Win win win!

The ease with which you can make a mistake concatenating strings like this is yet another reason to avoid doing your SQL this way.

Answer 5

Are you sure the error is in the UPDATE statement ? I think it is in the SELECT statement, as I can see from your stacktrace. Why don't you use parameters in that statement as well ?

Next to that, your piece of code can be written far more efficiently. Now, you execute a SELECT statement, and for each record in your result-set, you execute an UPDATE query. Know that SQL is set based, and that this can be written in one statement.

Something like that:

UPDATE sr_service
   SET contact_name = vti_ContactInformation.FirstName + ' ' + vti_ContactInformation.LastName
   ... your other columns ..
FROM vti_ContactInformation
WHERE sr_service.sr_service_recid = {yourid}

Make sure you replace {yourid} with the appropriate column. I haven't done it, since I couldn't directly see what value you assign to srId variable.

Answer 6

First things first; set to stop on exceptions (so you can see which non-query it is) -- then you'll be able to see the command text that is going wrong.

I'd also recommend converting these queries into stored procedures (or at least parameterised queries); not just for performance gains from execution plans, but also from a security point of view (consider what happens when txtEmail.Text is "'; drop table vti_ContactInformation; select '"

Answer 7

Thank you everyone - when I changed everything to parameters I found that the value in the srId variable had some hidden text (some xml tags leftovers). Once I got that straightened out, it worked perfectly.

Thanks for the pointers and good direction!