Hello,
We’ve been looking into an unexpected sporadic problem with SqlCommand.ExecuteXmlReader for some weeks now, hence this question.
Our set-up seems simple enough.
We’ve got a SharePoint 2013 intranet site on which external users can login via a membership provider.
After logging in the user gets to a web part page with a number of instances of a webpart we’ve built.
This webpart has two SharePoint property’s:
- SQL, which contains a parameterizable SQL-statement;
- XSLT, which contains the path to an XSLT-file.
These webparts are configured to each call a SQL view for the currently logged-on user, using a SqlCommand with a FOR XML clause. This way we can retrieve and format data dynamically as the customer wants it.
However, sometimes two users get to see each others data
in one of the webparts, while 3 other webparts give the correct results.
The problem isn't limited to one webpart instance either: sometimes an Invoices webpart will get the results of the Meeting webpart's query (for another user), but in those cases nothing is shown to the user due to the XSLT which doesn't recognize the result.
We’ve built in some logging to see where it goes wrong.
But in all these cases SqlCommand.ExecuteXmlReader uses the SQL view with the correct user.
Yet the resulting XmlDataReader returns the data for another currently logged-on user.
It happens more often than we first thought and is a huge privacy concern.
The SQL views called from the webparts make use of with (nolock) for performance reasons.
This is the main part of the code we are using:
using (SqlConnection mySqlConnection = new SqlConnection(sConnection))
using (SqlCommand mySqlCommand = new SqlCommand(sql, mySqlConnection))
{
mySqlCommand.CommandType = System.Data.CommandType.Text;
if (parameterArray.Length > 0)
mySqlCommand.Parameters.AddRange(parameterArray);
mySqlConnection.Open();
XmlReader reader = null;
string xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?><NewDataSet>";
try
{
reader = mySqlCommand.ExecuteXmlReader();
reader.Read();
while (!reader.EOF)
{
xml += reader.ReadOuterXml();
}
}
finally
{
if (reader != null) reader.Close();
}
inputXml = xml + "</NewDataSet>";
mySqlCommand.CommandText = "";
mySqlConnection.Close();
}The big question is: why are we sometimes getting the XML result of a SqlCommand of a different user which happens to be logged on at the same time?
Some additional info
- We estimate 300-400 users log on to the website every hour. In principle the site is being used 24 hours a day.
- We suspect this happens under heavy load on the server.
- We have enlarged Max Pool Size of our connection string to a high value (9000). This because we suspected the default value (100?) to be too low for the traffic on the site, but still erroneous cases have been logged since this modification.
- Also we thought we should try and use the SQL without with (nolock) for a while, to see if it makes any difference.
Any ideas on which things we should check?
Any thoughts on this would be greatly appreciated!
Ed