
Error after logon: Incorrect syntax near ','

May 26, 2010 at 4:31 PM
Edited May 26, 2010 at 4:32 PM

I'm not posting this (or my other issues) to the issue tracker since I'm not sure I'm not causing my own issues. I've gotten my logon and TicketDesk DB access issues ironed out, but now I get this error, Incorrect syntax near ',', when it tries to navigate to the TicketCenter2.aspx after logon, or any page that lists the auth user's tickets. Looks like a query's missing a value, but I ran SQL trace and can't seem to pinpoint the failed query right before the error is thrown and Elmah response appears.

Wondering if this has something to do with my using our existing membership provider instead of the one included in TicketDesk?

Any ideas on this? Thanks!

Coordinator
May 26, 2010 at 4:48 PM

The easiest way to find out is to switch it over to a fresh database for the security providers and see if it still fails, or just use the stock data file and configuration and see. There aren't many places where a comma in the actual data should be able to cause that kind of error.

I'd appreciate it if you could include a detailed error output for me. The presence of that error may indicate the presence of a SQL injection vulnerability in the code.

Likely possible data fields that might result in that error would be: membership entries with commas in the comment column, user name column, or email column. Role entries with a rolename that includes a comma could be another possible source. Then there could be some malformed entries in the profile data.     

May 26, 2010 at 6:00 PM

[SqlException (0x80131904): Incorrect syntax near ','.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) +1953274
   System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) +4849707
   System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) +194
   System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) +2392
   System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) +204
   System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async) +954
   System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result) +162
   System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe) +175
   System.Data.SqlClient.SqlCommand.ExecuteNonQuery() +137
   Microsoft.SqlTableProfileProvider.SetPropertyValues(SettingsContext context, SettingsPropertyValueCollection collection) +3773
   System.Configuration.SettingsBase.SaveCore() +375
   System.Configuration.SettingsBase.Save() +93
   System.Web.Profile.ProfileBase.SaveWithAssert() +31
   System.Web.Profile.ProfileBase.Save() +63
   System.Web.Profile.ProfileModule.OnLeave(Object source, EventArgs eventArgs) +8776412
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +68
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75
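Added example, not part of the thread and not TicketDesk's or the profile provider's code: a Python/sqlite3 sketch of why a syntax error that depends on the stored data is treated above as a possible SQL injection indicator, with the parameterized form beside it. The table, column names and both save functions are hypothetical, and the input is constructed; SQLite words the same failure as `near ",": syntax error`.

```python
import sqlite3

# Constructed schema standing in for a per-user profile table (hypothetical names).
ALLOWED_COLUMNS = {"display_name", "page_size"}

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profile (user_id INTEGER PRIMARY KEY, "
               "display_name TEXT, page_size INTEGER)")
    db.execute("INSERT INTO profile (user_id) VALUES (1)")
    return db

def save_profile_unsafe(db, user_id, props):
    # Anti-pattern: values are pasted into the statement text, so the data
    # decides what the SQL parser sees.
    sets = ", ".join(f"{col} = {val}" for col, val in props.items())
    db.execute(f"UPDATE profile SET {sets} WHERE user_id = {user_id}")

def save_profile_safe(db, user_id, props):
    # Column names come from a fixed allowlist; values travel as bound
    # parameters and never become part of the statement text.
    unknown = set(props) - ALLOWED_COLUMNS
    if unknown:
        raise ValueError(f"unexpected profile properties: {sorted(unknown)}")
    if not props:
        return  # nothing to save; do not emit an empty SET clause
    cols = list(props)
    sets = ", ".join(f"{col} = ?" for col in cols)
    params = [props[c] if props[c] != "" else None for c in cols]
    db.execute(f"UPDATE profile SET {sets} WHERE user_id = ?", params + [user_id])

def demo():
    db = make_db()
    # Constructed input: one property arrives empty, another holds a quote and a comma.
    props = {"page_size": "", "display_name": "O'Brien, Pat"}
    try:
        save_profile_unsafe(db, 1, props)
        unsafe_error = None
    except sqlite3.OperationalError as exc:
        unsafe_error = str(exc)
    save_profile_safe(db, 1, props)
    row = db.execute("SELECT display_name, page_size FROM profile "
                     "WHERE user_id = 1").fetchone()
    return unsafe_error, row

if __name__ == "__main__":
    print(demo())
```

The concatenating version fails at the first comma because the empty value leaves nothing after `page_size =`; the bound-parameter version stores the same input unchanged.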

May 26, 2010 at 6:15 PM
Edited May 26, 2010 at 7:53 PM

Thanks for that info; I now suspect that it may be due to our use of a custom profile provider; I'm following up on that.

Coordinator
May 26, 2010 at 6:16 PM

Well, the problem is clearly with the user's profile. First of all, check web.config and make sure the properties in the profile element are defined correctly (compare them to the stock TicketDesk config files to be sure).

Odds are the problem is directly within the profile data for the currently logged in user. I avoided any cross-reading of other people's profile data when I wrote TicketDesk, due to performance issues with the provider...

Once you are sure the web.config defines the profile properties correctly, you wipe out the user's aspnet_profile table record completely. TicketDesk will re-generate the default profile record for that user automagically... though it has no control over what the other application might have stored there.

If you have some odd conflict with the profile data between multiple applications, you can change the application name in TicketDesk's web.config file for just the profile provider (not the membership and roles providers). This will cause TicketDesk to maintain a separate set of profile records for the users without interacting with the other application's profile records at all. The MS security provider DB schema allows this kind of mixed-application domain stuff quite well.

May 26, 2010 at 7:55 PM

Thanks, I'll try these; really appreciate the help! Great app and would really like to be able to use it with our site; cheers!