How to escape Sqldatasource.Filterexpression?

Question

How to escape Sqldatasource.Filterexpression?

Asked 6 years, 11 months ago

Viewed 27 times

1

I have a function that adds a filter to the SqlDataSource. That expression contains a LIKE at the consultation. However, if the person places a character such as ', an error (which evidences SQL Injection).

string cliente = TB_Cliente.Text;

string retorno = "CodOrdemServico = CodOrdemServico ";

if (cliente.Length > 0)
{
   retorno += String.Format("AND Cliente LIKE '%{0}%'", cliente);
}

DS_Grid.FilterExpression = retorno;

How can I escape the LIKE above?

your DS_Grid is a Sqldatasource?

– Pablo Tondolo de Vargas

2017/12/06 at 11:55
3

Bobby Tables sends his regards

– Maniero

2017/12/06 at 11:55
Yes, @Pablotondolodevargas

– Wallace Maxters

2017/12/06 at 11:56
2

@Maniero I get depressed seeing so many questions with SQL Injection, the worst they still teach in college using string concatenation.

– Pablo Tondolo de Vargas

2017/12/06 at 11:56
@Maniero this system was not made by me. I am giving maintenance :... I am ashamed to use this Web Forms :|

– Wallace Maxters

2017/12/06 at 11:58
See this: https://msdn.microsoft.com/en-us/library/xt50s8kz.aspx

– Maniero

2017/12/06 at 12:03

Show 1 more comment

1 answer

Browser other questions tagged c# webforms

You are not signed in. Login or sign up in order to post.

by Jéf Bueno • **67,331** points · Answer 1 · 2017-12-06T12:02:54+00:00

Use parameters in query.

DS_Grid.FilterExpression = "CodOrdemServico = CodOrdemServico AND Cliente LIKE '%{0}%'";
DS_Grid.FilterParameter.Add(new ControlParameter("Cliente", "TB_Cliente", "Text"));