How to escape the SqlDataSource.FilterExpression?

1

I have a function that adds a filter to a SqlDataSource. This expression contains LIKE in the query. However, if the user enters a character such as ', an error occurs (which shows it is open to SQL injection).

string cliente = TB_Cliente.Text;

string retorno = "CodOrdemServico = CodOrdemServico ";

if (cliente.Length > 0)
{
   retorno += String.Format("AND Cliente LIKE '%{0}%'", cliente);
}

DS_Grid.FilterExpression = retorno;

How can I escape the LIKE above?

    
asked by anonymous 06.12.2017 / 12:46

1 answer

3

Use parameters in the query.

DS_Grid.FilterExpression = "CodOrdemServico = CodOrdemServico AND Cliente LIKE '%{0}%'";
// The collection is FilterParameters (plural); {0} is replaced by the first parameter's value
DS_Grid.FilterParameters.Add(new ControlParameter("Cliente", "TB_Cliente", "Text"));
    
06.12.2017 / 13:02
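SqlDataSource.FilterExpression is evaluated with the same rules as a DataView RowFilter, so the value needs RowFilter escaping (doubling single quotes, bracketing the wildcard characters) before it is placed inside the LIKE pattern. The following is an added example, not code from the question or the answer; the helper names EscapeForFilterLike and BuildFilter and the sample rows are assumptions.

```csharp
using System;
using System.Data;
using System.Text;

// Added example (not from the original post). Escapes user input for a
// DataView RowFilter / SqlDataSource.FilterExpression LIKE pattern.
public static class FilterEscaper
{
    // Doubles single quotes and wraps RowFilter wildcards (% * [ ]) in
    // brackets so the value is matched literally instead of as a pattern.
    public static string EscapeForFilterLike(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\'': sb.Append("''"); break;
                case '%':
                case '*':
                case '[':
                case ']': sb.Append('[').Append(c).Append(']'); break;
                default: sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Same filter as in the question, with the input escaped first.
    public static string BuildFilter(string cliente)
    {
        string retorno = "CodOrdemServico = CodOrdemServico ";
        if (cliente.Length > 0)
            retorno += String.Format("AND Cliente LIKE '%{0}%'", EscapeForFilterLike(cliente));
        return retorno;
    }

    // Runs the filter against a constructed in-memory table (assumed data).
    public static void Main()
    {
        var table = new DataTable();
        table.Columns.Add("CodOrdemServico", typeof(int));
        table.Columns.Add("Cliente", typeof(string));
        table.Rows.Add(1, "O'Neil"); table.Rows.Add(2, "100% Ltda"); table.Rows.Add(3, "Silva");
        foreach (string input in new[] { "O'N", "100%", "' OR 1=1 --" })
        {
            var view = new DataView(table) { RowFilter = BuildFilter(input) };
            Console.WriteLine("{0,-12} -> {1} row(s)", input, view.Count);
        }
    }
}
```

A quote or a % in the input no longer breaks the expression or widens the match; each value is matched only as a literal substring of Cliente.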