Xancholy

I use a textbox to filter my datagridview's binding source on keydown.

I'm facing problems if the user enters apostrophes and other undesirable characters into the textbox.

"Fred's furnace" is a data item that is available in the datagridview. But when I enter "Fred's" in the textbox search it causes an exception.

Please can someone point me to a how-to on avoiding SQL injection in this case.

Thanks in advance.


Re: .NET Framework Data Access and Storage sql injection :: filtering datagridview

Paul Louth

You should use parameterised queries rather than raw SQL statements:

http://codebetter.com/blogs/david.hayden/archive/2006/01/05/136264.aspx

http://www.codeproject.com/aspnet/SqlInjection.asp
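As an added example (not code from this thread or from the linked articles), here is how the original poster's filter could be done with a parameterised OleDb query against an Access database. The connection string, the table and column names (Customers, Country), and the designer-generated controls dataGridView1 and textBox1 are all assumptions. The point is that the search text, apostrophes included, travels as a parameter value rather than being spliced into the SQL string, so "Fred's" can no longer break the statement.

```csharp
using System.Data;
using System.Data.OleDb;
using System.Windows.Forms;

// Assumed: a WinForms form with dataGridView1 and textBox1 created by the designer.
public partial class CustomersForm : Form
{
    // Assumed connection string; adjust the provider and path for your database.
    private const string ConnectionString =
        @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=customers.accdb";

    private readonly BindingSource bindingSource1 = new BindingSource();

    private void LoadCustomers(string countryFilter)
    {
        // OleDb uses positional '?' placeholders. The SQL text never changes, so
        // nothing the user types can alter the statement's structure.
        const string sql =
            "SELECT CustomerId, Company, Country FROM Customers WHERE Country LIKE ?";

        var table = new DataTable();
        using (var connection = new OleDbConnection(ConnectionString))
        using (var command = new OleDbCommand(sql, connection))
        {
            // The wildcard belongs in the parameter value, never in the SQL string.
            command.Parameters.Add("@country", OleDbType.VarWChar).Value = countryFilter + "%";
            connection.Open();
            using (var reader = command.ExecuteReader())
            {
                table.Load(reader);
            }
        }

        bindingSource1.DataSource = table;
        dataGridView1.DataSource = bindingSource1;
    }

    // Wire this to textBox1.KeyUp so the grid is re-queried as the user types.
    private void textBox1_KeyUp(object sender, KeyEventArgs e)
    {
        LoadCustomers(textBox1.Text);
    }
}
```

Re-querying the database on every keystroke is fine for small tables; for larger ones, load the table once and filter the in-memory DataView or BindingSource instead, which is what the RowFilter suggestion below this is about.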


Re: .NET Framework Data Access and Storage sql injection :: filtering datagridview

ahmedilyas

I agree. You should be using parameterized queries. As well as this, are you using a DataView to filter your results with the RowFilter property?




Re: .NET Framework Data Access and Storage sql injection :: filtering datagridview

Xancholy

No, this is all new to me. I would really appreciate it if you could show me some code to take user input from a textbox and run a parameterized query off an Access database. And I'm not sure how to use a DataView to filter the results with RowFilter.

Appreciate the help!




Re: .NET Framework Data Access and Storage sql injection :: filtering datagridview

Matt Neerincx

To filter the datagridview you could just use String.Replace to replace single apostrophes with double ones:

' Doubling each apostrophe keeps the value a single well-formed string literal in the filter expression
bindingSource1.Filter = "Country = '" & textBox1.Text.Replace("'", "''") & "'"

This should work for you.


Re: .NET Framework Data Access and Storage sql injection :: filtering datagridview

Xancholy

Thanks. That worked great. How can I filter out unnecessary punctuation from the filter string to head off all exceptions?
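An added example (not code from this thread) that covers both the apostrophe-doubling trick above and the follow-up question about other punctuation. A RowFilter or BindingSource.Filter string is a DataColumn.Expression, not SQL, and the characters that matter are limited: an apostrophe ends the string literal, and inside a LIKE clause the characters * % [ ] act as wildcards. Escaping those (doubling the apostrophe, wrapping the wildcards in brackets, as the DataColumn.Expression documentation describes) is enough; stripping punctuation is unnecessary and would silently change what the user searched for. The form, control names and the Customers table are assumptions.

```csharp
using System.Data;
using System.Text;
using System.Windows.Forms;

public static class FilterExpressions
{
    // For an '=' comparison, doubling apostrophes is the complete escaping:
    // "Fred's furnace" becomes 'Fred''s furnace'.
    public static string QuoteLiteral(string value)
    {
        if (value == null) value = string.Empty;
        return "'" + value.Replace("'", "''") + "'";
    }

    // For a LIKE comparison, additionally wrap the wildcard characters in brackets
    // so they match literally. An optional trailing % gives a prefix search.
    public static string QuoteLikeLiteral(string value, bool prefixMatch)
    {
        if (value == null) value = string.Empty;
        var sb = new StringBuilder(value.Length + 8);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\'':
                    sb.Append("''");
                    break;
                case '*':
                case '%':
                case '[':
                case ']':
                    sb.Append('[').Append(c).Append(']');
                    break;
                default:
                    sb.Append(c);
                    break;
            }
        }
        if (prefixMatch) sb.Append('%');
        return "'" + sb.ToString() + "'";
    }
}

// Assumed: a WinForms form with dataGridView1 and textBox1 created by the designer,
// and a DataTable named customersTable already loaded from the database.
public partial class CustomersForm : Form
{
    private readonly BindingSource bindingSource1 = new BindingSource();
    private DataTable customersTable;

    // Exact match through the BindingSource the grid is bound to.
    private void FilterByCountry(string country)
    {
        bindingSource1.Filter = "Country = " + FilterExpressions.QuoteLiteral(country);
    }

    // Prefix match through a DataView and its RowFilter property.
    private void FilterByCompanyPrefix(string prefix)
    {
        var view = new DataView(customersTable);
        view.RowFilter = "Company LIKE " + FilterExpressions.QuoteLikeLiteral(prefix, prefixMatch: true);
        dataGridView1.DataSource = view;
    }

    private void textBox1_KeyUp(object sender, KeyEventArgs e)
    {
        // Typing "Fred's" yields the filter: Country = 'Fred''s'
        FilterByCountry(textBox1.Text);
    }
}
```

Note that this escaping protects the in-memory filter expression only. If the text is ever sent to the database, use the parameterised query shown earlier in the thread; the two mechanisms are separate and each needs its own handling.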