Injection attacks against .NET DataView RowFilter

So, I am writing a handler that filters the cached DataTable based on AppRelativeCurrentExecutionFilePath using the DataView RowFilter property. What is the best way to encode input to prevent injection?

Is the following enough? Is there a better / more elegant way?

// Build the RowFilter expression with the escaped user input as a LIKE prefix pattern.
dataView.RowFilter = String.Format("Name LIKE '{0}%'", EncodeString(query));

// Escape a value so it is matched literally inside a RowFilter LIKE pattern.
// RowFilter uses DataColumn expression syntax: the wildcards are * and %,
// and *, %, [ and ] are made literal by wrapping them in brackets.
private string EncodeString(string s)
{
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < s.Length; i++)
    {
        char c = s[i];
        if (c == '*' || c == '%' || c == '[' || c == ']')
            sb.Append("[").Append(c).Append("]");   // literal wildcard / bracket
        else if (c == '\'')
            sb.Append("''");                        // doubled quote inside the string literal
        else
            sb.Append(c);
    }

    return sb.ToString();
}
1 answer

You cannot enter SQL in RowFilter.

Edit: as indicated, you can get all the rows in the table by injection; maybe something like the following would work:

using System.Data;   // DataTable, DataRow
using System.Linq;   // AsEnumerable() / Field<T>() come from System.Data.DataSetExtensions

// Filter in code instead of building an expression string, so nothing needs escaping.
// Field<string> returns null for DBNull, hence the null-conditional call.
dataTable.AsEnumerable()
    .Where(r => r.Field<string>("StringColumn")?.Contains(userInput) == true)
    .ToList().ForEach(r => Console.WriteLine(r.Field<string>("StringColumn")));
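The following is an added example, not code from either post. It puts the question's escaping routine and the answer's expression-free LINQ alternative side by side on a constructed DataTable, and checks that escaped input is matched literally while raw concatenation of the same input widens the filter to every row. The class and method names (RowFilterEscapingDemo, EscapeLikeLiteral, CountPrefixSafe, CountPrefixUnsafe, CountPrefixLinq) and the sample rows are assumptions made for this example; it assumes a reference to System.Data.DataSetExtensions for AsEnumerable() and Field<T>(). One caveat the expression parser enforces: wildcards may only appear at the start or end of a LIKE pattern, which is why escaping a user-supplied * or % in the middle of the value is required rather than optional.

```csharp
using System;
using System.Data;
using System.Linq;
using System.Text;

// Added example (not the asker's or answerer's code): escaping untrusted input
// for DataView.RowFilter, shown beside the unescaped form and a LINQ alternative.
static class RowFilterEscapingDemo
{
    // RowFilter parses DataColumn expression syntax, not SQL. Inside a LIKE
    // pattern the wildcards are * and %; *, %, [ and ] become literal when
    // wrapped in brackets, and a single quote is doubled.
    static string EscapeLikeLiteral(string s)
    {
        var sb = new StringBuilder(s.Length);
        foreach (char c in s)
        {
            if (c == '*' || c == '%' || c == '[' || c == ']')
                sb.Append('[').Append(c).Append(']');
            else if (c == '\'')
                sb.Append("''");
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    // Constructed sample data, chosen so every escaped character is exercised.
    static DataTable BuildSampleTable()
    {
        var table = new DataTable();
        table.Columns.Add("Name", typeof(string));
        foreach (var name in new[] { "Alice", "Bob", "50% off", "a'b", "[bracket]", "x*y" })
            table.Rows.Add(name);
        return table;
    }

    // Prefix search with escaping applied: the safe path.
    static int CountPrefixSafe(DataTable table, string prefix)
    {
        var view = new DataView(table);
        view.RowFilter = string.Format("Name LIKE '{0}%'", EscapeLikeLiteral(prefix));
        return view.Count;
    }

    // Same search with raw concatenation, kept only to show why escaping matters.
    static int CountPrefixUnsafe(DataTable table, string prefix)
    {
        var view = new DataView(table);
        view.RowFilter = string.Format("Name LIKE '{0}%'", prefix);
        return view.Count;
    }

    // Expression-free alternative (the answer's LINQ approach): no filter string
    // is built, so there is nothing to escape. OrdinalIgnoreCase mirrors the
    // DataTable default of CaseSensitive = false.
    static int CountPrefixLinq(DataTable table, string prefix)
    {
        return table.AsEnumerable()
            .Count(r => r.Field<string>("Name")?.StartsWith(prefix, StringComparison.OrdinalIgnoreCase) == true);
    }

    static void Main()
    {
        DataTable table = BuildSampleTable();

        // Characters with special meaning are matched literally once escaped.
        Check(CountPrefixSafe(table, "50%") == 1, "literal % must match only '50% off'");
        Check(CountPrefixSafe(table, "a'") == 1, "doubled quote must match only a'b");
        Check(CountPrefixSafe(table, "[") == 1, "escaped [ must match only [bracket]");
        Check(CountPrefixSafe(table, "x*") == 1, "escaped * must match only x*y");

        // Input that closes the quoted pattern and appends a second LIKE clause.
        const string hostile = "Z' OR Name LIKE '";
        Check(CountPrefixSafe(table, hostile) == 0, "escaped input is matched as a literal prefix");
        Check(CountPrefixUnsafe(table, hostile) == table.Rows.Count, "raw concatenation returns every row");

        // The LINQ variant agrees with the escaped RowFilter on every input.
        foreach (var q in new[] { "50%", "a'", "[", "x*", hostile })
            Check(CountPrefixLinq(table, q) == CountPrefixSafe(table, q), "LINQ and escaped RowFilter agree on " + q);

        Console.WriteLine("All RowFilter escaping checks passed.");
    }

    static void Check(bool condition, string message)
    {
        if (!condition) throw new InvalidOperationException("Check failed: " + message);
    }
}
```

Run it as a console project; it throws on the first failed check and otherwise prints a single success line. The unsafe path exists only to make the comparison concrete: the widened filter is exactly the "all the rows in the table" outcome the answer describes, and both the escaped RowFilter and the LINQ predicate close it off.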

Source: https://habr.com/ru/post/1714974/


All Articles