Recently, I have been filtering a DataTable via DataView in the following way:
using System;
using System.Data;

public static class DataTableExtensions
{
    // SqlOperator.Like is the poster's own constant (assumed to hold "LIKE").
    public static DataTable FilterDatatable(this DataTable dtable, string @operator, string colName, string colValue)
    {
        if (dtable != null && dtable.Rows.Count > 0)
        {
            DataView dataView = dtable.DefaultView;
            if (@operator.Equals(SqlOperator.Like, StringComparison.InvariantCultureIgnoreCase))
            {
                // colValue is concatenated unescaped, so a single quote inside it breaks the expression
                dataView.RowFilter = colName + " " + @operator + " '%" + colValue + "%'";
            }
            else
            {
                dataView.RowFilter = colName + " " + @operator + " " + colValue;
            }
            return dataView.ToTable();
        }
        return dtable;
    }
}
Here, I can write a method for preventing injection (those injections I know of), but indeed I don't know the best way to prevent injection in the DataTable, just like SQL parameters.
The above method throws an exception when I send a string with a single quote appended as the argument for ColVal….
You don't need protection in that instance – DataTable.Select() is applying a filter to the DataRows held in-memory within that DataTable; it's not actually connecting to or executing anything against the database.

UPDATE
How about creating this method to double any single instance of a single quote:

so to use,
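As an added example (not the answerer's code and not the questioner's project), here is one way to do the quote doubling described above, extended to also neutralise the LIKE wildcard characters (* % [ ]) that the DataView expression syntax treats specially and to validate the column name against the table schema, since a column name cannot be escaped like a value; RowFilterHelper, FilterContains and the sample rows are assumed names and constructed data.

```csharp
using System;
using System.Data;
using System.Text;

public static class RowFilterHelper
{
    // A RowFilter string literal is delimited by single quotes; the expression
    // language represents an embedded quote as two single quotes.
    public static string EscapeLiteral(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        return value.Replace("'", "''");
    }

    // Inside a LIKE pattern the characters * % [ ] are wildcards/escapes, so raw
    // input could widen the match; the syntax neutralises each by bracketing it, e.g. [%] or [[].
    public static string EscapeLikePattern(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in EscapeLiteral(value))
        {
            if (c == '*' || c == '%' || c == '[' || c == ']')
                sb.Append('[').Append(c).Append(']');
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    // Column names are checked against the schema rather than trusted; a new DataView avoids mutating DefaultView.
    public static DataTable FilterContains(DataTable table, string colName, string colValue)
    {
        if (!table.Columns.Contains(colName))
            throw new ArgumentException("Unknown column: " + colName, nameof(colName));
        var view = new DataView(table);
        view.RowFilter = "[" + colName + "] LIKE '%" + EscapeLikePattern(colValue) + "%'";
        return view.ToTable();
    }

    public static void Main()
    {
        // Constructed sample data containing a quote and a wildcard character.
        var table = new DataTable();
        table.Columns.Add("Name", typeof(string));
        table.Rows.Add("O'Brien");
        table.Rows.Add("100% done");
        table.Rows.Add("Smith");
        // Neither search throws, and the % in the second one matches only the literal character.
        Console.WriteLine(FilterContains(table, "Name", "O'B").Rows.Count);
        Console.WriteLine(FilterContains(table, "Name", "%").Rows.Count);
    }
}
```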